05-22-2018 12:14 PM
Hello Security Community,
Here is the following scenario (high level),
- Guest wireless network which only has access to DMZ resources - DNS resolution and load-balancer. Guests have separate Internet connection.
- DMZ which contains DNS servers and load-balancer
- Internal LAN with Cisco ISE nodes and WLC management.
The security posture for the guest network is to "one hop" through the DMZ before hitting the internal LAN. The idea is that there is an expected source IP (the SNIP of the load-balancers) and an expected destination IP on the firewall, instead of allowing the entire source addressing of the guest subnet to reach internal resources. This allows for more cohesive manageability of rules and a single source-destination pair that can be shut down if there is some sort of breach.
Guests would be redirected to guest.yyy.com upon connecting to the wireless (redirection address from ISE). The DNS server in the DMZ would resolve this address to the VIP of the load-balancer. The load-balancer would point the VIP to the internal ISE PSNs. As well, the PSNs would be resolved to the VIP of the load-balancer, so all traffic goes through this VIP.
Question - If the load-balancer in the DMZ is set up to reverse-proxy the guest traffic to ISE (VIP in the guest subnet) for the reasons above, will ISE accept a connection (CWA redirect through to successful authentication) from the reverse-proxy if the source of the HTTP request is not the same as the true source guest IP address?
Or does the guest need to have direct access to the PSN on the required ports (web ports) for the CWA experience to behave properly and provide a successful authentication.
Thanks!
Ryan
05-22-2018 12:25 PM
I moved this to the Public Community to allow maximum exposure and experience and capabilities to comment on this thread. The guest is going to need to communicate to the PSN directly, as far as I know.
Also, the network access device will need to communicate with that same PSN.
05-23-2018 04:48 AM
It would not be a reverse-proxy configuration, per se, but rather you can configure ISE so that the returned authorization points to the LB VIP. Here the LB must have logic to pin HTTPS requests to RADIUS requests.
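The pinning the last reply refers to can be modelled as a persistence table on the load balancer: the PSN chosen for a guest's RADIUS session is the PSN that must also receive that guest's portal HTTPS requests, otherwise the portal lands on a node that knows nothing about the session. The following is an added example, not code from the thread or from Cisco or any load-balancer vendor. It assumes (these are assumptions, not facts from the page) that the LB can read a session identifier from the RADIUS Access-Request as a Cisco AV pair named `audit-session-id`, that the redirect URL the guest follows carries the same identifier in a `sessionId` query parameter, and that the portal FQDN `guest.yyy.com` from the thread resolves to the VIP. The PSN addresses and session identifiers are constructed.

```python
from itertools import cycle
from urllib.parse import parse_qs, urlparse

# Constructed values: two internal ISE PSNs behind the DMZ load-balancer VIP.
PSNS = ["10.10.10.11", "10.10.10.12"]
PORTAL_FQDN = "guest.yyy.com"   # resolves to the LB VIP in the DMZ (from the thread)


class CwaPinningLB:
    """Minimal persistence logic: the PSN that received a guest's RADIUS request
    is the PSN that must receive the guest's portal HTTPS requests for that session."""

    def __init__(self, psns):
        self._round_robin = cycle(psns)
        self.session_table = {}   # session id -> PSN address

    def forward_radius(self, attrs):
        """Handle an Access-Request arriving at the RADIUS VIP.

        `attrs` is a dict of RADIUS attributes. The session identifier is
        ASSUMED to be present as a Cisco AV pair 'audit-session-id'."""
        sid = attrs.get("audit-session-id")
        if not sid:
            raise ValueError("Access-Request carries no session identifier; cannot pin")
        # A re-authentication for a known session stays on the PSN that owns it.
        psn = self.session_table.get(sid) or next(self._round_robin)
        self.session_table[sid] = psn
        return psn

    def forward_https(self, url):
        """Handle a portal HTTPS request arriving at the portal VIP.

        Returns the pinned PSN, or None when the request cannot be correlated
        with a RADIUS session (no sessionId parameter, or unknown session)."""
        parsed = urlparse(url)
        if parsed.hostname != PORTAL_FQDN:
            return None   # not a request for the guest portal
        sid = parse_qs(parsed.query).get("sessionId", [None])[0]
        return self.session_table.get(sid) if sid else None

    def accounting_stop(self, attrs):
        """An Accounting-Stop ends the session; drop the persistence entry."""
        self.session_table.pop(attrs.get("audit-session-id"), None)


def demo():
    """Walk two guests through RADIUS, then CWA portal traffic; return the decisions."""
    lb = CwaPinningLB(PSNS)
    # Constructed session identifiers (shape only; not real ISE values).
    sid_a, sid_b = "0A0A0A0100000011", "0A0A0A0100000012"
    radius_a = lb.forward_radius({"Calling-Station-Id": "aa:bb:cc:00:00:01",
                                  "audit-session-id": sid_a})
    radius_b = lb.forward_radius({"Calling-Station-Id": "aa:bb:cc:00:00:02",
                                  "audit-session-id": sid_b})
    # Redirect URLs as the guests would follow them: host is the portal FQDN
    # (the VIP) with the session id in the query string (assumed shape).
    url_a = f"https://{PORTAL_FQDN}:8443/portal/gateway?sessionId={sid_a}&action=cwa"
    url_b = f"https://{PORTAL_FQDN}:8443/portal/gateway?sessionId={sid_b}&action=cwa"
    https_a = lb.forward_https(url_a)
    https_b = lb.forward_https(url_b)
    # Failure mode: a portal hit with no session id cannot be pinned to any PSN.
    unpinned = lb.forward_https(f"https://{PORTAL_FQDN}:8443/portal/gateway?action=cwa")
    # After Accounting-Stop the entry is gone and a stale URL no longer routes.
    lb.accounting_stop({"audit-session-id": sid_a})
    after_stop = lb.forward_https(url_a)
    return {"radius_a": radius_a, "https_a": https_a, "radius_b": radius_b,
            "https_b": https_b, "unpinned": unpinned, "after_stop": after_stop}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the model is the lookup in `forward_https`: without it, round-robin would send roughly half of the portal requests to a PSN that never saw the RADIUS session. The `None` returns mark the cases a real balancer has to decide about explicitly (reject, or fall back to a default PSN), and the Accounting-Stop handler shows why the table needs an expiry path so it does not grow without bound.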