Guest portal in distributed setup

Gaj Ana
Level 1

Hi All,

How do the guest portal or the sponsor portals work in a distributed environment where two or more PSNs are running individually? That is,

1. does ISE redirect the user to the same guest portal URL <PSN1 FQDN>/guestportal or <PSN2 FQDN>/guestportal based on which PSN receives the request from a NAD?

2. how do we set up a generic URL for the guest so the users will not see the <PSN1 or 2 FQDN> and could see a URL like, for example, abc.com.us/guestportal regardless of which PSN serves the request?

Thanks

G



7 Replies

Muhammad Munir
Level 5

Hi

FYI.

In Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. Each Cisco ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring. The Inline Posture node cannot assume any other persona, due to its specialized nature. The Inline Posture node must be a dedicated node.

Regarding generic URL configuration, please have a look at the following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#18995


cciesec2011
Level 3

Only the PSN node can host the Guest login portal. For example, if you have three PSN nodes, you will have three separate login portals on three separate PSN nodes, same database but different PSN nodes.

Q: "how do we set up a generic URL for the guest so the users will not see the <PSN1 or 2 FQDN> and could see a URL like, for example, abc.com.us/guestportal regardless of which PSN serves the request?"

A: Set up a load balancer to load-balance your PSN1 and PSN2, either active/standby or active/active configuration; it does not matter. Because the PSN nodes share the same database, it will work without any issues, provided that in your RADIUS configuration you list both PSN1 and PSN2; you should be fine.


Thanks. Can we do this without the load balancer option?

Tarik Admani
VIP Alumni

The generic option will not scale across multiple PSNs. I ran into this issue when 1.2 first came out because the session ID isn't replicated to all the PSNs. If you want to use a generic guest URL, your option would be to adjust the generic URL to guest1.domain.xxx and guest2.domain.xxx; you can then build separate authorization results for these static hostnames. In your authorization policy you will have to place a condition so that the correct generic URL is triggered based on which PSN received the initial MAB request.

I haven't had a chance to try node groups to see if that will work, but that requires the PSNs to be on the same L2 segment.

Hi Tarik, thanks for getting back. Agree with you. Have you tried using a well-known CA to sign the above URLs for this scenario? Tks G

I have had customers submit the multi-SAN CSRs if that is your question, and it isn't a problem. When you create the CSR through ISE, make sure you follow the user guide and include the CN of the ISE node as a SAN also, or ISE will not accept the cert.
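As an added illustration of the SAN layout described above (not code from the thread or from Cisco), the script below builds a multi-SAN CSR with the per-PSN guest hostnames and checks, before anything is sent to the CA, that the node's CN is also listed as a SAN. In a real deployment the CSR is generated on the ISE node itself; the hostnames here are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a CSR for one PSN whose SANs carry
# the static guest hostnames plus the node CN, then verifies the CN is a SAN.
set -e

NODE_CN="ise-psn1.example.com"                     # assumed PSN FQDN (placeholder)
GUEST_SANS="guest1.example.com guest2.example.com" # assumed per-PSN guest URLs

make_csr() {
    # $1 = CN, $2 = space-separated DNS SANs (used as given), $3 = CSR output path
    cn="$1"; sans="$2"; out="$3"
    workdir=$(mktemp -d)
    san=""
    for h in $sans; do san="${san:+$san,}DNS:$h"; done
    cat > "$workdir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    # The throwaway key is discarded with the temp dir; only the CSR is kept.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$workdir/key.pem" \
        -out "$out" -config "$workdir/req.cnf" 2>/dev/null
    rm -rf "$workdir"
}

csr_sans() {
    # Print the DNS SANs of a CSR, one hostname per line.
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

cn_in_sans() {
    # Exit 0 if the CSR's CN appears among its DNS SANs, 1 otherwise.
    cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p')
    csr_sans "$1" | grep -qx "$cn"
}

# Demo: the node CN is added to the SAN list alongside the guest hostnames.
CSR=$(mktemp)
make_csr "$NODE_CN" "$NODE_CN $GUEST_SANS" "$CSR"
if cn_in_sans "$CSR"; then echo "CN present in SANs: $(csr_sans "$CSR" | tr '\n' ' ')"
else echo "CN missing from SANs, fix the CSR before submitting it"; fi
```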

Hi Tarik

If the requirement is to use a well-known CA signed cert instead of the local CA, in this case do we have to sign the ISE CN URL + all SAN URLs?


Tks

G