cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3030
Views
5
Helpful
6
Replies

guest portal redirection with mulple PSNs

Gaj Ana
Level 1
Level 1

Hi All

 

In a distributed deployment where there is more than one PSN's how do we have a common url for guest redirection when doing a CWA (assuming no load balancer is used for the PSNs)? usually the redirection url would be 'https://<ise01.fqdn/guetsportal" or 'https://<ise02.fqdn/guetsportal" and we can only specify one in the wlc guest ssid?

 

Thanks

 

6 Replies 6

Saurav Lodh
Level 7
Level 7

Fully Qualified Domain Name in URL Redirection

When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:

url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias(name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of IP address during URL redirection. To do this, you can use the ip host command in the configuration mode from the Cisco ISE CLI:

ISE /admin(config)# ip host IP_address host-alias FQDN-string

where IP_address is the IP address of the network interface (eth1 or eth2 or eth3)

host-alias is the name that you assign to the network interface

FQDN-string is the fully qualified domain name of the network interface

Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.

Here is an example:

ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com

After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.

Use the no form of this command to remove the association of the host alias with the network interface:

ISE/admin(config)# no ip-host IP_address host-alias FQDN-string

Use the show running-config command to view the host alias definitions.

If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.

When you make use of non-eth0 interfaces for client provisioning or native supplicant or guest flows, you have to make sure that the IP address or host alias for non-eth0 interfaces should be configured appropriately in the Policy Service node certificate's SAN fields.

This doesn't answer the question. The purpose is to have the same URL no matter how many PSNs you have.

Hi Salodh,

Thankyou for the feedback, my purpose was different but this information was also useful.

Regs

G

 

jan.nielsen
Level 7
Level 7

Hi There,

Why do you wan't a common url ? CWA with ISE works the way you describe yourself, ISE puts the psn hostname in the url by itself, depending on which PSN got the initial radius request from the WLC. This works just fine. If you are concerned about balancing the load between the PSN's, you should search for Aaron Wolands document on load balancing with ise here on the community pages, it's not a simple task.

 

Regards

Jan

Hi Jan,

 

Tahnks for the feedback and that document was useful

 

The reason for having a common url in my case is to have one url for guest access and also not to expose internal fqdn to the guests.

 

Regs

G

jan.nielsen
Level 7
Level 7

Just in case i wasn't completely clear in my answer : If you do no load balancing of your PSNs, you can't have a single url for cwa guest redirect, ISE does not have any built-in load balancing feature.

The reason why load-balancing is a little tricky, is that the session id, which is part of the redirect url, is only known by the PSN that received the initial mab request from the WLC, when the client connected to the SSID. If you load-balance the guest portal, and just randomly or round-robin style redirect to a PSN, you will very likely hit one that does not know that sessionid, and your login will fail. You need to keep the client sticky to the psn that the wlc sent the radius request to.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: