02-17-2023 06:08 AM
In the event that I only have 2 active/standby ISEs, the issue of authentication is clear by having several RADIUS servers, but what about, for example, the captive portal that resolves to the active ISE's IP?
02-17-2023 11:21 AM
Hi @jorgeemilio.grillo, related to the situation you are mentioning, the node that has the PAN persona enabled is the node you have to connect to in order to see the dashboards and have management. The redundancy occurs when you have another node as SAN persona. In the scenario where the SAN is unavailable, you can continue having your management within the PAN while recovering the node. If the PAN becomes unavailable, what you can do is promote the SAN node to become a provisional PAN; once this procedure is finished you will recover the management while working on the previous PAN node. In any case, you don't have to make any changes to the IP of the nodes, as the node from which you will have the manageability of ISE is the one that has the PAN enabled as persona. To know more about it, please refer to the following Cisco Live presentation, from slide 382: https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3432.pdf
Let me know if that helped you.
02-19-2023 03:30 AM
Hi Rodrigo Diaz, thanks for the answer, it's very valuable, but maybe I didn't ask the question.
My question is about how high availability works for the captive guest portal.
As far as I know, each active/standby ISE has a different IP, and there is a name resolution for the portal URL to the active ISE IP. What happens when the active portal does not respond?
02-19-2023 05:31 AM
@jorgeemilio.grillo Normally you'd rely on an external load balancer.
If you don't have an LB, you could achieve the same thing in ISE. Create 2 authorisation rules: the first authz rule matches on the ISE-1 hostname and returns the ISE-1 portal URL. The second authz rule matches on the ISE-2 hostname and returns the ISE-2 portal URL. So whichever ISE PSN node the connection request is received on, ISE will redirect to the correct portal.
Refer to the Authorisation Profile and Policy Set section in this example: https://integratingit.wordpress.com/2020/01/19/ise-guest-access/
02-19-2023 10:25 AM
Thanks for the answer, it is very valuable. It's clearer to me.
Thank you so much.
Regards