cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1278
Views
10
Helpful
2
Replies
Justin Kurynny
Enthusiast

ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

Hi all.

I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.

We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.

Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.

I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.

 

So I ask:

What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.

Is there any Cisco documentation that talks about this?

 

Possibly related:
https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired

 

Justin

1 ACCEPTED SOLUTION

Accepted Solutions
Timothy Abbott
Cisco Employee

Hi Justin,

Node groups are primarily used for redundancy for sessions that are in posture pending status.  So because the controller is configured to use PSN-1 as the first RADIUS server, PSN-1 will have the session information for the client.  That information is not shared with PSN-2 which is why you are seeing "session expired."  In short, the node that handled the MAB request, needs to be the node that serves the custom portal.

 

DNS round robin is best for use with Sponsor portal and My Devices portal with a FQDN similar to sponosr.example.com and mydevices.example.com.  For CWA, a load-balancer is the best option if you want to employ multiple PSNs.  Aaron Woland wrote and article covering ISE and Load Balancing.  F5 also has some useful information on how to configure their load balancers with Cisco ISE.

 

Regards,

Tim

View solution in original post

2 REPLIES 2
Timothy Abbott
Cisco Employee

Hi Justin,

Node groups are primarily used for redundancy for sessions that are in posture pending status.  So because the controller is configured to use PSN-1 as the first RADIUS server, PSN-1 will have the session information for the client.  That information is not shared with PSN-2 which is why you are seeing "session expired."  In short, the node that handled the MAB request, needs to be the node that serves the custom portal.

 

DNS round robin is best for use with Sponsor portal and My Devices portal with a FQDN similar to sponosr.example.com and mydevices.example.com.  For CWA, a load-balancer is the best option if you want to employ multiple PSNs.  Aaron Woland wrote and article covering ISE and Load Balancing.  F5 also has some useful information on how to configure their load balancers with Cisco ISE.

 

Regards,

Tim

View solution in original post

Tim,

Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.

For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then

  1. modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
  2. modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
  3. reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again

The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.

PM me if you want the code. I'm have a little too much going on ATM to sanitize and post it. :)

 

Justin

Content for Community-Ad