01-20-2016 05:56 AM - edited 03-10-2019 11:24 PM
Hi, folks.
We have an ISE 2.0 Installation (still in test-mode) which consists of the following nodes:
2 x admin node
2 x policy node
2 x monitor node
2 x policy node (profiling only)
Most of the nodes reside in the same subnet/vlan, except for the profiling-only nodes (they only grab a http Monitor session with traffic to the web-proxies).
Following the deployment guides, it would make sense to put all profiling nodes which are on the same subnet into a node Group.
So I created a Group and put the "full" policy nodes into it. So far, so good !!!
Now, what does this node Group accomplish exactly ??? Do the nodes in that Group sync their radius-session data, too ???
I am asking this, because I run into Problems when trying to deploy wired guest-Portals with CWA:
Access Switch:
- Switch has 802.1x mechanism and mab fallback against the ise deployment configured
- It has ip http server and secure server configured
- It has a local Redirect ACL configured
ISE:
- has a mab authentication policy
- has a cwa authorization Profile (with redirect ACL, etc.)
- has an authorization Profile for logged-in guest users (when cwa is done successfully)
Up to this Point, this works fine, BUT:
The customer demands, that the Redirect URL (which is sent to the Clients) does not contain the ISE PSN hostname(s), but a static fqdn that is more reconizable to the guest user (some url with customers Company Name in it.... ).
No Problem, I thought (at first):
Just take the "customer" URL, enter it into DNS for Resolution (backward/Forward) with IP addresses of BOTH policy nodes, check the button "Static IP/Hostname/FQDN" in "common Tasks/web redirection" in the CWA authorization Profile, and that should be it !!
As I found out, it wasn't ....
When the Client authenticates and gets authorized by one of the psns (for example psn01), the Client winds up in cwa authorization Profile.
Now he opens a Webbrowser, enters a Website address, and gets redirected by the Switch to the "customer" URL.
To reach the guest Portal, the Client has to resolve the "customer" URL via DNS, Client gets DNS answer, but the answer contains the IP address of psn02 (because dns Resolution gets load-balanced when more than one entry exists) !!!
But PSN02 does not know this Client or his radius-session, so the Client gets a Website with an error !!!
How do I resolve this ???
How can I use a "static" URL for redirection, when I have more than one PSN that host the Portals....!!
Rgs
Frank
01-20-2016 06:28 AM
I think you need a Loadbalancer in front of the psn's which balances the radius request from the switches as well as the redirects for the clients and persists on the common session id. This way the PSN which got the mab request will also get the client request for the portal. I am not 100% sure if the session id is the corect persistence value however.
01-20-2016 11:40 PM
You can also not use the static hostname but use a "ip host ..." setting via the cli instead to set a different hostname for the portal. This way you can have a customer url which is recognizable but there still would be two of them like guestportal1.customer.com and guestportal2.customer.com. This way no Loadbalancer is needed and all works fine.
01-21-2016 05:36 AM
Hi,
sorry, I did not quite understand what you are trying to say ..... let's try step by step:
Like that ???
What is this supposed to accomplish .. ??
What do I enter in the cwa profile ??? Static fqnd ?? Or not static ??
Rgs
Frank
01-21-2016 05:43 AM
Hi,
yes you enter these commands on the two PSNs. In the CWA profile you uncheck the static fqdn box (so that it is NOT Static like in default profile). After that each psn will send the redirect url with these hostnames that you set on the cli of each node instead of the standard hostname of the ise.
The "ip address of psn 1/2" needs to be the address of the nic where the guestportal is active.
best regards
Thilo
01-21-2016 05:13 AM
Hi,
sadly, a loadbalancer is not an option here, because neither the customer, nor my boss (and his bosses) are willing to buy (and pay for) one .....
Anyway, I think I remember talking to Aaron Woland about this at one of the past ciscoLive's, with the result that it is not quite easy to put PS nodes behind a loadbalancer .... like cwa redirection does not work when PSNs are behind a loadbalancer, a direct path is needed.
This may have been with ISE in older versions, though .....
Rgs
Frank
01-21-2016 05:46 PM
Hello Frank-
While a Load Balancer would be very useful and cool, it is not required for using Node Groups. Node Groups provide many benefits to an ISE deployment:
From the ISE admin guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf
Create a Policy Service Node Group
When two or more Policy Service nodes (PSNs) are connected to the same high-speed Local Area Network (LAN), we recommend that you place them in the same node group. This design optimizes the replication of endpoint profiling data by retaining less significant attributes local to the group and reducing the information that is replicated to the remote nodes in the network. Node group members also check on the availability of peer group members. If the group detects that a member has failed, it attempts to reset and recover all URL-redirected sessions on the failed node.
|
We recommend that you make all PSNs in the same local network part of the same node group. PSNs need not be part of a load-balanced cluster to join the same node group. However, each local PSN in a load-balanced cluster should typically be part of the same node group. |
I would recommend you check out BRKSEC-3699 from Cisco Live. It provides further details on the benefits of Node Groups.
I hope this helps!
Thank you for rating helpful posts!
02-21-2016 10:58 PM
Hi Frank,
i have had a similar problem regarding guest portal hosted on different PSNs. I have solved this by configuring two redirect authorization policies which contains the dependency of the PSN which has received the request. That means the client will always be redirected to the guest portal of the PSN that gets the request. The appropriate attribute is called 'Network Access -> ISE Host Name EQUALS <name of psn>. You do not have to load balance with DNS, you should configure an DNS entry for each PSN.
Example:
ISE-Nodes:
ise01 / ise02
DNS-Entries:
guestportal1.company.com => 10.10.10.10
guestportal2.company.com => 10.10.10.11
Authorization-Rules:
1) IF MAB AND Network Access:ISE Host Name EQUALS ise01 THEN CWA to guestportal1.company.com
1) IF MAB AND Network Access:ISE Host Name EQUALS ise02 THEN CWA to guestportal2.company.com
Hope that helps.
BR, Florian
06-10-2016 01:04 AM
Hello to all ISE fans!
I have the same task to give guest users a friendly name in redirect URL, so I configured corresponding static DNS entries in CWA authorization Profiles and created two Authorization-Rules with Network Access:ISE Host Name, but these rules don't work.
Auth rules are the following:
Network Access:ISE Host Name EQUALS ise-dc01
Network Access:ISE Host Name EQUALS ise-dc02
We have two vmISE 2.1 nodes:
ISE01 (PRI(A), SEC(M)), IP 10.1.1.1, hostname ise-dc01
ISE02 (SEC(A), PRI(M)), IP 10.1.1.2, hostname ise-dc02
PSN01 and PSN02 are personas of the corresponding ADMIN nodes, so they have the same IP addresses and hostnames as ADMIN nodes.
From ISE CLI:
hostname ise-dc01
!
ip domain-name domain.local
What can be the reason, that auth rules don't work? (if I delete Network Access:ISE Host from auth rule, CWA works fine)
Maybe because PSN doesn't have it's own hostname?
I'll appreciate your help!
11-22-2016 06:18 AM
Did you ever manage to figure this out? Have the same issue with
"Network Access:ISE Host Name EQUALS" condition not matching
12-08-2016 01:25 PM
This works for me, I have a customer using google's DNS for the guest network and we have to do it like this, for now.
Have you check so lookup is the same as for ISE hostname? Also check the live log for an authC so everything match, eg hostname of the ISE.
I use the following (ISE 2.0):
05-23-2017 12:17 AM
How can get PSN, PAN and MNT details, like model no and serial no by login in cisco ise 3395 device through GUI.
please tell me.
05-09-2019 07:43 AM
You can view the information for PAN and SAN at the bottom of the license page via GUI.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide