06-24-2016 06:36 AM
Hello,
Session Information is not synced between PSNs right? So a session must remain on the same PSN?
If you have two PSNs with no load balancer as part of the Wireless CWA the ISE Authorization Policy result you can only point to a single PSN i.e. guestwireless.company.com. The DNS the Guest resolves must also only resolve to that PSN so it is the PSN that serves the client the Portal Page - otherwise you will get session expired errors.
If the PSN fails the WLC should attempt to use the secondary PSN as per the RADIUS list on the WLC. However, user intervention is still required as the customer will have to manually go in and tweak the Policy result to the secondary PSN i.e. guestwireless2.company.com and DNS for the secondary PSN - again to point to the secondary PSN, right?
06-24-2016 01:26 PM
CWA does not require you to specify the guest portal URL. With CWA the endpoint is redirected directly to the owning PSN. It sounds like you are referring to Local Web Auth (LWA) whereby you configure the FQDN of the portal on the WLC. Recommend using CWA instead to avoid limitations with LWA. If you absolutely must use LWA and cannot use LB, then one option is to have an intelligent DNS server respond based on server availability or else use Anycast where secondary interfaces on the PSNs are configured with the same IP address. If used, then routing from client to specific target IP should always be the same for the session. This can be accomplished using deterministic routing or IP tracking.
/Craig
06-24-2016 01:30 PM
Hi Craig, It is CWA, thanks
06-24-2016 01:42 PM
The issue is that you are setting a static target and not allowing dynamic redirection to occur. This issue is not directly related to lack of load balancer as you will have other challenges in getting LB to persist HTTP/S traffic to the same server which handled the RADIUS session for the same client. It is doable, but more complex.
For this case, you will need to configure separate authorization policy rules and authorization profiles. Each profile will point to specific PSN using unique FQDNs. The policy rule can then set condition IF ISE Server = PSN1, then AuthZ Profile = CWA-PSN1, and so on. The PSN portal certificate would need to have all FQDNs in the certificate SAN or else use wildcard certs to avoid cert warnings on client. The same FQDN cannot be used by all PSNs as ultimately you require DNS resolution to a real IP address, and this must be deterministic to point to the correct PSN. However, you could then have something like secure1.public.com, secure2.public.com.
If end goal is to use a specific FQDN, then I would recommend using dynamic URL and interface aliases ('ip host' command on the portal interface) to set the desired FQDN instead of adding complexity through static assignment.
06-29-2016 06:06 AM
Thanks Chyps, we are using a Wildcard and will use secure1.public.com and secure2.public.com as you suggested mapped to the correct DNS resolutions.
Did have it as dynamic and IP Host but I had problems in the past with it not redirecting properly - see
ISE 2.0.1 - Guest CWA not redirecting to correct URL
Will have a look at configuring separate policies.
Thanks
08-09-2018 08:47 AM
Hi Craig,
I have a scenario where it is not possible to use aliases. Which attribute is possible to use for the creation of a rule identifying the ISE node? I have tried already with Network Access: Radius Server, but it doesn't seem to work (using contains: part of the ISE node name). Any help would be very much appreciated.
Regards,
James
08-09-2018 09:02 AM
I've just found the answer. The correct parameter is Network Access: ISE Host Name, located on the Address Library. I was looking for it on the Server Library, that was my mistake.
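The per-PSN rule design Craig describes (IF ISE Server = PSN1 THEN AuthZ Profile = CWA-PSN1, each profile with its own FQDN, DNS for that FQDN pointing only at that PSN, and every FQDN in the certificate SAN or covered by a wildcard), together with the Network Access: ISE Host Name attribute James found, can be modelled and sanity-checked as below. This is an added example, not Cisco ISE code; the attribute name and profile naming follow the thread, while the hostnames, IP addresses, DNS records and SAN entries are constructed for illustration.

```python
"""Added example (not Cisco ISE code): models the per-PSN CWA design from this
thread, where each PSN gets its own authorization rule, profile and portal
FQDN, and checks the three things that must line up for it to work:
FQDN -> DNS -> owning PSN, and FQDN -> certificate SAN.
The attribute name is the one the thread names; hostnames, IPs and SAN
entries are constructed for illustration."""

# Condition attribute (Address Library), as found in the thread.
ISE_HOST_ATTR = "Network Access:ISE Host Name"

# Constructed: one rule per PSN, each pointing at a unique portal FQDN.
AUTHZ_RULES = [
    {"ise_host": "psn1", "profile": "CWA-PSN1", "portal_fqdn": "secure1.public.com"},
    {"ise_host": "psn2", "profile": "CWA-PSN2", "portal_fqdn": "secure2.public.com"},
]
# Constructed: PSN portal interface addresses and the DNS zone data.
PSN_IPS = {"psn1": "10.0.0.11", "psn2": "10.0.0.12"}
GOOD_DNS = {"secure1.public.com": "10.0.0.11", "secure2.public.com": "10.0.0.12"}
# Constructed: both names accidentally point at PSN1 (the "session expired" case).
BAD_DNS = {"secure1.public.com": "10.0.0.11", "secure2.public.com": "10.0.0.11"}
# Constructed: a wildcard SAN covers both FQDNs; an explicit SAN list covers one.
WILDCARD_SANS = ["*.public.com"]
PARTIAL_SANS = ["secure1.public.com"]


def select_profile(radius_attrs, rules=AUTHZ_RULES):
    """IF ISE Host Name = PSNx THEN AuthZ Profile = CWA-PSNx.
    Returns (profile name, redirect URL) or (None, None) when no rule matches.
    The PSN that owns the RADIUS session therefore always redirects to itself."""
    host = radius_attrs.get(ISE_HOST_ATTR)
    for rule in rules:
        if rule["ise_host"] == host:
            # Portal URL form is constructed; only the FQDN matters here.
            return rule["profile"], "https://%s/portal/" % rule["portal_fqdn"]
    return None, None


def san_covers(fqdn, cert_sans):
    """True if fqdn is an exact SAN entry or matches a single-label wildcard
    (*.public.com covers secure1.public.com but not a.b.public.com)."""
    fqdn = fqdn.lower()
    for san in cert_sans:
        san = san.lower()
        if san.startswith("*."):
            if fqdn.endswith(san[1:]) and fqdn.count(".") == san.count("."):
                return True
        elif san == fqdn:
            return True
    return False


def check_design(rules, dns, psn_ips, cert_sans):
    """Return a list of problems (empty means consistent):
    - the same FQDN used by two PSNs (DNS cannot be deterministic),
    - an FQDN whose DNS record is not the owning PSN (wrong PSN serves the
      portal, client sees a session expired error),
    - an FQDN missing from the portal certificate SAN (browser cert warning)."""
    problems = []
    owner = {}
    for rule in rules:
        fqdn, host = rule["portal_fqdn"], rule["ise_host"]
        if owner.get(fqdn, host) != host:
            problems.append("%s is shared by %s and %s" % (fqdn, owner[fqdn], host))
        owner[fqdn] = host
        if dns.get(fqdn) != psn_ips.get(host):
            problems.append("%s resolves to %s, but %s is %s"
                            % (fqdn, dns.get(fqdn), host, psn_ips.get(host)))
        if not san_covers(fqdn, cert_sans):
            problems.append("%s not covered by certificate SAN %s" % (fqdn, cert_sans))
    return problems


if __name__ == "__main__":
    print(select_profile({ISE_HOST_ATTR: "psn2"}))
    print("good design:", check_design(AUTHZ_RULES, GOOD_DNS, PSN_IPS, WILDCARD_SANS))
    print("bad DNS:", check_design(AUTHZ_RULES, BAD_DNS, PSN_IPS, WILDCARD_SANS))
    print("partial SAN:", check_design(AUTHZ_RULES, GOOD_DNS, PSN_IPS, PARTIAL_SANS))
```

Running the script with the constructed data shows the good design passing and the two broken variants each producing one finding; swapping in a shared FQDN for both PSNs produces the non-deterministic-DNS finding that Craig's answer warns about.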
04-03-2019 10:33 PM
Hi All,
If I need to generate a certificate for the guest portal for two PSNs where I am not using a load balancer but rather the static IP/hostname option, where psn1 is guest1.company.com and psn2 is guest2.company.com, would the cert look something like this:
CN: guest.company.com
SAN: DNS - guest1.company.com, DNS - guest2.company.com
05-07-2019 12:52 AM
Hello Craig,
"This issue is not directly related to lack of load balancer as you will have other challenges in getting LB to persist HTTP/S traffic to same server which handled the RADIUS session for same client"
Sorry for renewing an old post but I see this comment and I am having a very similar issue. Do you know how we could achieve this?
The reason being the client wants to have a guest.domain.com point to a load balancer vip with public certificate.
Any help is appreciated.
cheers
HG