11-12-2018 03:16 AM - edited 03-11-2019 01:51 AM
Hi guys,
We're using two ISE Prim/Seco and I am trying to configure wired guest portal on eth1 (I know if I use port eth0 ISE will choose its hostname i.e ise1.example.com/ise2.example.com) the redirection works as long as it's not using any fqdn. I tried to configure to use static ip/fqdn in authorization profile but that didn't work. so I tried the ip host as following and this didn't work either. In both cases the client doesn't redirect but when I change the fqdn to ip in the browser it works just fine.
ip host 10.1.1.190 guests guests.exammple.com ip host 10.1.1.191 guests guests.exammple.com
In my previous setup (2.3) with one ISE it worked fine to use a static fqdn in the authorization profile and client were redirected correctly.
Any help or hint would be very much appreciated!
Solved! Go to Solution.
11-12-2018 04:22 AM - edited 11-12-2018 04:28 AM
If this is something working in a previous release then should be working through tac
why can’t you use dynamic redirection
11-12-2018 04:22 AM - edited 11-12-2018 04:28 AM
If this is something working in a previous release then should be working through tac
why can’t you use dynamic redirection
11-12-2018 04:27 AM
In previous version I used only ONE ise and this setup that I am trying to configure CWA is a distributed deployment so there is difference.
11-13-2018 02:24 AM
Did you mean the IP address in URL of Gig1 or Gig0 works? In your portal config did you put a tick against Gig1 interface? Stupid question - just checking ..
Could it be that the client is somehow not resolving the DNS entry for that FQDN? e.g. I had cases where I was testing something specific and I had to hard code my etc\hosts file for a while.
Other than that I can't think why this wouldn't work. Does adding an IP host command require application restart (or reboot)?
11-14-2018 01:17 AM - edited 11-14-2018 01:18 AM
Jason, the link you provided worked like a dream, and happy it solved my problem, though when those authorizations rules are active all clients are hitting the guest rule and all are redirected to guest portal even the domain pc which they shouldn't but that is another problem and nothing have to do with this thread, therefore I'll mark it as solved.
@Arne Bier, yes, the gig 1 interface is ticked otherwise the traffic will go through gig 0 which we do not want to. Unfortunately the ip host restarts the application. It feels like I am doing something wrong but not sure what... I guess that is a learning curve as well. :)
11-14-2018 07:07 AM
11-15-2018 12:13 AM
It's for my wired guests not wireless.
Well my VLAN ID was already in the authorization rules I created for both of my ISE and honestly I think that was what made all users, PC, etc to be redirected to the urls. And now I can't test as those are in production now. I will definitely test it the next maintenance window and update here.
Thanks though for taking the time and helping out, much appreciated!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide