cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5313
Views
0
Helpful
6
Replies

ISE 2.4 CWA Guest portal redirection on distributed deployment

walwar
Level 1
Level 1

Hi guys,

 

We're using two ISE Prim/Seco and I am trying to configure wired guest portal on eth1 (I know if I use port eth0 ISE will choose its hostname i.e ise1.example.com/ise2.example.com) the redirection works as long as it's not using any fqdn. I tried to configure to use static ip/fqdn in authorization profile but that didn't work. so I tried the ip host as following and this didn't work either. In both cases the client doesn't redirect but when I change the fqdn to ip in the browser it works just fine. 

 

ip host 10.1.1.190 guests guests.exammple.com
ip host 10.1.1.191 guests guests.exammple.com


In my previous setup (2.3) with one ISE it worked fine to use a static fqdn in the authorization profile and client were redirected correctly.

 

Any help or hint would be very much appreciated!

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

If this is something working in a previous release then should be working through tac

 

Did you use this?
 

why can’t you use dynamic redirection

 

 

View solution in original post

6 Replies 6

Jason Kunst
Cisco Employee
Cisco Employee

If this is something working in a previous release then should be working through tac

 

Did you use this?
 

why can’t you use dynamic redirection

 

 

In previous version I used only ONE ise and this setup that I am trying to configure CWA is a distributed deployment so there is difference. 

Did you mean the IP address in URL of Gig1 or Gig0 works?  In your portal config did you put a tick against Gig1 interface?  Stupid question - just checking ..

Could it be that the client is somehow not resolving the DNS entry for that FQDN?  e.g. I had cases where I was testing something specific and I had to hard code my etc\hosts file for a while. 

Other than that I can't think why this wouldn't work. Does adding an IP host command require application restart (or reboot)?

Jason, the link you provided worked like a dream, and happy it solved my problem, though when those authorizations rules are active all clients are hitting the guest rule and all are redirected to guest portal even the domain pc which they shouldn't but that is another problem and nothing have to do with this thread, therefore I'll mark it as solved.

 

@Arne Bier, yes, the gig 1 interface is ticked otherwise the traffic will go through gig 0 which we do not want to. Unfortunately the ip host restarts the application. It feels like I am doing something wrong but not sure what... I guess that is a learning curve as well. :)

Glad to here perhaps you can match your GUEST SSID or WLAN ID as well in those authorization rules. Like in this article https://www.network-node.com/blog/2017/10/7/ise-23-new-policy-sets

It's for my wired guests not wireless.

Well my VLAN ID was already in the authorization rules I created for both of my ISE and honestly I think that was what made all users, PC, etc to be redirected to the urls. And now I can't test as those are in production now. I will definitely test it the next maintenance window and update here.

 

Thanks though for taking the time and helping out, much appreciated!