I'm working on a LAB for deploying an ISE sponsor guest portal with multiple 5520 WLCs.
The SSID where I want to enable the guest portal is an isolated SSID (layer 2 VLAN), as it's currently in use and the business doesn't want guests to have access to our corporate network.
Our ISE nodes are in our corporate network.
The problem I have is that the portal is not accessible from the guest VLAN, so the users cannot reach the portal to log in.
Is there a possibility to "switch" from the guest VLAN to a corporate VLAN only for reaching the guest portal, then switch back to the guest VLAN once identified?
Or is the only solution to use access via the WAN? I mean putting a PSN node in a DMZ, for example?
Not sure what your network topology looks like. (If you have a FW or any routing device in between, you can allow only the guest portal from the Internet network or from your DC, for the IP addresses required.)
An example will guide:
@Clem58 - not sure if I understand your dilemma - but the Guest VLAN and the ISE PSN VLAN hosting the guest portal are not the same (or should never be the same). Remember that RADIUS traffic is involved in guest auth, and this goes to the PSN. The guest will be on a guest VLAN (e.g. VLAN 100) and will always remain on that VLAN. It will get an IP (DHCP), DNS etc. The only time that a guest communicates with ISE is during the portal authentication, and that traffic should be constrained via ACL on the switch/WLC to only allow the guest to establish a connection to each PSN on TCP/8443 (TCP/8443 is the default port for a portal) - nothing else will be allowed from the client towards ISE. You can send that connection through a firewall, of course.
You can switch VLANs for pre-auth and post-auth - technically it's possible via AAA override - but this never works, because the end client will not be aware that the VLAN has changed and hence will not request DHCP again after the VLAN switch. Even on wired networks (with physical link state changes) this only works in some cases.
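The following is an added example, not part of Arne's post or any Cisco document: an AireOS (5520) pre-auth/redirect ACL that implements the constraint he describes (guest clients may reach each PSN only on TCP/8443, plus DNS, everything else is redirected to the portal), together with the guest WLAN knobs that make the WLC honour what ISE returns. Every name and address is an assumption: the ACL name GUEST-PREAUTH, guest subnet 192.168.100.0/24, PSNs 10.10.10.11 and 10.10.10.12, WLAN id 5 and RADIUS server index 1. Lines starting with `#` are annotations, not WLC CLI input. DHCP entries are omitted on the assumption that the controller's DHCP proxy handles that traffic; add UDP/67-68 rules if the ACL counters show it being dropped.

```text
# Added example (not from the thread). ACL name must equal the url-redirect-acl
# value in the ISE authorization profile (cisco-av-pair = url-redirect-acl=GUEST-PREAUTH).
# Assumed values: guest VLAN 192.168.100.0/24, PSNs 10.10.10.11 and 10.10.10.12.
config acl create GUEST-PREAUTH

# Rules 1/2: guest -> PSN1 on TCP/8443, and the return traffic. AireOS ACLs are
# stateless, so both directions must be listed explicitly.
config acl rule add GUEST-PREAUTH 1
config acl rule protocol GUEST-PREAUTH 1 6
config acl rule source address GUEST-PREAUTH 1 192.168.100.0 255.255.255.0
config acl rule destination address GUEST-PREAUTH 1 10.10.10.11 255.255.255.255
config acl rule destination port range GUEST-PREAUTH 1 8443 8443
config acl rule direction GUEST-PREAUTH 1 in
config acl rule action GUEST-PREAUTH 1 permit

config acl rule add GUEST-PREAUTH 2
config acl rule protocol GUEST-PREAUTH 2 6
config acl rule source address GUEST-PREAUTH 2 10.10.10.11 255.255.255.255
config acl rule source port range GUEST-PREAUTH 2 8443 8443
config acl rule destination address GUEST-PREAUTH 2 192.168.100.0 255.255.255.0
config acl rule direction GUEST-PREAUTH 2 out
config acl rule action GUEST-PREAUTH 2 permit

# Rules 3/4: the same pair for PSN2, so the client can reach whichever PSN
# answered the RADIUS request and issued the redirect URL.
config acl rule add GUEST-PREAUTH 3
config acl rule protocol GUEST-PREAUTH 3 6
config acl rule source address GUEST-PREAUTH 3 192.168.100.0 255.255.255.0
config acl rule destination address GUEST-PREAUTH 3 10.10.10.12 255.255.255.255
config acl rule destination port range GUEST-PREAUTH 3 8443 8443
config acl rule direction GUEST-PREAUTH 3 in
config acl rule action GUEST-PREAUTH 3 permit

config acl rule add GUEST-PREAUTH 4
config acl rule protocol GUEST-PREAUTH 4 6
config acl rule source address GUEST-PREAUTH 4 10.10.10.12 255.255.255.255
config acl rule source port range GUEST-PREAUTH 4 8443 8443
config acl rule destination address GUEST-PREAUTH 4 192.168.100.0 255.255.255.0
config acl rule direction GUEST-PREAUTH 4 out
config acl rule action GUEST-PREAUTH 4 permit

# Rules 5/6: DNS (UDP/53) both ways, so the client can resolve the portal FQDN
# in the redirect URL. Restrict the destination to the guest DNS server if known.
config acl rule add GUEST-PREAUTH 5
config acl rule protocol GUEST-PREAUTH 5 17
config acl rule destination port range GUEST-PREAUTH 5 53 53
config acl rule direction GUEST-PREAUTH 5 in
config acl rule action GUEST-PREAUTH 5 permit

config acl rule add GUEST-PREAUTH 6
config acl rule protocol GUEST-PREAUTH 6 17
config acl rule source port range GUEST-PREAUTH 6 53 53
config acl rule direction GUEST-PREAUTH 6 out
config acl rule action GUEST-PREAUTH 6 permit

# Everything else falls into the implicit deny. In an AireOS redirect ACL a deny
# means "intercept and redirect to the portal", so guest HTTP is caught while
# nothing else on the intranet is reachable.
config acl apply GUEST-PREAUTH

# Guest WLAN (assumed id 5): MAC filtering so ISE receives a MAB request, RADIUS
# NAC so ISE can push the redirect, AAA override so the returned ACL/URL apply.
config wlan disable 5
config wlan mac-filtering enable 5
config wlan nac radius enable 5
config wlan aaa-override enable 5
config wlan radius_server auth add 5 1
config wlan radius_server acct add 5 1
config wlan enable 5

# Check rule order and per-rule hit counters after a client tries the portal.
show acl detailed GUEST-PREAUTH
```

Two checks worth doing before blaming the WLC: `show acl detailed GUEST-PREAUTH` should show rule 1 or 3 counting up when the client loads the portal (if only the implicit deny counts, the client is being redirected but its TCP/8443 flow is not permitted), and a `show client detail <mac>` should list the redirect URL and ACL name exactly as ISE returned them. Note also that the permit/deny meaning of a redirect ACL is the opposite on Catalyst/IOS-XE switches, so do not copy this ACL to a wired NAD unchanged.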
Thanks Arne for your answer.
I will try to clarify.
I understand that to have the guest portal reachable from the guest VLAN, the guest VLAN has to be able to communicate with the VLAN where the ISE PSN is located. Of course it's filtered by an ACL at the WLC level, but that still means the guests need to have access to the portal URL that they are redirected to.
In our case, our guest VLAN is totally isolated from the other VLANs, including the one where our PSN is located. No firewall in between. The L2 VLAN IP addresses, gateway and DNS are delivered by a separate DHCP server in an Internet box. So that means the guests in that VLAN can never have access to the guest portal URL. When I connect a client to the corresponding SSID that is set with the guest L2 VLAN, it gets its IP/GW/DNS successfully but cannot connect to the portal; it times out.
So the only option on my side is that, for these clients, we need to have the guest portal reachable from the WAN/Internet.
I see. It's certainly doable. But in my opinion, if you prefer to expose an ISE portal to the big bad Internet, then that in itself poses a larger attack surface than having the guest VLAN have IP reachability on the intranet. Having the guest portal URL in public DNS with a public IP address means that the ISE TCP port is open to anyone worldwide (even if it's fronted by a load balancer/firewall etc.).
Most security conscious organisations will go as far as deploying a dedicated (pair of) PSN(s) in the DMZ - the IP routing between the guest VLAN and the ISE in the DMZ goes through firewalls, and the WLC applies L2 ACLs etc. It's quite a few layers of defence, with the added benefit that you'd have to be physically on the guest VLAN to pose as a potential threat to the intranet security.
I totally agree with you Arne, and the goal is that in the end we have the guest VLAN controlled by a firewall, and everything internal in terms of ISE and the guest portal.
But this is something that will take time to put in place; it will be counted in years.
Managers want to have a guest portal in place, because currently we have one guest SSID with a PSK that is shared between lots of people, and we don't have this under control.
If we put the PSN in the DMZ, we will limit the traffic to port 8443 only, and internally we will also limit the sources and the ports. That will be temporary, while we put firewalls everywhere. Anyway, our security team will have to approve that solution.
In fact, a solution could be to have one VLAN for auth and redirection to the web portal, and another one once the auth is successful. I mean the VLANs switched by the WLC or ISE, and a DHCP renew would also have to be done, but I don't think this kind of feature exists.