ISE 2.4 Sponsor Guest Portal and multiple PSNs - Failover

Clem58
Level 3

Hello,

I'm working on deploying a Sponsor Guest portal on our ISE 2.4.

We have 2 admin nodes and 4 PSN nodes.

I'm planning to install a certificate with a common FQDN on each PSN, only for portals, for example: sponsorguest.local.eu

On our WLCs, we have an ACL for the 1st PSN, and in the WLAN RADIUS config we have the 4 PSNs entered.

On ISE we have a CWA authorisation profile that points to the Sponsored Guest Portal, uses the WLC ACL, and uses the static IP/hostname/FQDN sponsorguest.local.eu.

Other settings are configured correctly, and the sponsor guest portal is currently working well.

My question is: will failover work with that config in case we lose the 1st PSN, or do I need to:

  • Add ACLs for the other PSNs in the WLC?
  • Add other configuration in ISE?

Many thanks in advance for your help.


girish_gavandi
Level 1

Dear Clem58,

You need to update your CWA ACL in the WLC to reflect the other PSN IP addresses (similar to the first PSN node).

Add the remaining PSN IP addresses to the WLC (AAA) RADIUS authentication and accounting servers.

In the WLC SSID RADIUS dropdown, select the other PSN nodes.

In ISE, create an authorization profile for the rest of the PSN nodes.

Call them in the policy rules.

This way, when the first PSN is down, the WLC will send requests to the next PSN node.

Hope this helps.
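A quick consistency check for the first step above, added here as an example rather than anything from this thread or from Cisco: given the WLAN's RADIUS server list and the pre-authentication (CWA redirect) ACL entries, it reports which PSNs the WLC could fail over to that the ACL does not permit on the portal port, and builds the completed ACL. All IP addresses are constructed samples, and the script assumes the portals are left on ISE's default port 8443.

```python
"""Check that a WLC pre-auth (CWA redirect) ACL permits every PSN the WLAN can fail over to.

Added example, not from the thread. All addresses are constructed samples.
"""
import ipaddress

# ISE's default guest/sponsor portal port (assumption: portals left on the default).
PORTAL_PORT = 8443

# Constructed sample: the four PSNs configured as RADIUS servers on the WLAN.
RADIUS_SERVERS = ["10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14"]

# Constructed sample of a pre-auth ACL as the question describes it:
# only the first PSN's portal is permitted. Each entry is (destination, port),
# with port None meaning "any port".
WLC_ACL_PERMITS = [
    ("10.1.1.11/32", PORTAL_PORT),  # portal HTTPS on PSN 1 only
    ("10.1.1.5/32", 53),            # DNS, so the client can resolve the portal FQDN
]


def permits(acl, ip, port):
    """True if some ACL entry allows traffic to ip:port."""
    addr = ipaddress.ip_address(ip)
    for dest, p in acl:
        if addr in ipaddress.ip_network(dest, strict=False) and (p is None or p == port):
            return True
    return False


def uncovered_psns(radius_servers, acl, port=PORTAL_PORT):
    """PSNs the WLC may redirect to but the ACL would block on the portal port.

    A client redirected to one of these after a failover would never reach the
    portal, so the guest flow silently breaks even though RADIUS failed over.
    """
    return [ip for ip in radius_servers if not permits(acl, ip, port)]


def complete_acl(radius_servers, acl, port=PORTAL_PORT):
    """Return a copy of the ACL with a /32 permit added for every uncovered PSN."""
    fixed = list(acl)
    for ip in uncovered_psns(radius_servers, acl, port):
        fixed.append((f"{ip}/32", port))
    return fixed


if __name__ == "__main__":
    missing = uncovered_psns(RADIUS_SERVERS, WLC_ACL_PERMITS)
    print("PSNs not reachable through the pre-auth ACL:", missing)
    print("ACL after adding them:", complete_acl(RADIUS_SERVERS, WLC_ACL_PERMITS))
```

Run it against your own server list and ACL entries; any PSN it reports is one the WLC can fail over to for RADIUS while the redirected client is still blocked from that node's portal.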

 

 

Thanks for your help Girish.

About this statement: "In ISE, create authorization profile for the rest of the PSN nodes"

I'm using the FQDN in the static config, so basically I don't have to add the other PSNs? Or do you mean I need to add every PSN node's hostname here and not the portal FQDN?

[attachment: Capture.JPG]

Furthermore, in DNS this FQDN is bound to the 1st PSN IP address. Do we also need to do anything in DNS, or will ISE redirect requests to the other PSNs when the 1st one is down?

Hi Clem,

For the Sponsor Portal, the configuration you have is sufficient. I thought you were trying to add HA for the guest portal!

However, look at the possibility of putting the PSNs behind a load balancer. You will get around the certificate warnings, if any, and also have HA for the sponsor portal.

Regards,

Girish

Hi Girish,

I am working on a similar ISE failover solution, as I am planning to host ISE on Azure.

For guest and sponsor portal failover, my understanding is that although the portal page and auth role are held by ISE, the WLC should forward (actually redirect) the traffic when a guest starts browsing? To arrive at a solution for ISE (guest/sponsor) portal high availability, if I go for the native Azure LB, how and where should I configure it in the WLC? The LB VIP address? [Currently on-prem I don't think they have HA for the guest/sponsor portal.]

Besides, there is a limitation on performing health probes on TACACS ports with the native LB, hence we cannot use the LB for network device authentication. So for that we need to do manual promotion?

Hi Ramakrishnan,

Apologies for the delayed response. I hope by now you have figured out that the LB VIP is to be configured in the WLC for auth redirection.

Optionally you can put the PSNs in a node group if they are located in the same DC. This will help with session replication between the PSNs and avoid failures.

Regards,

Girish