01-20-2020 12:36 AM
01-20-2020 01:26 PM
There are some options here depending on whether you're talking about Wired or Wireless Guest, where the NADs (switches/WLCs) are located, etc.
NAT is not supported for the RADIUS traffic from the NADs to the WLCs, but NAT should not affect traffic from the client subnet to the PSN as long as the routing is there and the clients can resolve the PSNs via DNS.
You could also look at distributed PSNs at the remote sites (if the sites have local AD/DNS services) or using dual interfaces on the PSNs in the DC with one interface connected to a DMZ or other external zone for user-facing portals.
I would suggest having a look at the Load Balancing RADIUS and Load Balancing Web Services sections in the following CiscoLive session reference deck to understand the flows better. You will likely need to map out your end-to-end flows in detail to understand them step-by-step and identify any issues.
Cisco Live 2018 Orlando: Designing ISE for Scale & High Availability - BRKSEC-3699
Cheers,
Greg
01-20-2020 02:58 AM
01-20-2020 10:11 PM
01-21-2020 04:21 AM
Correct, you will need an Anchor WLC that would sit behind your firewall in a DMZ. The problem with the mobility tunnels over your WAN is that they can impact WAN utilization and the additional hardware and setup cost of the Anchor WLC.
Another option to consider is to use a routable "onboarding subnet" for each site. This VLAN will allow Guests to get access only to the ISE sponsored guest portal; once authenticated successfully, ISE can put the client back into your existing non-routable Guest VLAN.
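Both answers above come down to the same homework: write down every flow the guest design depends on (guest client to DNS and to the PSN portal, NAD to PSN for RADIUS, PSN back to the NAD for the change of authorization that moves the client into the guest VLAN) and check each one against the ACLs and firewall rules in the path. The following script is an added example, not code from the thread or from Cisco; it models a first-match ACL with an implicit deny and audits a list of required flows against it. All addresses and the port numbers it uses are constructed assumptions (TCP 8443 as the ISE portal port, UDP 1812/1813 for RADIUS, UDP 1700 for CoA to a Cisco NAD are the usual defaults, not values from the thread), and the sample policy deliberately omits the CoA return path so the audit shows how a missing flow surfaces.

```python
"""Audit required ISE guest flows against a first-match ACL policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One end-to-end flow to verify; expect is the outcome the design requires."""
    name: str
    src: str      # source network or host, CIDR notation
    dst: str      # destination network or host, CIDR notation
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    expect: str   # "permit" or "deny"


@dataclass(frozen=True)
class Rule:
    """One ACL / firewall entry, evaluated top-down, first match wins."""
    action: str
    src: str
    dst: str
    proto: str = "ip"           # "ip" matches any transport protocol
    port: Optional[int] = None  # None matches any destination port


def _covered(inner: str, outer: str) -> bool:
    """True when every address of `inner` lies inside `outer`."""
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_covered(flow.src, rule.src)
            and _covered(flow.dst, rule.dst)
            and rule.proto in ("ip", flow.proto)
            and rule.port in (None, flow.port))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return the action of the first matching rule; implicit deny if none match."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def audit(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """List every flow whose policy outcome differs from what the design requires."""
    problems = []
    for flow in flows:
        got = evaluate(rules, flow)
        if got != flow.expect:
            problems.append(f"{flow.name}: expected {flow.expect}, policy gives {got}")
    return problems


# Constructed addressing (assumption): remote-site onboarding VLAN 10.50.10.0/24,
# site switch (NAD) 10.50.0.1, PSN 10.0.100.10 and DNS 10.0.100.53 in the DC.
GUESTS, NAD, PSN, DNS, ANY = "10.50.10.0/24", "10.50.0.1/32", "10.0.100.10/32", "10.0.100.53/32", "0.0.0.0/0"

# Onboarding-VLAN ACL plus the DC firewall entries for NAD<->PSN, in evaluation order.
# The PSN -> NAD CoA entry is intentionally missing so the audit flags it.
POLICY = [
    Rule("permit", GUESTS, DNS, "udp", 53),      # guests may resolve the PSN FQDN
    Rule("permit", GUESTS, PSN, "tcp", 8443),    # guests may reach only the sponsored portal
    Rule("deny", GUESTS, ANY),                   # everything else from the onboarding VLAN
    Rule("permit", NAD, PSN, "udp", 1812),       # RADIUS authentication
    Rule("permit", NAD, PSN, "udp", 1813),       # RADIUS accounting
]

FLOWS = [
    Flow("guest-dns", GUESTS, DNS, "udp", 53, "permit"),
    Flow("guest-portal", GUESTS, PSN, "tcp", 8443, "permit"),
    Flow("guest-internet-before-auth", GUESTS, ANY, "tcp", 443, "deny"),
    Flow("nad-radius-auth", NAD, PSN, "udp", 1812, "permit"),
    Flow("nad-radius-acct", NAD, PSN, "udp", 1813, "permit"),
    Flow("psn-coa-to-nad", PSN, NAD, "udp", 1700, "permit"),  # needed to move the client to the guest VLAN
]

if __name__ == "__main__":
    for problem in audit(POLICY, FLOWS) or ["all required flows match the policy"]:
        print(problem)
```

Running it reports `psn-coa-to-nad: expected permit, policy gives deny`: the portal and RADIUS flows work, but without the CoA return path the client would authenticate and then never be moved out of the onboarding VLAN. Replace the constructed rules with the real ACL and firewall entries for each site and rerun the audit whenever the design (anchor WLC, distributed PSNs, DMZ-facing PSN interface) changes.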