ISE and its certificates + redundancy

Maciej Waliszko
Level 1

Hello,

Let's say that I have a distributed deployment (PAN/MNT (a/s), PAN/MNT (s/a), 2x PSNs).

My question and the concern I have are related to portal redirection for BYOD and guest scenarios.

From what I have read, to have redundancy for the guest portal while having 2 PSNs, it is more or less required to have two rules:

1)

if network access ISE hostname equals psn1 then use authorization profile byodportal1

if network access ISE hostname equals psn2 then use authorization profile byodportal2

2)

FQDN for psn1: byodportal1.mydomain.local

FQDN for psn2: byodportal2.mydomain.local

To sum up:

- 2 rules

- different URL for each PSN (and as a consequence the certificate assigned to the PSNs should contain 2 entries in the SAN)

The above is true for guest portal.

The same seems to also be true for the BYOD portal (single SSID flow scenario).

However, a different type of redundancy is used for the sponsor or MyDevices portal -> DNS round robin (two DNS A records pointing to the same name for two different IPs of PSNs).

What's the reason behind that? Why is there a difference here?

What about other portal types? Let's say certificate provisioning portal for BYOD?

Accepted Solution

Arne Bier
VIP

Hi @Maciej Waliszko 

The reason for the AuthZ Profile rules for the Guest and BYOD Portal is due to the fact that we program the Policy Set in the Admin node and the same programming is sent to each PSN that has Services enabled. When the code runs, each PSN executes the same steps. You have to make the PSN "self-aware" to allow the correct URL to be returned for the PSN that received the MAB request. As for the Sponsor Portal, there is no MAB involved, hence this is a pure DNS discussion. The user does the DNS resolution of the portal and the DNS system returns the IP address(es) of that FQDN. The client decides which IP(s) to use to build the TCP connection to the portal. Hope that helps?

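A small check that follows from the two answers above, added here as an example and not part of the original thread or of Cisco ISE: given each PSN's portal certificate SAN list (the same list for both if one certificate is shared), it verifies that the PSN-specific redirect FQDNs (guest/BYOD, one per AuthZ profile) and the shared DNS round robin names (sponsor, MyDevices) are all covered, using RFC 6125-style single-label wildcard matching. All hostnames and SAN entries below are constructed samples.

```python
"""Audit portal certificate SAN coverage for a two-PSN ISE deployment.

Guest/BYOD redirects carry a per-PSN FQDN (one AuthZ profile per PSN), while
sponsor/MyDevices portals share one FQDN resolved by DNS round robin. Every
name a client may be sent to must match a SAN entry on that PSN's portal cert.
"""
from typing import Iterable


def san_matches(san_entry: str, hostname: str) -> bool:
    """Exact match, or a '*' standing for exactly one leftmost label (RFC 6125 style)."""
    san_entry, hostname = san_entry.lower().rstrip("."), hostname.lower().rstrip(".")
    if san_entry == hostname:
        return True
    if san_entry.startswith("*."):
        first, dot, rest = hostname.partition(".")
        # The wildcard never covers the bare domain or more than one label.
        return dot == "." and first != "" and "." + rest == san_entry[1:]
    return False


def required_names(psn: str, per_psn_portals: dict, shared_portals: Iterable[str]) -> set:
    """Names clients reach on this PSN: its own redirect FQDNs plus the shared ones."""
    return set(per_psn_portals[psn].values()) | set(shared_portals)


def missing_san_entries(psn: str, san: list, per_psn_portals: dict, shared_portals: Iterable[str]) -> list:
    """Required names for `psn` that no SAN entry on its certificate matches."""
    return sorted(name for name in required_names(psn, per_psn_portals, shared_portals)
                  if not any(san_matches(entry, name) for entry in san))


def audit(san_by_psn: dict, per_psn_portals: dict, shared_portals: Iterable[str]) -> dict:
    """Map each PSN to the list of portal FQDNs its certificate does not cover."""
    return {psn: missing_san_entries(psn, san, per_psn_portals, shared_portals)
            for psn, san in san_by_psn.items()}


# Constructed deployment: mirrors the "hostname equals psnN -> portal profile N" rules.
PER_PSN_PORTALS = {
    "psn1": {"guest": "guestportal1.mydomain.local", "byod": "byodportal1.mydomain.local"},
    "psn2": {"guest": "guestportal2.mydomain.local", "byod": "byodportal2.mydomain.local"},
}
SHARED_PORTALS = ["sponsor.mydomain.local", "mydevices.mydomain.local"]  # round robin A records

# Constructed SAN lists: psn1 uses a wildcard, psn2 lists names and omits its BYOD one.
SAN_BY_PSN = {
    "psn1": ["psn1.mydomain.local", "*.mydomain.local"],
    "psn2": ["psn2.mydomain.local", "guestportal2.mydomain.local",
             "sponsor.mydomain.local", "mydevices.mydomain.local"],
}

if __name__ == "__main__":
    for psn, missing in audit(SAN_BY_PSN, PER_PSN_PORTALS, SHARED_PORTALS).items():
        print(psn, "missing:", missing or "none")
```

A client redirected to a name the PSN's certificate does not carry gets a browser certificate warning, so the audit flags psn2's missing BYOD FQDN before it surfaces as a failed onboarding.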

2 Replies

Hello Arne,

What you wrote makes sense. Thank you.