Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
946
Views
0
Helpful
3
Replies

ISE DNS Question For Guest Users

Dan Man
Level 1
Level 1

‎06-12-2014 07:41 AM - edited ‎03-10-2019 09:47 PM

Before I ask the question, let me explain our environment.

We have an internal 5508 controller.  We also have a 5508 DMZ controller that acts as an anchor controller.  Guest traffic is piped to the DMZ controller which provides the DHCP address, and DNS server information.  The DNS that we provide is our ISP provider DNS server information, to our guest wireless users.  There's no need to provide them with our internal DNS server information, since they're only going to the internet.

Here's my dilema.  We are now implementing the ISE appliances so that we can better control our guest users.  Currently, our guest SSID is wide open.  With the ISE, we're going to initially only do self-registration for guest users.  They will connect to our broadcasted SSID, when they connect to it, they will be presented with the guest portal.  There will be a link that allows them to go to a self-registration page.  The dilema is that the ISE appliances are a part of our internal 10.x.x.x network.  Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.

Would anyone have any suggestions on this?  I don't want to advertise our internal DNS servers to guest users.  Thanks for any help!

 

 

Labels:
0 Helpful
3 Replies 3

Dan Man
Level 1
Level 1

‎06-12-2014 09:59 AM

Thanks for any help!

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎06-18-2014 05:56 AM

check

https://supportforums.cisco.com/discussion/11744496/pb-reach-ise-guest-portal-due-dns-constraints

https://supportforums.cisco.com/discussion/12024986/cisco-ise-guest-portal-dns-issue-external-zone

0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎06-20-2014 12:08 AM

I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:

1. Take a physical port from your appliance and connect it to the DMZ

3. Give it an IP address that is resolvable from the public DNS server

3. Assign that physical port only to the guest HTTP service

 

On the other hand, you could also build a DNS server just for the guest users and stick in the DMZ :)

Not sure if this helps but just some food for thought.

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents