08-29-2018 12:51 PM
I was looking at a design where there is a foreign controller and an anchor controller in the DMZ.
I am unclear on some of the specifics of such a setup.
There is a PSN in the DMZ (single-homed) for guest hotspot/self-registration, and there are PSNs inside the firewall, as well as the PAN/MnT, etc.
Questions:
1) On the foreign controller, the auth/accounting is set to go to the internal PSN.
2) Should the anchor controller have auth/accounting set up to go to the DMZ PSN or the inside PSN? Or does it matter?
3) I heard only one of the PSNs needs accounting, so should accounting only be enabled for the anchor controller?
4) Is it best practice to put the guest VLAN on a different VLAN from the DMZ PSN, and then have an ACL that only allows guest connections to 8443 on the PSN in the DMZ?
It would be great to have a full working sample of such a configuration.
08-29-2018 01:23 PM
On the foreign controller you need to point auth/accounting to the guest PSN in the DMZ. Poke holes in the FW to allow UDP 1812/1813 to that PSN. On the anchor controller only auth should be sent to the guest PSN. Do not send accounting information.
I usually put the guest PSN in a different DMZ. You will need to allow the guest subnet to talk to 8443 (or whatever port you use for the guest portal). The guest PSN will need to be allowed to join the deployment, but does not need to join AD.
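Since the original poster asked for a working sample, here is one way to express the firewall rules from the reply above. This is an added example and not part of Paul's reply or any Cisco reference design: it assumes the "FW" is a Cisco ASA (the thread never names the firewall), and every interface name and address is made up (RFC 5737/1918 ranges) to stand in for your own. The CoA rule at the end is not discussed in the thread; it is included because a web-auth guest flow needs the PSN to re-authorize the client on the controller after portal login.

```cisco
! Added example, not from the thread. Assumed ASA interfaces and addressing:
!   inside   : ISE PAN/MnT, internal PSNs, foreign WLC   (10.0.0.0/8, assumed)
!   dmz-wlc  : anchor WLC                                (192.0.2.0/25, assumed)
!   dmz-ise  : guest PSN, single-homed, its own DMZ      (192.0.2.128/26, assumed)
!   guest    : guest client VLAN                         (198.51.100.0/24, assumed)

object network WLC_FOREIGN
 host 10.0.0.5
object network ISE_PAN
 host 10.0.0.20
object network WLC_ANCHOR
 host 192.0.2.10
object network ISE_GUEST_PSN
 host 192.0.2.130
object network GUEST_CLIENTS
 subnet 198.51.100.0 255.255.255.0
object network INTERNAL_NETS
 subnet 10.0.0.0 255.0.0.0
object network DMZ_NETS
 subnet 192.0.2.0 255.255.255.0

! Foreign WLC -> guest PSN: RADIUS auth (1812) AND accounting (1813).
! Use the numbers: the ASA named ports "radius"/"radius-acct" are 1645/1646.
access-list INSIDE_OUT extended permit udp object WLC_FOREIGN object ISE_GUEST_PSN eq 1812
access-list INSIDE_OUT extended permit udp object WLC_FOREIGN object ISE_GUEST_PSN eq 1813

! PAN -> guest PSN so the node can be registered and managed. The thread only says it
! must be allowed to join; add the remaining node-to-node ports for your ISE release
! from Cisco's ISE port reference rather than guessing them.
access-list INSIDE_OUT extended permit tcp object ISE_PAN object ISE_GUEST_PSN eq 443

! Anchor WLC -> guest PSN: auth only, no accounting (1813 deliberately absent).
access-list DMZ_WLC_OUT extended permit udp object WLC_ANCHOR object ISE_GUEST_PSN eq 1812

! Guest clients -> guest PSN: only the portal port (8443 is the ISE default), nothing
! else on the PSN, nothing internal, then out to the internet.
access-list GUEST_OUT extended permit tcp object GUEST_CLIENTS object ISE_GUEST_PSN eq 8443
access-list GUEST_OUT extended deny ip object GUEST_CLIENTS object ISE_GUEST_PSN
access-list GUEST_OUT extended deny ip object GUEST_CLIENTS object INTERNAL_NETS
access-list GUEST_OUT extended deny ip object GUEST_CLIENTS object DMZ_NETS
access-list GUEST_OUT extended permit ip object GUEST_CLIENTS any

! Guest PSN -> both controllers: RADIUS CoA (UDP 1700) so the portal login can
! re-authorize the client. Not covered in the thread, but required for web-auth guest.
access-list DMZ_ISE_OUT extended permit udp object ISE_GUEST_PSN object WLC_FOREIGN eq 1700
access-list DMZ_ISE_OUT extended permit udp object ISE_GUEST_PSN object WLC_ANCHOR eq 1700

access-group INSIDE_OUT in interface inside
access-group DMZ_WLC_OUT in interface dmz-wlc
access-group DMZ_ISE_OUT in interface dmz-ise
access-group GUEST_OUT in interface guest
```

The two points from the reply are visible in the rule set: the foreign controller is the only source allowed to send accounting (1813) to the guest PSN, and the guest VLAN can reach the PSN on 8443 and nothing else. Verify the ports actually in use before copying this: the portal port is whatever your guest portal is configured on, and the ISE release you run determines the node-to-node ports the PAN rule has to be widened to.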
08-29-2018 01:36 PM
Thanks Paul. Just wondering if pointing the foreign controller to the guest PSN is mandatory? As the guest PSN and internal PSN are just the same, and in a distributed environment, I thought any PSN can process an auth/accounting request?
08-29-2018 02:15 PM