ISE Guest deployment

Knutsen2004
Level 1

Hi,

I'm setting up ISE (1.3) in a distributed deployment with a primary and a secondary node.

Both nodes are running the Admin and PSN roles.

The two nodes are up and running and synchronised, and now I want to set up a CWA guest solution.

So my question is:

In case I need to fail over to the secondary node, how do we need to do the DNS registration of the portal URL?

Do I have to have a unique URL for each ISE, or do I need to set up the DNS pointing to both of the IP addresses that are set up on the interface of the ISE that is used for the guest portal?

And also a separate public cert on each ISE pointing to the CN?

Hope my question was understandable :)

2 Replies

Mark Massheder
Level 1

Hi Knutsen2004,

Please have a look at the following discussion, which may be of help here:

https://supportforums.cisco.com/discussion/12398846/need-suggestion-ise-distributed-deployment-model-two-different-data-centers

Thanks

Mark

Redundancy for the sponsor portal falls into two categories: with load balancers and without load balancers. In both two-node environments and environments with more than two nodes, the design is the same.

With network load balancers you simply create a VIP for port 8443 and use the PSNs as member servers. Then simply configure the DNS hostname that is configured in the sponsor portal to point to the VIP.

The other options are DNS based. You can simply have two A records for sponsor.example.com, and DNS will naturally round-robin between the records. The last option is to use a DNS load balancer to accomplish the same task as the round robin, but with more control over which record is used when.

As for the cert, the recommendation when using load balancers is to have a shared cert on all of your PSNs. The cert should contain both the FQDN of the sponsor portal and the hostnames of all of your PSNs if you are planning on using the same cert for EAP and not just HTTPS.

Here is the documentation on how to use F5 BIG-IP load balancers:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf
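The reply above describes the shared-cert design (one cert on every PSN whose SAN list covers the portal FQDN plus each PSN hostname) and the DNS round-robin option. The following added example, which is not code from the thread or from Cisco, does two things a practitioner would want before cutting over: it checks that a proposed SAN list actually covers every name the design needs (using RFC 6125-style matching, so a wildcard is accepted only for a single label), and it emits an openssl request config carrying that SAN list. It also models the round-robin caveat: DNS keeps handing out a dead node's address, so the client, not DNS, has to try the next record. All hostnames and addresses (sponsor.example.com, ise-psn1/2.example.com, 192.0.2.x) are assumptions for illustration.

```python
"""Added example, not from the forum thread or Cisco's ISE documentation.

Assumed names for illustration:
  sponsor portal FQDN : sponsor.example.com (VIP or two A records)
  PSN hostnames       : ise-psn1.example.com, ise-psn2.example.com
"""

SPONSOR_FQDN = "sponsor.example.com"                      # assumed
PSN_HOSTNAMES = ["ise-psn1.example.com", "ise-psn2.example.com"]  # assumed


def san_matches(san: str, hostname: str) -> bool:
    """Match one dNSName SAN against a hostname the way browsers do:
    case-insensitive, and a '*' only as the entire leftmost label,
    matching exactly one label (so *.example.com does not cover
    a.b.example.com or example.com itself)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]   # label(s) replaced by '*'
        return leftmost != "" and "." not in leftmost
    return san == hostname


def required_names(sponsor_fqdn=SPONSOR_FQDN, psn_hostnames=PSN_HOSTNAMES,
                   shared_with_eap=True):
    """Names the shared PSN cert must carry: the portal FQDN always, and
    every PSN's own hostname if the same cert also serves EAP."""
    names = [sponsor_fqdn]
    if shared_with_eap:
        names.extend(psn_hostnames)
    return names


def missing_names(cert_sans, sponsor_fqdn=SPONSOR_FQDN,
                  psn_hostnames=PSN_HOSTNAMES, shared_with_eap=True):
    """Return the required names that no SAN entry on the cert covers.
    An empty list means the cert is usable on every PSN for this design."""
    return [name for name in required_names(sponsor_fqdn, psn_hostnames,
                                            shared_with_eap)
            if not any(san_matches(san, name) for san in cert_sans)]


def openssl_san_config(cn: str, sans) -> str:
    """Build an openssl.cnf fragment for a CSR whose SAN list is `sans`.
    The CN is repeated in the SAN list because browsers ignore the CN and
    validate against SANs only.  Use with:
      openssl req -new -newkey rsa:2048 -nodes -keyout psn.key \
          -out psn.csr -config san.cnf"""
    names = [cn] + [s for s in sans if s.lower() != cn.lower()]
    lines = ["[req]", "distinguished_name = dn", "req_extensions = v3_req",
             "prompt = no", "", "[dn]", f"CN = {cn}", "",
             "[v3_req]", "subjectAltName = @alt_names", "", "[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(names, 1)]
    return "\n".join(lines) + "\n"


def pick_address(a_records, reachable):
    """Model of a client given several A records for the portal name.
    Plain DNS round robin is not health-aware: the dead PSN's address is
    still returned, so reaching the portal depends on the client trying
    the next record.  Returns the first reachable address, or None."""
    for addr in a_records:
        if addr in reachable:
            return addr
    return None


if __name__ == "__main__":
    proposed = ["sponsor.example.com", "ise-psn1.example.com"]
    print("missing from shared cert:", missing_names(proposed))
    print(openssl_san_config(SPONSOR_FQDN, PSN_HOSTNAMES))
    # Constructed A records and a constructed outage of the first PSN.
    records = ["192.0.2.11", "192.0.2.12"]
    print("client lands on:", pick_address(records, reachable={"192.0.2.12"}))
```

Run the check against the SAN list you intend to submit in the CSR; anything it reports as missing is a name that one PSN (or the portal itself) would present a non-matching cert for after failover. The `shared_with_eap=False` path reflects the reply's distinction: if the cert is for HTTPS only, the PSN hostnames are not required in it.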