Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2155
Views
5
Helpful
4
Replies
Highlighted
janvelgado_16
Beginner
Beginner
‎10-03-2018 10:09 AM
‎10-03-2018 10:09 AM

ISE Guest portal FQDN pointing to 2 IP Address

Hello,

 

Have anyone tried setting up a guest portal FQDN mapped into two different IP address in which these two IP address corresponds to the IP address of PSN nodes?

 

Let's say for example

PSN1: 1.1.1.1

HOSTNAME: psn1ise.company.com

 

PSN2: 1.1.1.2

HOSTNAME: psn2ise.company.com

 

Guest portal uses fqdn:port policy

ex. FQDN: guest.company.com

 

nslookup guest.company.com shows both the IP address of PSN 1 and PSN 2.

 

same guest cert installed on both psn1 and psn2. 

 

I have found this guide https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html but it will need new cert, new fqdn and additional alias.

 

Hoping to hear from you ISE masters. Thank you. 

 

JAN

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
‎10-03-2018 10:15 AM
‎10-03-2018 10:15 AM

Correct that’s the way you do it. Yes you will need to change cert so the client trusts it.

View solution in original post

0 Helpful
Reply
4 REPLIES 4
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
‎10-03-2018 10:15 AM
‎10-03-2018 10:15 AM

Correct that’s the way you do it. Yes you will need to change cert so the client trusts it.

View solution in original post

0 Helpful
Reply
Highlighted
x00008037
Beginner
Beginner
In response to Jason Kunst
‎05-08-2019 06:35 AM
‎05-08-2019 06:35 AM

How would this work if the client is redirected to the guest portal.cwa, As the client https request needs to land on the same psn the radius request landed on.? How would you hide the psn fqdn in the redirect url?

0 Helpful
Reply
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
In response to x00008037
‎05-10-2019 04:47 AM
‎05-10-2019 04:47 AM

You can’t hide the host it’s communicating to. Would recommend a certificate with a wildcard in the San

More information available under admin guide for certificates
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html#concept_8B6D9760C14344EC972B2DD81876328B
Reply
Highlighted
Massimo Baschieri
Participant
Participant
‎10-03-2018 09:31 PM
‎10-03-2018 09:31 PM

If you do not want to re issue certificates and you have spare public ip addresses you can also nat 1:1 the ise guest ip addresses and let dns doctoring do the trick.

You need however to register an A record for each ise on your public dns server.

It also works registering A records on your public dns server pointing to the real (internal) ip addresses of ise guest interfaces, this permits you to save public addresses.

This way, however, securitywise guys could argue that you are disclosing internal resources.

0 Helpful
Reply
Latest Contents
SSL Certificate on ASA - Missing something?
Created by machine23 on 01-16-2021 11:15 AM
2
0
2
0
Hello All ,  I have added an SSL cert for the ASA - ciscoasa.ladderbar.com (195.36.189.55) and applied the certificate on the SSL settings on the ASA so when users use anyconnect using the DNS name (ciscoasa.ladderbar.com) it works good and no r... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:46 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
Content for Community-Ad