Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1245
Views
5
Helpful
1
Replies

ISE Guest portal is not working for Guest in separate VRF

rajulpar
Cisco Employee
Cisco Employee

‎11-17-2019 01:44 AM - edited ‎11-18-2019 06:32 PM

Hello,


I'm working on a deployment where we need to redirect wireless guests to a web portal for authentication. We're using CWA - the radius server sends a url-redirect to the NAD ( Meraki AP ) , as well as the url-redirect acl that is meant to specify the traffic to be redirected.


Guest network is separate than Office network hence there are two VRFs ( Office VRF and Guest VRF ).
Guest is accessing internet via separate FW than Office network FW.

I have came up with following traffic flow based on my understanding for current setup and have configured ISE interface as below.

 

 

 

 

Eth0 – Mgmt + RADIUS interface
!
Hostname : ComISE
!
interface GigabitEthernet 0
ip address 10.18.77.141 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
!
Eth4 – Guest interface for Guest portal
!
ip host 10.81.55.141 iseguest iseguest.com.net

interface GigabitEthernet 4
ipv6 address autoconfig
ipv6 enable
ip address 10.81.55.141 255.255.255.0
no shutdown
!
ip route 10.82.152.0 255.255.255.0 gateway 10.81.55.10 à Static route to Guest Subnet
!
Issue : Guest Portal is not working from the Guest PC though PSN sends RADIUS access-accept with the redirect URL and ACL to the Meraki AP via interface eth4 . ( as per ISE log )

Flow should be as below if I am not wrong : Can you please help me to validate ?

1. Initial Request goes to Meraki AP and Meraki AP sends MAB request via office VRF on eth0 of ISE
2.ISE triggers the initial Auth_Z with redirect ACL on eth4 hence traffic flow from Guest VRF backs to NAD
3.Guest should be redirected to Guest portal ( hence Meraki AP should have reachability to guest portal which has been configured on eth4)
4.Guest uses username/password provided by sponsor
5 CoA happens with full ACL via PSN on eth0 / office VRF as guest has been identified in ISE database.

I have done trouble shoot to identify the issue :

- ISE can reach to guest subnet gateway via eth0 
- ISE can reach to Guest interface subnet gateway 

- Guest can reach to ISE on guest interface 
- I can ping Meraki ( NAD) from ISE 
 -I use Guest portal on eth0 ( office VRF ) and use office subnet as a guest subnet then guest can open the guest portal.

Do you think following should be an issue ?

Meraki AP NAD does not have reachability to guest interface eth4? Or Meraki AP is not learning routes to reach Guest portal IP
Access switch, where Meraki is connected not propagating guest interface IP (from Guest VRF ) in to office VRF where Meraki is seating ?
There should be some routing between Guest VRF and Office VRF so NAD ( Meraki AP ) can reach the guest portal ?

 

Any thought or recomondation ?

0 Helpful
1 Reply 1

Mike.Cifelli
VIP Alumni
VIP Alumni

‎11-18-2019 10:19 AM

Meraki AP NAD does not have reachability to guest interface eth4? Or Meraki AP is not learning routes to reach Guest portal IP
Access switch, where Meraki is connected not propagating guest interface IP (from Guest VRF ) in to office VRF where Meraki is seating ?
There should be some routing between Guest VRF and Office VRF so NAD ( Meraki AP ) can reach the guest portal ?

For your scenario the guest client hanging off the meraki AP that matches the guest authz profile in ISE with the redirect acl + guest portal has to be able reach the guest portal IP address. Note that if you are trying to get there by name then your host must be able to resolve the name via your internal dns or locally via hosts file. With that said, I absolutely think that what you stated above is your issue. Good luck & HTH!
Customers Also Viewed These Support Documents