Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3578
Views
0
Helpful
3
Replies

ISE Guest Portal Redirection issue with Chrome Browser..

Go to solution
prashantk
Level 1
Level 1

‎06-27-2019 04:44 AM


Hello All,

We are facing the issue with Guest portal redirection and authentication with Chrome Browser.

At the time of installation we kept the domain name for AD is ad.xyz.local.

 

But once we click on Guest SSID we are getting "gstatic error" and portal window doesn't come up.

 

To overcome on this issue, Cisco TAC suggessted us to use Trusted Public CA certificate.

 

But certificate provider doesn't provide the public CA Certificate for .local domain.

 

Our client uses WLC 5520 with version 8.8.111 and ISE 2.4.0.357 Patch 4 and does't want to downgrade.

 

What could be the possible solution on this issue, so that we can get the successful redirection and authentication on GuestPortal Window.

 

Changing domain name from xyz.local to xyz.ac.in (as per client request) will disturb the whole setup. As our AD domain xyz.local sync with other resources too.

 

Can ISE with multiple domain will resolve this Guest Portal issue? if yes how can we achieve this? so that we can get *.xyz.ac.in certs signed by Trusted Public CA and hence we can achieve our target.

 

Pls suggest the solution.


Thanks & Regards,

Prashant

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
craig.beck
Level 1
Level 1

‎06-27-2019 08:00 AM

AD domain and portal URL domain are not the same thing. You can have ISE looking at AD with .local suffix and guest portal certificate with .com suffix and not upset much. The only config you'd need to change is the static redirection option in the Authz profile that sends the redirect URL.

 

DNS resolution is the only thing you need to really worry about, but you can easily create a pinpoint zone on your DNS server for the hostname you assign to the guest portal so resolution for everything else is untouched.

 

Also, the domain you configure on ISE in the CLI doesn't affect AD integration either. You can have the ISE CLI configured with domain1.local and the AD connector looking at domain2.local with no issues. Remember, ISE can join multiple AD domains, but you can only configure one domain name in the ISE CLI. This means you could relatively-safely change the ISE CLI domain name to suit your guest portal and the AD connector wouldn't be affected. Again, DNS would need to be able to resolve correctly but pinpoint zones are your answer there too.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
craig.beck
Level 1
Level 1

‎06-27-2019 08:00 AM

AD domain and portal URL domain are not the same thing. You can have ISE looking at AD with .local suffix and guest portal certificate with .com suffix and not upset much. The only config you'd need to change is the static redirection option in the Authz profile that sends the redirect URL.

 

DNS resolution is the only thing you need to really worry about, but you can easily create a pinpoint zone on your DNS server for the hostname you assign to the guest portal so resolution for everything else is untouched.

 

Also, the domain you configure on ISE in the CLI doesn't affect AD integration either. You can have the ISE CLI configured with domain1.local and the AD connector looking at domain2.local with no issues. Remember, ISE can join multiple AD domains, but you can only configure one domain name in the ISE CLI. This means you could relatively-safely change the ISE CLI domain name to suit your guest portal and the AD connector wouldn't be affected. Again, DNS would need to be able to resolve correctly but pinpoint zones are your answer there too.

0 Helpful

Go to solution
prashantk
Level 1
Level 1
In response to craig.beck

‎06-28-2019 09:19 PM

Hello Craig,

Thanks for your suggestion and valuable time.

I have some doubts regarding pinpoint zone.

  • Our primary domain name is “xyz.local” assigning to the IP A.B.C.D.
  • If I created the pinpoint zone under DNS >> Forward lookup >> Name of zone “ise.xyz.ac.in” assigning the IP same as “xyz.local” which is A.B.C.D.
  • ISE Side under web redirection for CWA, we have kept under static IP/Host Name/FQDN – “A.B.C.D”.
  • We have installed the public CA Certs for ise.xyz.ac.in for Guest Portal only and tag it with “XYZPortal” which is assigned to our Self Registered Guest Portal. Save.
  • Will this accept my Public CA certs in this redirection scenario??
  • Will this impact the current AD USER with ISE? because we have the same IP for both “xyz.local” (Root Domain) and “ise.xyz.ac.in” (Pinpoint zone domain).
  • Kindly verify my sequence of configuration, and pls let me know, if I need to change configuration in either side.

 

Thanks & Regards,

Prashant

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to prashantk

‎07-01-2019 09:53 PM

That should work fine. Ideally, split the DNS resolutions; e.g. use DNS views (see Understanding views in BIND 9, by example) or use different DNS servers for the guest users.

Below some previous discussions might help, as well:

 

0 Helpful
Customers Also Viewed These Support Documents