06-27-2019 04:44 AM
Hello All,
We are facing an issue with Guest portal redirection and authentication with the Chrome browser.
At the time of installation we kept the domain name for AD as ad.xyz.local.
But once we click on the Guest SSID we get a "gstatic error" and the portal window doesn't come up.
To overcome this issue, Cisco TAC suggested that we use a trusted public CA certificate.
But the certificate provider doesn't provide a public CA certificate for a .local domain.
Our client uses a WLC 5520 with version 8.8.111 and ISE 2.4.0.357 Patch 4 and doesn't want to downgrade.
What could be the possible solution to this issue, so that we can get successful redirection and authentication on the Guest Portal window?
Changing the domain name from xyz.local to xyz.ac.in (as per the client's request) will disturb the whole setup, as our AD domain xyz.local syncs with other resources too.
Can ISE with multiple domains resolve this Guest Portal issue? If yes, how can we achieve this, so that we can get *.xyz.ac.in certs signed by a trusted public CA and hence achieve our target?
Please suggest a solution.
Thanks & Regards,
Prashant
06-27-2019 08:00 AM
AD domain and portal URL domain are not the same thing. You can have ISE looking at AD with .local suffix and guest portal certificate with .com suffix and not upset much. The only config you'd need to change is the static redirection option in the Authz profile that sends the redirect URL.
DNS resolution is the only thing you need to really worry about, but you can easily create a pinpoint zone on your DNS server for the hostname you assign to the guest portal so resolution for everything else is untouched.
Also, the domain you configure on ISE in the CLI doesn't affect AD integration either. You can have the ISE CLI configured with domain1.local and the AD connector looking at domain2.local with no issues. Remember, ISE can join multiple AD domains, but you can only configure one domain name in the ISE CLI. This means you could relatively safely change the ISE CLI domain name to suit your guest portal and the AD connector wouldn't be affected. Again, DNS would need to be able to resolve correctly, but pinpoint zones are your answer there too.
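As an added illustration of the pinpoint-zone approach described above (example code, not from this thread or from Cisco), here is what that looks like on a Windows DNS server, which is the usual DNS for an AD domain like the one in the question. Everything below is an assumption chosen to match the question: the guest portal FQDN is guest.xyz.ac.in (the public-CA certificate's SAN must carry this name, and a *.xyz.ac.in wildcard covers it), the ISE PSN interface serving the portal is the placeholder 10.0.0.10, and the DnsServer PowerShell module is available. The point of a pinpoint zone is that the zone name is the hostname itself, so only that one name is answered locally and the rest of xyz.ac.in keeps resolving wherever it did before.

```powershell
# Added example (not from the thread): create a pinpoint DNS zone on a Windows DNS
# server so that only the guest-portal FQDN is answered locally, while the parent
# public domain (xyz.ac.in) keeps resolving normally for everything else.
#
# Assumptions (placeholders, not values taken from the thread):
#   - guest portal FQDN : guest.xyz.ac.in  (must be in the SAN of the public-CA portal cert)
#   - ISE PSN address   : 10.0.0.10        (interface that serves the guest portal)
#   - the DNS server is the AD-integrated Windows DNS that guest clients query
#   - the DnsServer PowerShell module (Windows Server / RSAT) is installed

$PortalFqdn = 'guest.xyz.ac.in'
$PortalIp   = '10.0.0.10'

# A pinpoint zone is a zone whose name IS the hostname. It only ever holds apex
# records, so no zone for xyz.ac.in is created and nothing else in that domain
# is affected. ReplicationScope 'Domain' stores it in AD like the other zones;
# use -ZoneFile instead on a stand-alone DNS server.
if (-not (Get-DnsServerZone -Name $PortalFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PortalFqdn -ReplicationScope 'Domain'
}

# Apex A record ('@'): clients asking for guest.xyz.ac.in get the PSN address.
if (-not (Get-DnsServerResourceRecord -ZoneName $PortalFqdn -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $PortalFqdn -Name '@' -IPv4Address $PortalIp
}

# Verification: the portal name resolves to the PSN, and an unrelated host in the
# same public domain still resolves through normal recursion, which shows the
# parent domain was left intact.
Resolve-DnsName -Name $PortalFqdn -Type A
Resolve-DnsName -Name 'www.xyz.ac.in' -Type A
```

Two things have to line up with this zone for the redirect to stop throwing the certificate error: the web-redirection setting in the ISE authorization profile (the static host name option Craig mentions) must send clients to guest.xyz.ac.in rather than to the PSN's .local name or IP, and the portal certificate bound to that PSN must have guest.xyz.ac.in in its SAN. If guest clients use a different resolver than the corporate one, the same pinpoint record has to exist there too.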
06-28-2019 09:19 PM
Hello Craig,
Thanks for your suggestion and valuable time.
I have some doubts regarding pinpoint zones.
Thanks & Regards,
Prashant
07-01-2019 09:53 PM
That should work fine. Ideally, split the DNS resolutions; e.g. use DNS views (see Understanding views in BIND 9, by example) or use different DNS servers for the guest users.
Below some previous discussions might help, as well: