
ISE Portals

KevinR99
Level 1

Hi

Before I start describing my issues, can someone confirm I can do the following?

I want to enable 2 Guest portals on ISE but host them on different interfaces.  So, for example, a sponsored portal for day-to-day visitors.  I want to enable that on G1, which I have assigned an IP address to, and on any port, let's say 8999.  I then want to enable a second portal for trusted contractors on G2 and have them use the self-registered portal.  So I put an IP address on G2 and use port 8888.  The ports are arbitrary.  I then create 2 SSIDs and point them to ISE.  Based on the Called-Station-ID I either send them to an authorization rule for the portal on G1 or the one on G2.  The users will be in the same subnet as the portal they should go to, so no routing issues.  So is this a supported method?  I don't see why it wouldn't be.

Usually I can get one portal working.  Then as soon as I try to get the second one working I get all sorts of issues with redirection failing.  Not sure if this is a valid troubleshooting step, but when I go to the ISE CLI and look for ports 8999 and 8888 with "show ports" I sometimes see them attached to the wrong IP address.  Sometimes I see the port attached to the Gig0 address.  What I also noticed is that when I first boot up the ISE and try to connect to a previously working portal it fails.  If I then edit the portal and simply change its port it kicks into life.

The next issue I get is when I have a portal working: I usually test with Windows and Android to start with.  This works.  However, when I try an iPhone or iPad, redirection doesn't kick in.  I have found a few references to issues with ISE 3.1 and the Apple mini-browser, but I tried workarounds such as adding some script to the optional content 2 area of the portal or selecting Captive Portal bypass in the global parameter map of my Cat9800.  Neither seems to work.  So considering most of my Guests will be unknown devices and a great many of them will be Apple of some sort, I can't roll this out until I get a stable working portal on all types of clients.

Any help would be greatly appreciated, Kev.

7 Replies

Arne Bier
VIP

Hi Kev,

By any chance, are you running the portal on a node that is also acting as the PAN? Or is this a dedicated PSN?

Arne

This is a standalone node I am testing on.

Thanks, Kev.

ISE allows you to enable different interfaces that will be used only for guest user traffic.

- The guest portal redirects to the FQDN and configured port.  Have you configured the FQDN per IP address on the ISE?

For CWA using a particular interface, please refer to this: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20/Cisco_ISE_CLI_Commands_in_Configuration_Mode.html#wp5773065010

You need to configure the ip host [host alias/fqdn] command on ISE and then restart the ISE service to set the interface for CWA.

- Otherwise, try replacing the FQDN with the IP address in the browser when accessing the portal.

- Make sure to map the correct certificate on the portal as well.


Poongarg

Thank you for your reply.  I have done all of the suggestions in your response.  The main issue is that the portal fails to respond frequently, usually on first boot but sometimes after changing portal settings.  When I put a wired device on the same subnet and try to telnet to the portal on its port, the ISE rejects the connection with a TCP reset.  All I need to do to get it to work is simply change the portal port and wait a few minutes.

The Apple issue I had has been resolved with a WLC upgrade, but I can't find any bug related to the code I was using.  To be honest, I'm not spending more time on that.  I have a working version with redirection happening correctly on all my devices, apart from occasionally needing to change the portal port.

Kev.
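The checks discussed in the two posts above (does the redirect FQDN point at the right ISE interface, and does that interface actually answer on the portal port or reset the connection) can be run from a wired client on the guest subnet. The script below is an added example; it is not from the thread and not Cisco code. The portal FQDN, interface address and port are assumptions supplied on the command line, the 192.0.2.x addresses in the demo are constructed, and the ISE `ip host` command only controls the FQDN ISE puts in the redirect URL, so the guest client still has to resolve that FQDN to the interface address itself, which is why both DNS and the TCP/TLS probe are checked separately.

```python
"""Check an ISE guest-portal redirect target from a client on the guest subnet.

Added example; not from the original thread and not Cisco code.  The portal
FQDN, the IP of the ISE interface the portal should be bound to, and the
portal port are assumptions passed on the command line, e.g.

    python3 portal_check.py guest.example.com 192.0.2.70 8999
"""
import socket
import ssl
import sys
from typing import Callable, List

# Finding codes.  Constants rather than free text so callers can match on them.
OK = "ok"
DNS_MISMATCH = "dns: fqdn does not resolve to the portal interface ip"
TCP_REFUSED = "tcp: connection reset, nothing listening on that ip:port"
TCP_TIMEOUT = "tcp: connect timed out (routing, acl or wrong interface)"
TCP_ERROR = "tcp: connect failed"
CERT_MISMATCH = "tls: certificate does not cover the portal fqdn"
CERT_UNTRUSTED = "tls: certificate chain not trusted by this client"
TLS_FAILED = "tls: handshake failed"

X509_V_ERR_HOSTNAME_MISMATCH = 62  # OpenSSL verify code surfaced by Python's ssl module


def resolve_all(fqdn: str) -> List[str]:
    """All addresses this client's resolver returns for fqdn (empty if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def probe(ip: str, port: int, fqdn: str, timeout: float = 3.0) -> str:
    """TCP connect to ip:port, then a TLS handshake with SNI=fqdn, verified
    against this client's trust store with hostname checking on, the way a
    guest browser would.  Returns one finding code."""
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except ConnectionRefusedError:
        return TCP_REFUSED          # RST: no listener on this ip:port
    except (TimeoutError, socket.timeout):
        return TCP_TIMEOUT
    except OSError:
        return TCP_ERROR
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=fqdn):
            return OK
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so first
        if exc.verify_code == X509_V_ERR_HOSTNAME_MISMATCH:
            return CERT_MISMATCH
        return CERT_UNTRUSTED
    except ssl.SSLError:
        return TLS_FAILED
    finally:
        raw.close()


def diagnose(fqdn: str, expected_ip: str, port: int,
             resolver: Callable[[str], List[str]] = resolve_all,
             prober: Callable[[str, int, str], str] = probe) -> List[str]:
    """Finding codes for one portal; an empty list means the target is healthy.
    The probe goes to expected_ip on purpose (not to whatever DNS returned) so a
    portal bound to the wrong interface is reported separately from a DNS problem."""
    findings = []
    if expected_ip not in resolver(fqdn):
        findings.append(DNS_MISMATCH)
    outcome = prober(expected_ip, port, fqdn)
    if outcome != OK:
        findings.append(outcome)
    return findings


def demo() -> List[str]:
    """Offline run against constructed fakes that mimic the symptom in the thread:
    the portal FQDN still resolves to the Gig0 address, and the portal port on the
    intended interface answers with a reset.  Returns the finding codes."""
    fake_resolver = lambda fqdn: ["192.0.2.10"]       # constructed: Gig0 address
    fake_prober = lambda ip, port, fqdn: TCP_REFUSED  # constructed: RST on G1:8999
    return diagnose("guest.example.com", "192.0.2.70", 8999, fake_resolver, fake_prober)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(__doc__)
        print("offline demo:", demo())
        sys.exit(2)
    fqdn, ip, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    result = diagnose(fqdn, ip, port)
    print(f"{fqdn} -> {resolve_all(fqdn)}; probing {ip}:{port}")
    for code in result or [OK]:
        print(" ", code)
    sys.exit(1 if result else 0)
```

A reset on the portal port (TCP_REFUSED) means nothing is listening on that address and port at that moment, which is the same condition the telnet test in the post above shows; a timeout instead points at routing or an ACL between the client and the interface, and a hostname mismatch means the certificate mapped to the portal does not cover the FQDN in the redirect URL.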

Hello Kev,

Thanks for your post. 

What version was your WLC on before the upgrade, and what did you upgrade to that fixed it?

Thanks again Kev.


hslai
Cisco Employee

@KelvinT If the WLC is a 9800, possibly CSCvz93375, which affects IOS-XE 17.6.1.

Thanks for that.  I was running 17.5.1 when I saw the problem and now run 17.7.1.

That bug looks to be the problem.

I appreciate your input, Kev.