ISE url-redirect CWA to Gig1

trevorjenix
Level 1

Hello,

Say I want to have five ISE 1.3 nodes behind a load balancer. I want only G0 behind the LB, and the G1 interfaces will be dedicated for certain things. Specifically, I want to use the G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc.). RADIUS auth will happen through the LB on G0 of some specific PSN, and that PSN will url-redirect the user to the CWA URL.

How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check the result authorization profile, there is no option there; it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.

So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?

But then, why does it let me choose multiple interfaces, what happens if I select all of them?

Am I missing another spot in ISE admin where I can control this?

Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?

Thanks!


5 Replies

nspasov
Cisco Employee

Take a look at the following document:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf

Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:

• Cisco ISE management is restricted to Gigabit Ethernet 0.

• RADIUS listens on all network interface cards (NICs).

• All NICs can be configured with IP addresses.

So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 

I hope this helps!


Thank you for rating helpful posts!

Neno, each portal can have one or more interfaces checked in the configuration. Let's say all four of them have an IP address assigned. If I check Gig1 and Gig2 in the portal configuration, which of these interfaces will the ISE RADIUS process choose for redirecting the client's web browser to? I know I could test this, but I'm wondering what the logic is here: what's the point of giving the capability to check more than one interface in the portal configuration?

I would personally not assign more than one interface. I could see this being useful if ISE supported port-channels or redundant interfaces but ISE does not. I suppose you could IP both interfaces and have them available via DNS and have them load balance the sessions but DNS load balancing comes with its own set of issues and caveats. 

Not sure if this was the answer you were looking for, but that is all I have :)


Thank you for rating helpful posts!

Unfortunately, it doesn't answer it. It's probably my fault for not asking the question correctly. Let me break it down a little:

Client connects, NAD begins RADIUS with ISE, ISE policy determines the client to go to CWA, so it sends RADIUS response with a URL-redirect. ISE decides what URL to put in the URL-redirect field. How does it decide it? How does it choose its own IP address if it has multiple interfaces enabled for CWA portal? That's what I'm trying to figure out.

Check the following link, which explains the same:

https://supportforums.cisco.com/discussion/12498076/how-does-ise-choose-which-ip-put-url-redirect-response
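The question in this thread is which of its own addresses a PSN places in the url-redirect AV pair. One way to answer it empirically, as an added example that is not part of the thread, is to audit the Access-Accept lines from a RADIUS debug and check whether each redirect target is on the dedicated portal NIC, the management NIC, or an expected FQDN. The log lines, the address ranges, and the FQDN below are constructed for illustration and are not from the original post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of Access-Accept lines carrying a CWA redirect.
# The session ids, addresses and hostname are made up for this example.
SAMPLE_LOG = """\
Access-Accept sessionId=0A0A0A01000000A1 cisco-av-pair=url-redirect=https://10.10.1.21:8443/portal/gateway?sessionId=0A0A0A01000000A1&portal=cwa&action=cwa
Access-Accept sessionId=0A0A0A01000000A2 cisco-av-pair=url-redirect=https://10.10.0.11:8443/portal/gateway?sessionId=0A0A0A01000000A2&portal=cwa&action=cwa
Access-Accept sessionId=0A0A0A01000000A3 cisco-av-pair=url-redirect=https://guest.example.com:8443/portal/gateway?sessionId=0A0A0A01000000A3&portal=cwa&action=cwa
"""

# Assumed addressing: Gig0 is the management NIC behind the LB, Gig1 is the
# dedicated portal NIC, and guest.example.com is the name an "ip host" entry
# would make ISE return instead of a raw address.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
PORTAL_NET = ipaddress.ip_network("10.10.1.0/24")
PORTAL_FQDNS = {"guest.example.com"}

_AVPAIR = re.compile(r"url-redirect=(\S+)")
_SESSION = re.compile(r"sessionId=(\w+)")


def classify_redirect(url):
    """Return (host, port, verdict) for one url-redirect value."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat it as an FQDN and check it against the allowed set.
        return host, port, "ok-fqdn" if host in PORTAL_FQDNS else "unexpected-fqdn"
    if addr in PORTAL_NET:
        return host, port, "ok-portal-nic"
    if addr in MGMT_NET:
        return host, port, "mgmt-nic"
    return host, port, "unknown-ip"


def audit(log_text):
    """Map sessionId -> (host, port, verdict) for every line with a url-redirect."""
    results = {}
    for line in log_text.splitlines():
        sess, av = _SESSION.search(line), _AVPAIR.search(line)
        if sess and av:
            results[sess.group(1)] = classify_redirect(av.group(1))
    return results


if __name__ == "__main__":
    for sid, (host, port, verdict) in audit(SAMPLE_LOG).items():
        print(f"{sid}: {host}:{port} -> {verdict}")
```

A "mgmt-nic" verdict on a session means the PSN redirected to Gig0 rather than the portal interface, which is exactly the behaviour the original poster wanted to rule out.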