Load balanced Hotspot portal in a distributed environment

Greetings,

Could you advise how to create the Authorization Policy for a hotspot portal in a distributed environment with 2x PSN.

Our 802.1x network works pretty well, but I am having problems provisioning the hotspot portal for guest people.

Guest endpoint would see Hotspot as guest.company.com (public address) which load-balances to ise01.corp.company.com and ise02.corp.company.com (private addresses).

Any insight will be appreciated.

Edouard.

Accepted Solution

Arne Bier
VIP

Hi @EdouardZorrilla0939 

The challenge with ISE and Guest Portals is that the PSN (Policy Node) which gets chosen by the WLC/Switch as the AAA server, must return a URL that contains that PSN's FQDN so that the client device can establish a TCP connection back to the Guest Portal on that PSN. I think in principle it should work, that if the WLC/Switch has the ability to select servers in a round-robin manner from a RADIUS Server Group, then you could achieve a load balancing effect during the MAB stage. Guest Portal authentications are MAB requests that either cause ISE to Allow the user (apply ACL for Internet) or to redirect the user to a Portal (apply redirect ACL and return redirect URL to point back to that same PSN).

I have never tried the IOS/IOS-XE RADIUS load balancing feature (it does exist) and I would strongly urge that you test all scenarios. I don't know if load balancing would work on EAP-based authentications because you really need to send the entire conversation to the same PSN (and EAP conversations contain many messages).

As for having a single guest.company.com - that's never going to happen unless you have a dedicated load balancer to which your WLC/Switches send all RADIUS requests. That load balancer must be smart enough to know which client is talking to which PSN - because when guest.company.com points to the load balancer, it then needs to re-build that TCP connection to the correct PSN that handled the MAB request. With two PSNs, this is usually not worth it. Think about it - the client makes a DNS request for guest.company.com and the PC/client has to get an IP address back to start building the TCP connection - there can be only one choice - load balancer. And the load balancer must then do the right thing.
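The two designs Arne contrasts, modelled as an added example that is not from this thread or from Cisco: each PSN answers MAB and owns only the portal sessions it created, so a redirect URL naming the PSN's own FQDN always lands on the right node, whereas a single guest.company.com in front of both PSNs only works if the load balancer keeps session-to-PSN affinity. The PSN FQDNs follow the question; the MAC addresses, port 8443 and the affinity mechanism are constructed assumptions.

```python
from itertools import cycle
from urllib.parse import urlsplit

PSN_FQDNS = ["ise01.corp.company.com", "ise02.corp.company.com"]
# Constructed guest MACs, as the WLC would send them in MAB requests.
MACS = [f"aa:bb:cc:00:00:0{i}" for i in range(1, 5)]

class Psn:
    """A Policy Service Node: answers MAB and owns the portal sessions it creates."""
    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.sessions = {}  # session id -> client MAC; not shared with the other PSN

    def handle_mab(self, mac, known_guests):
        # Known guest: ACCESS-ACCEPT with the Internet ACL, no portal involved.
        if mac in known_guests:
            return {"result": "ACCEPT", "acl": "GUEST_INTERNET"}
        # Unknown guest: redirect ACL plus a URL that names THIS node's FQDN.
        sid = f"{self.fqdn}-{len(self.sessions) + 1}"
        self.sessions[sid] = mac
        return {"result": "REDIRECT", "acl": "REDIRECT_ACL", "session": sid,
                "url": f"https://{self.fqdn}:8443/portal/?sessionId={sid}"}

    def serve_portal(self, sid):
        return sid in self.sessions  # only the node that redirected knows the session

def make_psns():
    return [Psn(f) for f in PSN_FQDNS]

def direct_flow(psns, macs, known_guests=frozenset()):
    """WLC round-robins MAB across PSNs; the client follows the FQDN in the URL.
    Returns how many redirected clients reached the portal holding their session."""
    nas_pick, served = cycle(psns), 0
    for mac in macs:
        reply = next(nas_pick).handle_mab(mac, known_guests)
        if reply["result"] == "REDIRECT":
            host = urlsplit(reply["url"]).hostname
            served += next(p for p in psns if p.fqdn == host).serve_portal(reply["session"])
    return served

def lb_flow(psns, macs, sticky):
    """One guest.company.com on a load balancer. sticky=True assumes the LB learned
    session->PSN affinity from the RADIUS exchange; otherwise it picks on its own."""
    nas_pick, lb_pick, affinity, served = cycle(psns), cycle(psns[::-1]), {}, 0
    for mac in macs:
        node = next(nas_pick)
        reply = node.handle_mab(mac, frozenset())
        affinity[reply["session"]] = node
        target = affinity[reply["session"]] if sticky else next(lb_pick)
        served += target.serve_portal(reply["session"])
    return served
```

With four unknown guests, direct_flow serves all four portal sessions, while lb_flow serves four only when sticky and none when the balancer picks independently of the MAB exchange.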

