10-01-2018 03:06 PM
I have two ISEs. Primary PAN, Secondary Mnt, Active PSN on ISE01 (192.168.1.10). Secondary PAN, Primary Mnt, Active PSN on ISE02 (192.168.1.20).
I have set up BYOD, but for the My Devices portal I can only set the FQDN under the Portal Settings. For this example it's mydevices.test.com
All this works OK as I have DNS resolving mydevices.test.com to 192.168.1.10. But how do I make this work for the second ISE node? The FQDN has to be mydevices.test.com. I don't have any loadbalancers.
I can get the CWA for BYOD to work on both ISEs by using two separate authz profiles and identifying the request based on the source ISE. The authz profile for BYOD redirect has the option to set a static FQDN which can be used in a rule and modified to suit the ISE. So ISE1 has byod1.test.com and ISE2 has byod2.test.com. The authz rules match the source ISE and apply the corresponding BYOD CWA.
But I can't see how to do this for the mydevices portal. I thought of just using two DNS records pointing to the same FQDN but don't think that is the correct way to do it.
Any help on this one?
10-02-2018 10:37 AM
Just do the URL override in the portal redirection. Set up two DNS names, byodportal1.mycompany.com and byodportal2.mycompany.com, and map them to each PSN. Then build two redirect authorization profiles, one that uses byodportal1 and one that uses byodportal2. Finally build your policy set rules:
if network access ISE hostname equals psn1 then use authorization profile byodportal1
if network access ISE hostname equals psn2 then use authorization profile byodportal2
If you are talking about the MyDevices portal outside of the BYOD flow then you can just map the FQDN to both PSN IPs and let DNS figure it out.
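As an added example (not from the thread or from Cisco), a Python check of the DNS layout described in this answer: each byodportalN name must resolve only to its own PSN, the My Devices FQDN must resolve to both PSNs, and each PSN's portal certificate must list every FQDN that can land on it, or redirected clients get a certificate warning. The IP addresses and FQDNs reuse the thread's values; the SAN lists and the injectable resolver are assumptions so the check can run offline.

```python
"""Validate the two-PSN portal DNS layout: one BYOD FQDN per PSN and a
round-robin My Devices FQDN. The resolver is injected so tests run offline."""
import socket
from typing import Callable, Dict, List, Set

# Constructed sample values matching the deployment in the thread.
PSN_IPS = {"psn1": "192.168.1.10", "psn2": "192.168.1.20"}

# Expected layout: portal FQDN -> set of PSN names it may resolve to.
EXPECTED = {
    "byodportal1.mycompany.com": {"psn1"},
    "byodportal2.mycompany.com": {"psn2"},
    "mydevices.test.com": {"psn1", "psn2"},
}


def live_resolve(fqdn: str) -> Set[str]:
    """Real resolver: every A record returned for fqdn."""
    return set(socket.gethostbyname_ex(fqdn)[2])


def check_portal_dns(expected: Dict[str, Set[str]], psn_ips: Dict[str, str],
                     resolve: Callable[[str], Set[str]] = live_resolve) -> List[str]:
    """Return findings (empty list means DNS matches the intended layout)."""
    findings = []
    ip_to_psn = {ip: name for name, ip in psn_ips.items()}
    for fqdn, psns in expected.items():
        want = {psn_ips[p] for p in psns}
        got = resolve(fqdn)
        unknown = got - set(ip_to_psn)          # points somewhere that is not a PSN
        if unknown:
            findings.append(f"{fqdn}: resolves to non-PSN address(es) {sorted(unknown)}")
        missing = want - got                    # round robin incomplete / wrong PSN
        if missing:
            findings.append(f"{fqdn}: missing PSN address(es) {sorted(missing)}")
        extra = (got & set(ip_to_psn)) - want   # redirect may land on the other PSN
        if extra:
            findings.append(f"{fqdn}: also resolves to unexpected PSN {sorted(extra)}")
    return findings


def check_cert_sans(expected: Dict[str, Set[str]],
                    san_by_psn: Dict[str, Set[str]]) -> List[str]:
    """Each PSN's portal certificate must carry every FQDN that can reach it."""
    findings = []
    for fqdn, psns in expected.items():
        for psn in psns:
            if fqdn not in san_by_psn.get(psn, set()):
                findings.append(f"{psn}: certificate SAN lacks {fqdn}")
    return findings
```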
10-01-2018 03:30 PM
10-02-2018 01:31 AM - edited 10-02-2018 01:32 AM
Hi, sorry but I don't understand part of your answer. You say:
"Why are you statically assigning this? ISE takes care of that for you by resolving the psn your authenticated to automatically"
I'm assuming you mean the URL that gets applied during the BYOD redirect? If I leave it default without specifying a manual FQDN then it will return the hostname of the authenticating ISE, but I don't want that, I want byod1.test.com or byod2.test.com, not the hostname, hence why I set the manual URL on the redirect authz profile. If I have this set up completely wrong then I'm open to suggestions.
As for the mydevices portal, if DNS round robin is the way then I'll give that a go, but the link you posted is for ISE 1.2 and I'm using ISE 2.4. I don't see the same recommendations for the mydevices portal in the 2.4 user guides. Is this still valid?
10-02-2018 03:26 AM
10-02-2018 03:53 AM
Yes, I know the PSN hostname is the norm, but it's a customer requirement that the hostname is not shown in the URL. That is why it has to be a unique BYOD FQDN.
Thanks for the help.
10-02-2018 04:42 AM
10-02-2018 06:06 AM - edited 10-02-2018 06:07 AM
No concern. They have stipulated that the URL shouldn't show the hostname. I've suggested the standard way, but they insist on doing without the hostname.