Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2320
Views
10
Helpful
7
Replies

my devices portal FQDN DNS resolution

Go to solution
firestartest
Level 1
Level 1

‎10-01-2018 03:06 PM

I have two ISEs. Primary PAN, Secondary Mnt, Active PSN on ISE01 (192.168.1.10). Secondary PAN, Primary Mnt, Active PSN on ISE02 (192.168.1.20).

 

I have setup BYOD but for the my devices portal I can only set the FQDN under the Portal Settings. For this example its mydevices.test.com

 

All this works OK as I have DNS resolving mydevices.test.com to 192.168.1.10. But how do I make this work for the second ISE node? The FQDN has to be mydevices.test.com. I don't have any loadbalancers.

 

I can get the CWA for BYOD to work on both ISEs by using two seperate authz profiles and identifying the request based on the source ISE. The authz profile for BYOD redirect has the option to set static FQDN which can be used in a rule and modified to suit the ISE. So ISE1 has byod1,test.com and ISE2 has byod2.test.com. The authz rules match the source ISE and apply the corresponding BYOD CWA.

 

But I can't see how to do this for the mydevices portal. I thought of just using two DNS records pointing to the same FQDN but don't think that is the correct way to do it.

 

Any help on this one?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to firestartest

‎10-02-2018 10:37 AM

Just do the URL override in the portal redirection.  Setup two DNS names, byodportal1.mycompany.com and byodportal2.mycompany.com, and assign map them to each PSN.  Then build two redirect authorization profiles, one that uses byodportal1 and one that uses byodportal2.  Finally build your policy set rules:

 

if network access ISE hostname equals psn1 then use authorization profile byodportal1

if network access ISE hostname equals psn2 then use authorization profile byodportal2

 

If you are talking about the MyDevices portal outside of the BYOD flow then you can just map the FQDN to both PSN IPs and let DNS figure it out.

View solution in original post

7 Replies 7

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-01-2018 03:30 PM

My devices portal has nothing to do with the byod nsp redirect. Why are you statically assigning this? ISE takes care of that for you by resolving the psn your authenticated to automatically

For the my devices easy url FQDN yes you set a dns record with both IP addresses in it

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_webportals.html#pgfId-1000833

0 Helpful

Go to solution
firestartest
Level 1
Level 1
In response to Jason Kunst

‎10-02-2018 01:31 AM - edited ‎10-02-2018 01:32 AM

Hi, sorry but I don't understand part of your answer. You say:

"Why are you statically assigning this? ISE takes care of that for you by resolving the psn your authenticated to automatically"

I'm assuming you mean the URL that gets applied during the BYOD redirect? If I leave it default without specifying a manual FQDN then it will return the hostname of the authenticating ISE but I don't want that, I want byod1.test.com or byod2.test.com not the hostname, hence why I set the manual URL on the redirect authz profile. If I have this setup completely wrong then i'm open to suggestions.

As for mydevices portal if DNS round robin is the way then i'll give that a go but the link you posted is for ISE 1.2 and i'm using ISE 2.4. I don't see the same recommendations for mydevices portal in the 2.4 user guides. Is this still valid?


0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to firestartest

‎10-02-2018 03:26 AM

For the byod flow it’s not necessary to do what you did. I don’t understand why you have a problem automatically returning the psn hostname of the server the device authenticated to? It should then redirect to same. What you’re doing is not necessary please read the byod guide


https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Also the dns recommendations are still the same

Go to solution
firestartest
Level 1
Level 1
In response to Jason Kunst

‎10-02-2018 03:53 AM

Yes I know the PSN hostname is the norm but it's a customer requirement that the hostname is not shown in the URL. That is why it has to be a unique BYOD FQDN.

 

Thanks for the help.

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to firestartest

‎10-02-2018 04:42 AM

Ok what’s their concern?
0 Helpful

Go to solution
firestartest
Level 1
Level 1
In response to Jason Kunst

‎10-02-2018 06:06 AM - edited ‎10-02-2018 06:07 AM

No concern. They have stipulated that the URL shouldn't show the hostname. I've suggested the standard way but they insist doing without the hostname.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to firestartest

‎10-02-2018 10:37 AM

Just do the URL override in the portal redirection.  Setup two DNS names, byodportal1.mycompany.com and byodportal2.mycompany.com, and assign map them to each PSN.  Then build two redirect authorization profiles, one that uses byodportal1 and one that uses byodportal2.  Finally build your policy set rules:

 

if network access ISE hostname equals psn1 then use authorization profile byodportal1

if network access ISE hostname equals psn2 then use authorization profile byodportal2

 

If you are talking about the MyDevices portal outside of the BYOD flow then you can just map the FQDN to both PSN IPs and let DNS figure it out.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents