07-13-2017 12:58 AM
Hi All,
I have a customer that upon successful guest authentication redirects the guest user to the public site of the company, i.e. www.company.com. The site itself integrates content from other company servers, i.e. server-a.company.com.
It is a distributed deployment with "internal" PSNs running the sponsor portal on their eth0 interface and "external" PSNs running the guest portal on their eth1 interface.
The issue we see is that the internal/sponsor PSNs seem to constantly try to connect to the server-a.company.com url. Is there any form of external url checking or caching happening when an external URL is used in the authentication success setting for the guest portal?
ISE is on 2.2 patch 1, interface bonding is disabled.
Kind Regards,
Panos
Solved! Go to Solution.
07-13-2017 09:34 AM
AFAIK ISE PSNs would not have done that.
If you are able to recreate this in your lab, I can take a look. Otherwise, please engage Cisco TAC.
07-13-2017 09:34 AM
AFAIK ISE PSNs would not have done that.
If you are able to recreate this in your lab, I can take a look. Otherwise, please engage Cisco TAC.
07-13-2017 11:25 PM
I thought so too. Unfortunately I can't recreate this in my test environment, so I will engage TAC.
Thank you!
07-13-2017 10:14 AM
You first need to define the Sponsor URL and make sure that maps to a specific PSN, AnyCast address, VIP, or leverage intelligent DNS for global LB of a web page. That IP needs to resolve to specific ISE interface where that portal is configured. A given portal cannot be assigned to a specific PSN unless you configured portal for interface which is not enabled on a set of PSNs. Make sure DNS resolves to correct interfaces and attempt to access portal will translate to proper URL/port.
Also, custom URL redirects must be defined using Advanced Attribute with Cisco-AV-Pair. It cannot be defined using Common Task via Web Redirection.
07-13-2017 11:27 PM
This part is clear and configured. I refer to the custom url you can set in the guest portal under the "successful authentication" setting.
07-14-2017 05:33 AM
Okay. I think is a misunderstanding of terms and what the end goal is. I will briefly outline some of those options and you can confirm your specific scenario.
You did cite Guest Success, so I think I diverged thinking issue was specific to #1 or #2 above. More specific to #3 use case, I would make sure that client is resolved to proper IP on the final landing page per the configured FQDN. Another case which I have found can be problematic is the ACL applied to connection. There is a transition from restricted communication with the PSN and then directive to connect to external server. It may be a timing issue where you get the redirect at client, but authorization has not been processed by the access switch/controller. In this case, if new policy to allow access to external site has not yet been granted, that may cause client access to external page to be redirected based on original authorization.
One way to troubleshoot would be to monitor the client session policy on switch/NAD when the redirect occurs. If new access policy is not in place, then client may get redirected before being granted access. To confirm, if redirected back to original guest login page, 1) verify access policy on NAD and 2) try to manually navigate to the external page to see if it properly displays.
Fixing a race condition may be difficult. TAC may be able to help, but make sure DNS is rock solid. Also, you could consider adding access to the landing page in the initial redirect policy. If users are likely to set that as their home page, and thus bypass initial redirection, you could create a unique FQDN for the landing page which is allowed using DNS ACL. The actual web page could then be configured to redirect the unique FQDN to the common redirect page (to avoid users from bookmarking unique URL). Hope that makes sense.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide