Radius proxy for guest

jdal (Cisco Employee)

Hi,

 

My customer has two ISE clusters. The first one is dedicated to wifi guest access while the second one is handling wired 802.1x for corporate users.

 

They would like to provide guest access to their wired users. They are thinking of using RADIUS proxy for that. The web portal would still be hosted on their "guest cluster" and "corporate wired users" would simply be redirected to that cluster.

 

I've done some research but I haven't seen any clear statement on whether that is supported or even supposed to work. Could someone confirm whether this is supposed to work and provide some pointers?

 

An alternative would be to host the guest portal on the corporate cluster and use the "guest cluster" as an external database. This would avoid managing guest accounts in two different locations but would require duplicating the web portal, which is not ideal...


8 Replies

Jason Kunst (Cisco Employee)
You can point the guest portal on one system to the other using a RADIUS token server as an external identity source:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#task_D0680D3739BF4663858342896759A10A

jdal (Cisco Employee)

Yes, this was the alternative I was mentioning. Should I deduce we wouldn't support RADIUS proxy in this case?

Jason Kunst (Cisco Employee)
Why wouldn't you just set up the wired deployment to use its own portal and database? It sounds like wired users would be logging into the CWA portal with their internal credentials?

jdal (Cisco Employee)

They are planning on heavily customising the portal. What you propose means duplicated work (and a duplicated guest database).
In this case, they also want to provide wired access to genuine guests (contractors).
A contractor should be able to use both the wifi and wired infra with the same credentials...

Jason Kunst (Cisco Employee)

Seems like complicating things having 2 separate deployments then? Or maybe it's for security?

The proper way to point is using RADIUS token. What does RADIUS proxy give you? Not sure why I understand the difference as a problem.

jdal (Cisco Employee)

The two different deployments are simply due to administrative reasons. They have one team managing wifi and another one for wired... There is no way we will manage to push a single deployment in their case!

What I was hoping to achieve with RADIUS proxy is to redirect wired guest users to the web portal hosted on the wifi cluster. That way, they would only have to maintain the portal in a single cluster. Since that doesn't seem to be possible, I'll propose the alternative.

Thx

 

Jason Kunst (Cisco Employee), accepted solution

Ok right. You can't have one RADIUS server hosting wired dot1x and another handling MAB for guest CWA. The ISE server servicing the wired side would also need to host the portal since we rely on the RADIUS session for the control plane.

So the solutions are:

Option 1 (the one you are going with):
- wired deployment CWA would have to call the guest database in the other deployment via RADIUS token
- 1 database of guests
- portal for wired
- portal for wireless
- enhancement request (reach out to the ISE product managers): requirement to export guest portal settings and customization from one deployment to import on another

Option 2:
- have 1 deployment servicing it all

jdal (Cisco Employee)

Thanks for confirming, that's what I've already communicated to the customer.

I knew the sessionId could be the issue but I was not sure where it would be generated. I thought we could simply proxy the MAB request from the wired cluster to the guest cluster, which would then generate a sessionId as well and return the corresponding redirect URL.
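To make the accepted answer's point concrete (the portal has to live on the deployment that holds the RADIUS session, because that session is the control plane) and to show where the proxied-MAB idea from the last reply breaks on the sessionId, here is an added toy model in Python. It is not ISE code and was not posted by anyone in the thread; the cluster names, the session table, the sample guest account and the rule that the switch only honours CoA from the RADIUS server it is configured with are modelling assumptions, not statements from the thread.

```python
# Toy model of the CWA control plane discussed in the thread. Constructed for
# illustration; it is not ISE code. Modelling assumption: the switch (NAD) sends
# RADIUS to one configured server and honours CoA only from that server.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cluster:
    """One ISE deployment: its own RADIUS session table and guest database.
    It may proxy RADIUS to another cluster, or query one as a token server."""
    name: str
    guest_db: dict = field(default_factory=dict)   # username -> password
    sessions: dict = field(default_factory=dict)   # session id -> endpoint MAC
    proxy_to: Optional[Cluster] = None             # RADIUS proxy target
    token_server: Optional[Cluster] = None         # external identity source

    def mab_request(self, mac: str) -> dict:
        """Answer a MAB Access-Request. A proxying cluster only relays it, so the
        session (and the sessionId in the redirect URL) is created upstream."""
        if self.proxy_to is not None:
            return self.proxy_to.mab_request(mac)
        sid = secrets.token_hex(8)
        self.sessions[sid] = mac
        return {"code": "Access-Accept",
                "url-redirect": f"https://{self.name}/guestportal?sessionId={sid}"}

    def verify_guest(self, user: str, password: str) -> bool:
        """Check the local guest database, else ask the token server (Option 1)."""
        if self.guest_db.get(user) == password:
            return True
        return self.token_server is not None and self.token_server.verify_guest(user, password)

    def portal_login(self, sid: str, user: str, password: str, nad: Switch) -> str:
        """Guest portal on this cluster. The sessionId from the URL is the only link
        back to the RADIUS session, so it has to be in this cluster's own table."""
        mac = self.sessions.get(sid)
        if mac is None:
            return "unknown session"
        if not self.verify_guest(user, password):
            return "login failed"
        return "authorized" if nad.coa(self, mac) else "CoA rejected"


@dataclass
class Switch:
    """Wired NAD. One configured RADIUS server; CoA accepted only from it."""
    radius_server: Cluster
    authorized: set = field(default_factory=set)

    def connect(self, mac: str) -> str:
        """Endpoint plugs in: the MAB request goes to the configured server."""
        return self.radius_server.mab_request(mac)["url-redirect"]

    def coa(self, sender: Cluster, mac: str) -> bool:
        if sender is not self.radius_server:
            return False
        self.authorized.add(mac)
        return True


def session_id(url: str) -> str:
    return url.rsplit("sessionId=", 1)[1]


MAC = "00:11:22:33:44:55"          # constructed sample endpoint
GUESTS = {"contractor": "s3cret"}  # constructed sample guest account


def proxy_design() -> dict:
    """The design asked about: wired cluster proxies MAB to the guest cluster."""
    guest = Cluster("guest-ise", guest_db=dict(GUESTS))
    wired = Cluster("wired-ise", proxy_to=guest)
    sw = Switch(wired)
    sid = session_id(sw.connect(MAC))
    return {
        "guest_portal": guest.portal_login(sid, "contractor", "s3cret", sw),
        "wired_portal": wired.portal_login(sid, "contractor", "s3cret", sw),
        "nad_authorized": MAC in sw.authorized,
    }


def token_design() -> dict:
    """Option 1 from the accepted answer: the wired cluster owns session and portal,
    the guest cluster is only an external identity source (RADIUS token)."""
    guest = Cluster("guest-ise", guest_db=dict(GUESTS))
    wired = Cluster("wired-ise", token_server=guest)
    sw = Switch(wired)
    sid = session_id(sw.connect(MAC))
    return {
        "wrong_password": wired.portal_login(sid, "contractor", "nope", sw),
        "wired_portal": wired.portal_login(sid, "contractor", "s3cret", sw),
        "nad_authorized": MAC in sw.authorized,
    }


if __name__ == "__main__":
    print("RADIUS proxy:", proxy_design())
    print("RADIUS token:", token_design())
```

In the proxy design the session is born on the guest cluster: its portal can find the sessionId but the switch does not take its CoA, and the wired cluster, which the switch does trust, has no record of the session at all. In the token design the session, the portal and the CoA all stay on the wired cluster, and only the credential check crosses to the guest cluster, which is the single guest database the accepted answer lists under Option 1.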