1077 Views | 6 Helpful | 5 Replies

Sponsor portal FQDN

KevinR99
Level 1

Hi

I have a guest wireless solution where clients that authenticate to any one of 2 ISEs in a deployment get redirected to the same ISE for the Guest portal but on different URLs.

So for ISE-1 I put a host entry on its CLI pointing to guest-1.mycompany.com and on ISE-2 I have a host entry for guest-2.mycompany.com.

This works well.  Whichever ISE I hit sends the FQDN related to its CLI host entry.  Also, when one ISE fails my WLC sends all requests to the surviving one and the host entry redirects to the correct FQDN.

I am testing single click sponsored access.  When both ISEs are up the Approve link sends me to the URL defined in the Sponsor portal settings and customization area which is, for example, sponsor.mycompany.com, but this only seems to be related to the Primary ISE.  When I register via the secondary ISE it sends me to its IP address.mycompany.com.

What I really want is clients that registered through ISE-1 and are redirected to ISE-1's Guest portal result in their sponsor getting a specific FQDN for that ISE, and ones that go through ISE-2 get a different FQDN going to ISE-2's sponsor portal.  My problem is that when the primary fails there doesn't seem to be anywhere to define a FQDN for the secondary sponsor portal in the same way as I can define the secondary ISE's Guest portal with a host command.

What is the accepted way to deal with single click sponsors in a distributed environment?

Thanks for any input as usual, Kev.

5 Replies

Arne Bier
VIP

I have not touched ISE Guest stuff in a while and I might be wrong here - but when the Primary Admin node is down, and you have a secondary Admin node, then the Guest Sponsor system is temporarily broken, because the primary guest database is handled by an ACTIVE Admin node. The resolution is to promote the Secondary Admin to Primary. In addition, after the promotion has been done, the Sponsor Portal's DNS entry must then be changed to point to the IP address of the Secondary Admin Node.

Therefore, Sponsor Portal HA is not a thing. There are steps involved to make Sponsor Portal highly available.


Arne

I managed to set this up as I wanted.  I can copy the default sponsor portal and create two new ones.  One to be used for ISE-1 and one for ISE-2.  I then define a FQDN for each one pointing to the appropriate IP address.

I then set up a sponsored guest portal for each ISE and within the portal I can define what sponsor portal to use.  So I define the sponsor portal with the FQDN that will point to the same ISE.  In the policy sets I match on the ISE hit and apply an Authorization profile that returns the sponsored portal for the same ISE.  So if my WLC hits ISE-1 my authorization profile points me to the sponsored guest portal on ISE-1 and that points to the sponsor portal on ISE-1.  When the Guest registers the email that is sent out has an approve/deny link that points to the correct FQDN so I get directed to the sponsor portal on the same ISE.  This works a treat.  If I point my WLC directly at either ISE the appropriate sponsored guest and sponsor portal FQDNs are returned and I just need to ensure my DNS points to the correct ISE address.  I successfully register guests via the correct ISE and the approve/deny also goes to the correct ISE.  I still need to test what happens if a guest has been approved and they come back in when the ISE they were approved on has failed.  I suspect their credentials will have been replicated across ISEs but I will test that.

Thanks, Kev.

@KevinR99 that sounds interesting, can you please post some screenshots about that?

Unfortunately I no longer have access to those ISEs and the rules/portal names/FQDNs would need to be heavily redacted if I was able to provide screenshots.

  1. Set up 2 identical sponsor portals.  In the portal setup use different FQDNs for each one.
  2. Set up 2 identical sponsored guest portals.  Point one to sponsor portal 1 and the other to sponsor portal 2.
  3. Set up 2 authorization results.  One points to sponsored guest portal 1 and returns an FQDN for it.  One points to sponsored guest portal 2 with a different FQDN.
  4. Set up your DNS to point each FQDN to the appropriate ISE.
  5. Create authorization policies that include a match on the ISE that's hit.  If your RADIUS request hits ISE-1 use the authorization rule that returns that portal.  If your RADIUS request hits ISE-2 send that portal back.
  6. DNS now handles what IP address to hit based on the FQDN in the returned Authorization result.  The sponsored guest portal is told to use a sponsor portal with a specific FQDN.  Your DNS points to the appropriate ISE IP and you are directed to that sponsor portal.  The approve link then goes to the correct sponsor portal.

Hopefully that description is enough without the screenshots.

Kev.
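The six steps above, modelled as an added consistency check. This is not Kev's configuration and not anything exported from ISE: the node names, IP addresses, portal names and FQDNs are assumed for illustration, and the script only checks the wiring of the model, it does not talk to an ISE. It follows each node's chain (authorization result, sponsored-guest portal FQDN, chosen sponsor portal, sponsor FQDN, DNS record) and flags any hop that lands on the other node, which is the mistake that is easiest to make when step 4 is done by hand. It also models the failover point left open in the thread: with static DNS, an approve/deny link issued through ISE-1 stays pinned to ISE-1, so it cannot be served while that node is down.

```python
"""Model of a two-node ISE guest/sponsor portal layout with one chain per node.

Constructed example: nodes, IPs, portal names and FQDNs are assumed, not taken
from any real deployment or from the thread's author.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    ip: str


@dataclass(frozen=True)
class SponsoredGuestPortal:
    name: str
    fqdn: str            # FQDN returned in the authorization result (step 3)
    sponsor_portal: str  # sponsor portal selected in the portal settings (step 2)


@dataclass
class Deployment:
    nodes: dict           # node name -> Node
    dns: dict             # FQDN -> IP address (step 4)
    sponsor_portals: dict  # sponsor portal name -> its FQDN (step 1)
    guest_portals: dict    # sponsored-guest portal name -> SponsoredGuestPortal
    policy: dict           # ISE host name that served RADIUS -> sponsored-guest portal (step 5)


def resolve(dep, fqdn):
    """Step 6: DNS decides which node a returned FQDN actually lands on."""
    ip = dep.dns.get(fqdn)
    for node in dep.nodes.values():
        if node.ip == ip:
            return node.name
    return None


def chain_for(dep, hit_node):
    """Follow the redirect chain for a RADIUS request answered by hit_node."""
    gp = dep.guest_portals[dep.policy[hit_node]]
    sponsor_fqdn = dep.sponsor_portals[gp.sponsor_portal]
    return {
        "hit_node": hit_node,
        "guest_portal": gp.name,
        "guest_fqdn": gp.fqdn,
        "guest_node": resolve(dep, gp.fqdn),
        "sponsor_portal": gp.sponsor_portal,
        "sponsor_fqdn": sponsor_fqdn,
        "sponsor_node": resolve(dep, sponsor_fqdn),
    }


def check_deployment(dep):
    """Return findings; an empty list means every chain stays on the node that was hit."""
    findings = []
    for hit_node in dep.nodes:
        if hit_node not in dep.policy:
            findings.append(f"{hit_node}: no authorization rule matches this node")
            continue
        chain = chain_for(dep, hit_node)
        for stage in ("guest", "sponsor"):
            fqdn, landing = chain[f"{stage}_fqdn"], chain[f"{stage}_node"]
            if landing is None:
                findings.append(f"{hit_node}: {stage} FQDN {fqdn} does not resolve to any ISE node")
            elif landing != hit_node:
                findings.append(f"{hit_node}: {stage} FQDN {fqdn} lands on {landing}")
    return findings


def approve_link_reachable(dep, issued_on, up_nodes):
    """The approve/deny e-mail carries the sponsor FQDN of the node the guest
    registered through; with static DNS that link stays pinned to that node."""
    sponsor_fqdn = chain_for(dep, issued_on)["sponsor_fqdn"]
    return resolve(dep, sponsor_fqdn) in up_nodes


def sample_deployment():
    """Constructed two-node layout following the six steps (all values assumed)."""
    nodes = {"ISE-1": Node("ISE-1", "10.0.0.11"), "ISE-2": Node("ISE-2", "10.0.0.12")}
    dns = {
        "guest-1.mycompany.com": "10.0.0.11", "guest-2.mycompany.com": "10.0.0.12",
        "sponsor-1.mycompany.com": "10.0.0.11", "sponsor-2.mycompany.com": "10.0.0.12",
    }
    sponsor_portals = {"Sponsor-ISE-1": "sponsor-1.mycompany.com",
                       "Sponsor-ISE-2": "sponsor-2.mycompany.com"}
    guest_portals = {
        "SponsoredGuest-ISE-1": SponsoredGuestPortal("SponsoredGuest-ISE-1", "guest-1.mycompany.com", "Sponsor-ISE-1"),
        "SponsoredGuest-ISE-2": SponsoredGuestPortal("SponsoredGuest-ISE-2", "guest-2.mycompany.com", "Sponsor-ISE-2"),
    }
    policy = {"ISE-1": "SponsoredGuest-ISE-1", "ISE-2": "SponsoredGuest-ISE-2"}
    return Deployment(nodes, dns, sponsor_portals, guest_portals, policy)


def misconfigured_deployment():
    """Same layout, but the DNS record for sponsor-2 was left pointing at ISE-1."""
    dep = sample_deployment()
    dep.dns["sponsor-2.mycompany.com"] = "10.0.0.11"
    return dep


if __name__ == "__main__":
    for label, dep in (("good", sample_deployment()), ("bad", misconfigured_deployment())):
        print(label, check_deployment(dep) or "all chains stay on the node that was hit")
    print("approve link issued via ISE-1 with ISE-1 down:",
          approve_link_reachable(sample_deployment(), "ISE-1", {"ISE-2"}))
```

Run it as a script to see the good layout pass, the DNS mistake flagged as the ISE-2 sponsor FQDN landing on ISE-1, and the pinned approve link reported unreachable once ISE-1 is down. The policy key stands in for whatever node attribute the authorization rule matches on in step 5; the same check applies if you add a third node, as long as each node gets its own full chain.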

Thanks for sharing, I'll give it a try