Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2551
Views
0
Helpful
5
Replies

Static FQDN for portal with F5

Go to solution
Fabio885
Level 1
Level 1

‎08-19-2021 08:28 AM

 Hi to everyone,

 

my question is simple. Is it possible to do without problem assign to a guest-portal a static fqdn that point to the VIP F5 address? In order to balance the load trought F5? between two PSN.

(behind this F5 we have all PSN that provide the portal page)

 

thank you

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to Fabio885

‎08-21-2021 03:42 AM - edited ‎08-21-2021 03:44 AM

From my standpoint, this is a guest access, meaning that it will happen only for guest users. It also means that it will happen only upon initial connection, so it is not like users are connected all the time to this guest portal. If you want to achieve load-balancing, you could achieve it via WiFi setup, instructing WLC to use all configured AAA servers for this SSID, which should effectivelly achive te same - WLC would send requests to both PSNs. PSNs would then reply, each with their own FQDN.

You could also look into imeplementing 'sleeping clients' approach, so that you actually cache some users, for certain perion, and not to prompt them for authentication, each time they step away from WiFi.

Placing ISE behind LB is not same like placing standard Web server behind LB. Reason for that is that LB can't just overwrite IP header, but it needs to modify the RADIUS content as well. This is why that guide is relevant, if you still want to proceed with it. For me personally, it looks like too much effort, without actually gaining much.

BR,

Milos

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-19-2021 01:49 PM

Hi @Fabio885,

Yes, it is possible to assign static IP or FQDN as part of authorization profile on ISE.

However, placing ISE behind load-balancer is not that straight forward, and it must not be done as on standard Web servers. Please take a look at this design guide, in order to understand how ISE can be placed behind LB for RADIUS service.

If I may ask, what is your driver for doing this for Guest portal? What are you looking to achieve with this?

BR,

Milos

0 Helpful

Go to solution
Fabio885
Level 1
Level 1
In response to Milos_Jovanovic

‎08-20-2021 05:41 AM

Thank you for replying.

 

Sorry, what do you mean with "driver"?

 

btw i need to investigate on "400Bad request". 

 

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to Fabio885

‎08-20-2021 06:45 AM

Why do you want to place Guest portal behind LB?

BR,

Milos

0 Helpful

Go to solution
Fabio885
Level 1
Level 1
In response to Milos_Jovanovic

‎08-20-2021 06:58 AM

We need a LB because we have 2 psn for site. Are sites many populated with multiple office and we want to balance the load.

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to Fabio885

‎08-21-2021 03:42 AM - edited ‎08-21-2021 03:44 AM

From my standpoint, this is a guest access, meaning that it will happen only for guest users. It also means that it will happen only upon initial connection, so it is not like users are connected all the time to this guest portal. If you want to achieve load-balancing, you could achieve it via WiFi setup, instructing WLC to use all configured AAA servers for this SSID, which should effectivelly achive te same - WLC would send requests to both PSNs. PSNs would then reply, each with their own FQDN.

You could also look into imeplementing 'sleeping clients' approach, so that you actually cache some users, for certain perion, and not to prompt them for authentication, each time they step away from WiFi.

Placing ISE behind LB is not same like placing standard Web server behind LB. Reason for that is that LB can't just overwrite IP header, but it needs to modify the RADIUS content as well. This is why that guide is relevant, if you still want to proceed with it. For me personally, it looks like too much effort, without actually gaining much.

BR,

Milos

0 Helpful
Customers Also Viewed These Support Documents