URL-redirected session

Sorry for the silly question. I'm reading this article

https://www.ciscopress.com/articles/article.asp?p=2812072&seqNum=2

and I'm trying to understand the following sentence

"If a PSN goes down and orphans a URL-redirected session, one of the other PSNs in the node group sends a Change of Authorization (CoA) to the NAD so that the endpoint can restart the session establishment with a new PSN."

I know what CoA is, i.e. a client is forced to authenticate again; what I don't understand is "and orphans a URL-redirected session". In which scenario am I supposed to see this?

TIA, Gio

** Happy 2024 to all of you! **


M02@rt37
VIP

Hello @GioacchinoInfanti 

An orphaned URL-redirected session describes a scenario where a session that was in the process of being redirected to a URL is left in an incomplete state due to the unavailability of the PSN responsible for handling the redirection. The CoA mechanism is then used to notify the NAD and prompt the endpoint to restart the session establishment process with a new PSN.


Best regards

Thanks M02@rt37,

I hope not to look picky or dumb. Which session are we speaking about? I would really appreciate it if you could elaborate your answer. We are speaking of a PSN that, for some reason, is not available anymore. AFAIK PSNs are Policy Service Nodes and they check client requests against policies created through the PAN(s).

I guess we are speaking of web portals, aren't we? Once the client has got the new URL, I guess through a 302 for the original URL it tried to reach, why would the unavailability of the dead PSN create problems?

Sorry for the many questions


Arne Bier
VIP

@GioacchinoInfanti - the failure scenario is a very specific one - imagine you have two PSNs - PSN1 and PSN2. The NAD (switch or WLC) is handling a Web Portal authentication. Remember that in the case of portals, this is a special song and dance that involves a few synchronised steps. The first step is that the NAD creates a session and sends a MAB request to the first available PSN in its aaa group - let's say PSN1. This creates a session in ISE itself. PSN1 gets the MAB and the Authorization Result is a bunch of RADIUS attributes including the Web Portal URL for PSN1. This URL gets back to the NAD. Due to automatic internet detection mechanisms, most operating systems cause a browser to open automatically, and the user should see a web portal login page. In the case of ISE Portals, the user has 5 minutes to log into this portal (this is hard coded in ISE) before the portal login session times out (you will get a pop up in the browser saying the session timed out).

Ok. So far so good. Now imagine something bad happens to PSN1 (reboot/crash/removed from load balancer pool/etc) - the NAD has no idea of PSN1's failure. The client has no idea of PSN1's failure. But because PSN2 is in the same Node Group as PSN1, the magic happens. PSN2 now becomes the session owner of this web portal session. Its first job is to "rattle" the NAD, by sending it a CoA to re-auth the session, to force the NAD to accept the URL of PSN2. Once this has been done, the client might experience some weirdness in their browser (I think I did this many years ago and the client had to re-enter their login details) - but the end result is that the client can log in to the portal.
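The failover sequence Arne describes, as an added simulation that is not part of this thread or Cisco's code: PSN names, portal URLs, session states and the NAD's RADIUS fallback to the next live PSN are all assumptions, and only sessions still waiting on the redirect are treated as orphaned.

```python
from dataclasses import dataclass, field


@dataclass
class Psn:
    """A Policy Service Node (hypothetical name and portal URL scheme)."""
    name: str
    alive: bool = True

    def authorize_mab(self, mac: str) -> dict:
        # Authorization result: RADIUS attributes including this PSN's own portal URL
        return {"url-redirect": f"https://{self.name}.example.net:8443/portal?mac={mac}",
                "owner": self.name}


@dataclass
class Session:
    mac: str
    owner: str
    redirect_url: str
    state: str = "REDIRECT_PENDING"   # becomes PORTAL_DONE once the user has logged in


@dataclass
class Nad:
    """Switch/WLC: holds sessions, sends RADIUS to its aaa group, honours CoA."""
    aaa_group: list
    sessions: dict = field(default_factory=dict)
    coa_log: list = field(default_factory=list)

    def mab(self, mac: str) -> Session:
        # RADIUS goes to the first PSN that answers; a dead PSN is skipped after timeout
        psn = next(p for p in self.aaa_group if p.alive)
        result = psn.authorize_mab(mac)
        self.sessions[mac] = Session(mac, result["owner"], result["url-redirect"])
        return self.sessions[mac]

    def receive_coa_reauth(self, mac: str, sender: str) -> Session:
        self.coa_log.append((mac, sender))
        return self.mab(mac)          # re-run MAB: new owner, new portal URL


def node_group_failover(nad: Nad, node_group: list) -> list:
    """A surviving PSN in the node group adopts orphaned redirect sessions via CoA."""
    by_name = {p.name: p for p in node_group}
    events = []
    for s in list(nad.sessions.values()):
        if by_name[s.owner].alive or s.state != "REDIRECT_PENDING":
            continue                  # owner healthy, or portal already finished: leave it
        taker = next(p for p in node_group if p.alive)
        nad.receive_coa_reauth(s.mac, taker.name)
        events.append(f"{taker.name} sent CoA reauth for {s.mac}; new owner {nad.sessions[s.mac].owner}")
    return events
```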