ISE guest redirect

shaikh.zaid22
Level 1

Hi,

I am implementing a guest wireless network via Cisco ISE, wherein I am utilizing the sponsor page registration for the guest users.

Now my question is: for the portal certificate, can I use an IP-based certificate instead of an FQDN? I do not want the FQDN to get resolved via our internal DNS server. Instead, using an IP-based certificate which gets redirected on guest users' mobiles/PCs.

Thanks

Accepted Solutions

Hi,

At last we solved the redirect issue by configuring DNS doctoring (Translate DNS replies in Auto NAT in FTD).

This way we published the FQDN with a public IP on public DNS, and internally via Auto NAT and ACL we controlled the traffic.

Hence the guest resolves the FQDN through public DNS, and when the traffic comes back to the FTD firewall, Auto NAT translates the DNS replies to the ISE guest IP address.

8 Replies

Hi,

You can use FQDN in the CN and IP address in SAN names. This way you are covered.

***** please remember to rate useful posts

Thanks Mohammed for the reply.

Do you mean that while generating the CSR, the FQDN will be under CN and the IP address will be under SAN?

Yes that is correct.

**** please remember to rate useful posts

One important thing to keep in mind when it comes to the sponsor portal is that there is a redirection that would happen in the background to the admin portal before the session is redirected to the sponsor portal. Essentially, you will be presented with two certificates: the first will be the admin certificate, and the second will be the sponsor portal certificate. This means that the sponsor portal FQDN and the IP address details should be added to the admin certificate, as well as to the sponsor portal certificate.

Hi Aref,

I don't think this is needed if you hit the sponsor portal directly. I will be grateful if you can share a doc for this as it's new to me.

**** please remember to rate useful posts

Hi Mohammed, unfortunately I don't have any Cisco doc handy on this, but I ran into this issue personally before I learned this behaviour, and I could prove it by doing session inspections, where I could actually see the admin certificate presented before the sponsor portal certificate is presented.

Doing a quick search online I found this, Mohammed; it is kind of talking about the same behaviour:

Cisco Bug: CSCut16630 - ISE : https to sponsor portal using Admin cert not sponsor cert
