CSCus64320 - CWA Redirect uses IP instead of FQDN for non gig0 intf for guest portal

mstraessle
Level 4

Hi Community 

I walked around this bug, but was not able to find the real reason and solution for it. The setup is like this:

=== PRIMARY HOST:

Int Gig 0 
ip addr 1.1.1.1/24

Int Gig 1
ip addr 2.2.2.2/24

FQDN: ise1-gig0.adm-abc.com

default Gateway 2.2.2.1

=== SECONDARY HOST

Int Gig 0 
ip addr 1.1.1.2/24

Int Gig 1
ip addr 2.2.2.3/24

FQDN: ise2-gig0.adm-abc.com

default Gateway 2.2.2.1

The sync and management traffic is using gig 0 with certs using the FQDNs. The Guest Portal is active on Int gig 1 with special certificates (SAN) for the FQDNs on Gig1 (ise1-gig1.abc.com and is-gig1.abc.com).

DNS is resolvable for both interfaces on both hosts. So why should I use the IP host?

Fact is in this setup (ISE 1.4 with Patch3), the redirect url for CWA is always sent using the ip address instead of the FQDN, which ends up in a certificate error.

I found two workarounds, but neither makes me happy:

Workaround 1:
Use a static FQDN in the redirect: ise1-gig1-abc.com
This works well as long as the PRIMARY host is available. If the primary host is down, clients are redirected into a black hole... :-(

Workaround 2:
Use IP Addresses in the SAN field. This would probably work, but the Certificate Authority does not allow me to do so... :-(

Any suggestions, or experiences with such a use-case? Many thanks for any help or input.
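To make the certificate error concrete, here is an added check (not part of this thread or any Cisco tool) that applies the browser's name-matching rules to a CWA redirect URL against the portal certificate's SAN entries: an IP literal in the URL is only ever matched against iPAddress SAN entries, never against dNSName entries, which is why the IP-based redirect fails and why workaround 2 would work. The redirect URL format, port 8443 and the second SAN name ise2-gig1.abc.com are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list for the Gig1 portal certificate (ise2-gig1 name assumed)
PORTAL_SAN = [("DNS", "ise1-gig1.abc.com"), ("DNS", "ise2-gig1.abc.com")]


def dns_match(pattern: str, host: str) -> bool:
    """dNSName matching as browsers do it (RFC 6125 style):
    exact match, or a single wildcard covering only the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        # '*.abc.com' matches 'x.abc.com' but not 'a.b.abc.com' or 'abc.com'
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def redirect_matches_cert(redirect_url: str, san_entries) -> bool:
    """True if a client browser would accept the portal certificate for the
    host named in this redirect URL. san_entries is a list of (type, value)
    tuples with type 'DNS' (dNSName) or 'IP' (iPAddress)."""
    host = urlsplit(redirect_url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)  # hostname strips [] from IPv6 literals
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries; a dNSName
        # entry that happens to resolve to that IP does not count.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san_entries)
    return any(t == "DNS" and dns_match(v, host) for t, v in san_entries)


if __name__ == "__main__":
    # Constructed redirect URLs mirroring the bug and the two workarounds
    buggy = "https://2.2.2.2:8443/portal/gateway?sessionId=abc&action=cwa"
    fqdn = "https://ise1-gig1.abc.com:8443/portal/gateway?sessionId=abc&action=cwa"
    print("IP redirect accepted:  ", redirect_matches_cert(buggy, PORTAL_SAN))
    print("FQDN redirect accepted:", redirect_matches_cert(fqdn, PORTAL_SAN))
    print("IP redirect with IP SAN:",
          redirect_matches_cert(buggy, PORTAL_SAN + [("IP", "2.2.2.2")]))
```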

3 Replies

jan.nielsen
Level 7

In workaround 1, you can create two authz rules for your redirect instead of just one, with different FQDNs in the authz result, one for each ISE server. Then use the condition for the two different ISE server names, which will be filled with either the primary or secondary, depending on which one received the RADIUS request from your wireless controller.

Hi Jan

This is a great idea. I will try next week and give feedback if it worked like this. But I think yes. Anyhow, it is still a workaround. What is the correct solution, if there is any?

 

I'm not sure if there is an actual solution; if it's a bug then obviously the solution is for Cisco to fix it. In older versions of ISE (pre-1.3) I did this with no problems at one customer, so it has not always been like in 1.4, which might give credit to the bug theory. One thing I was thinking about, but I can't remember, is if there is an "interface" select menu for different ports, like there was in 1.2; if there is, maybe that is how ISE gets confused as to which interface you want to use for guest.
