06-25-2013 01:58 PM - edited 03-10-2019 08:35 PM
Hi support community
We just implemented CWA for wireless guest access using ISE. However, we have an issue: the redirect URL is a name, not an IP address, and the guest DHCP scope uses public DNS servers, so CWA doesn't work unless we set the company DNS servers.
So my question: is there a way to configure ISE to send the IP address instead of the name for redirection in CWA?
Many thanks in advance...
06-25-2013 08:22 PM
Hello Julio,
Till now there is no way to use name instead of IP. ISE always required IP address in URL redirection. To understand how CWA works, you can see the attached PDF.
06-26-2013 12:43 AM
Your problem is that the "URL that the guest enters" (e.g. cisco.com, etc.) is only resolved by public DNS, and the "Redirect URL" (name of the ISE policy server) is only resolved by your company DNS server...
But I have some suggestions: use both your company's DNS server and public DNS on the DHCP server, and use a DACL to restrict guest access to the company's resources/private addresses,
or you can create a new DNS server in the company that can only resolve the ISE hostname and other public hostnames...
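One way to build the guest-only resolver suggested above, sketched as a dnsmasq configuration. This is an added example, not part of the original posts; the choice of dnsmasq, the hostname `ise-psn.corp.example` and all addresses are assumptions and constructed placeholders.

```conf
# Guest-only resolver (added example; every name and address is a constructed placeholder).

# Listen only on the address handed to guests as their DNS server.
listen-address=10.99.0.53
bind-interfaces

# Ignore /etc/resolv.conf and forward only to the public resolvers listed here,
# never to the company DNS servers.
no-resolv
server=192.0.2.1
server=192.0.2.2

# Answer the ISE portal name locally so the CWA redirect URL resolves for guests.
host-record=ise-psn.corp.example,10.10.10.20

# Keep every other name in the internal zone local: it is not forwarded upstream
# and no other internal record is defined here, so guests cannot enumerate it.
local=/corp.example/

# Reject upstream answers that point into private address space, and do not
# forward plain names that have no domain part.
stop-dns-rebind
domain-needed
```

The guest DHCP scope would then hand out only this resolver's address, and the guest ACL needs to permit DNS to it in place of the company DNS servers.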
06-26-2013 07:53 AM
Hi, thanks for answering...
Yes, the problem is that public DNS servers obviously can't resolve the ISE servers' names. Additionally, the guest VLAN has an ACL blocking all traffic destined for internal resources, with some exceptions (DHCP, DNS and the ISE port for CWA).
However, guests can access some company services, but as if they were located on the internet, i.e. through the public IP address, so if we use internal servers, they resolve the internal IP address and connections fail. Muhammad's suggestions could be the solution for the problem... but now it is something to discuss with the DNS server administrator...
thanks