Guest access with CWA on ISE

Hi support community,

We just implemented CWA for wireless guest access using ISE. However, we have an issue: the redirect URL is a name, not an IP address, and the guest DHCP scope uses public DNS servers, so CWA doesn't work unless we set the company DNS servers.

So my question: is there a way to configure ISE to send the IP address instead of the name for redirection in CWA?

Many thanks in advance...

Accepted Solutions

Ravi Singh
Level 7

Hello Julio,

Till now there is no way to use a name instead of an IP. ISE always requires an IP address in URL redirection. To understand how CWA works, you can see the attached PDF.

myanuary
Level 1

Your problem is that the "URL that the guest enters" (e.g. cisco.com, etc.) only resolves via public DNS, and the "Redirect URL" (name of the ISE policy server) only resolves via your company DNS server...

But I have some suggestions: use both your company's DNS server and public DNS on the DHCP server, and use a DACL to restrict guest access to the company's resources/private addresses.

Or you can create a new DNS server at the company that can only resolve the ISE hostname and other public hostnames...

Hi, thanks for answering...

Yes, the problem is that public DNS servers obviously can't resolve the ISE servers' names. Additionally, the guest VLAN has an ACL blocking all traffic destined to internal resources, with some exceptions (DHCP, DNS and the ISE port for CWA).

However, guests can access some company services, but as if they were located on the internet, i.e. through the public IP address, so if we use internal servers, they resolve the internal IP address and connections fail. Muhammad's suggestions could be the solution to the problem... but now it is something to discuss with the DNS server administrator...

thanks
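
An added example, not part of any post in this thread: a small Python audit of the guest design discussed above, checking that every DNS server handed out by the guest DHCP scope can resolve the redirect hostname and that the guest ACL permits DNS and the portal port while still blocking other internal addresses. The hostname, addresses, port 8443, zone contents and rule format are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not values from the thread).
REDIRECT_URL = "https://ise-psn.corp.example:8443/portal/gateway"
ZONES = {  # names each DNS server is able to answer
    "198.51.100.53": {},                                   # public resolver
    "10.0.0.53": {"ise-psn.corp.example": "10.0.0.20"},    # company DNS
}
# First-match guest ACL: (action, protocol, destination, port or None for any)
GUEST_ACL = [
    ("permit", "udp", "10.0.0.53/32", 53),
    ("permit", "tcp", "10.0.0.20/32", 8443),
    ("deny", "any", "10.0.0.0/8", None),
    ("deny", "any", "172.16.0.0/12", None),
    ("deny", "any", "192.168.0.0/16", None),
    ("permit", "any", "0.0.0.0/0", None),
]

def acl_allows(acl, proto, dst, port):
    """Return True if the first matching rule permits the flow (implicit deny)."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, net, r_port in acl:
        if r_proto in ("any", proto) and r_port in (None, port) and addr in ipaddress.ip_network(net):
            return action == "permit"
    return False

def audit(redirect_url, scope_dns, zones, acl):
    """List reasons a guest using the DNS servers in scope_dns cannot load the portal."""
    url = urlsplit(redirect_url)
    host, port = url.hostname, url.port or 443
    findings, portal_ip = [], None
    try:
        portal_ip = str(ipaddress.ip_address(host))  # URL carries an IP, no DNS needed
    except ValueError:
        for server in scope_dns:
            if not acl_allows(acl, "udp", server, 53):
                findings.append(f"ACL blocks DNS to {server}")
            elif host not in zones.get(server, {}):
                # A stub resolver moves to the next server on timeout, not on NXDOMAIN.
                findings.append(f"{server} cannot resolve {host}")
            else:
                portal_ip = zones[server][host]
    if portal_ip and not acl_allows(acl, "tcp", portal_ip, port):
        findings.append(f"ACL blocks tcp/{port} to portal {portal_ip}")
    return findings
```

An empty list from `audit` means the scope and ACL are consistent with the redirect URL; each string returned names one setting to take to the DNS or network administrator.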