How does ISE choose which IP to put in URL redirect response?

trevorjenix
Level 1

Hello,

Does anyone know how ISE chooses which IP to put in the URL redirect response if it has more than one interface with an IP address and all interfaces are enabled in the portal configuration?


I have a single ISE 1.3 PSN with all four interfaces configured, enabled, each on unique VLAN, and each with unique IP address.

In the CWA portal configuration, all four interfaces are enabled.

Wired clients connect to NAD, NAD sends RADIUS request to ISE, ISE responds with a RADIUS response including the URL-Redirect parameter which specifies the web redirect URL. ISE configuration uses "ip:port" in the URL. 

My question is how does ISE choose which of its four interfaces to put in this URL? Is it always the same interface that RADIUS packets were received on? Or does it always choose the first portal enabled interface? Or is there another logic? Configurable or unconfigurable?

Thanks!

Accepted Solution

Craig Hyps
Level 10

ISE uses the first interface enabled for that portal, so if you want to use a specific interface, then only enable that interface.  If the interface is GE0, then the default behavior is to redirect with the ip value set to the node's FQDN.  If the interface is other than GE0, then the default behavior is to return the IP address of the associated interface.

Aliases can be configured for each interface using the CLI 'ip host' command to associate a hostname/FQDN to the IP address of a given interface.  When configured, ISE will return that value rather than the IP address in the redirect.  This is critical if you want to avoid a certificate trust warning on connecting clients.

Be sure that the certificate assigned to the interface includes the correct FQDN or optionally a wildcard value in the CN or SAN fields to avoid cert warnings.

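As an added illustration (not ISE code and not part of Craig's post), a small Python model of the selection rule described above, followed by a check of whether the portal certificate's CN/SAN names cover the host that would end up in the redirect URL. The interface names, IP addresses, 'ip host' alias and certificate names are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict, Tuple

@dataclass
class Interface:
    name: str                    # e.g. "GigabitEthernet 0"
    ip: str
    alias: Optional[str] = None  # hostname bound with CLI 'ip host <ip> <fqdn>'

def redirect_host(node_fqdn: str, interfaces: List[Interface], portal_enabled: List[str]) -> str:
    """Model of the rule in the accepted answer: the first portal-enabled
    interface wins; GE0 yields the node FQDN; any other interface yields its
    'ip host' alias when one is configured, otherwise its bare IP address."""
    for iface in interfaces:
        if iface.name not in portal_enabled:
            continue
        if iface.name == "GigabitEthernet 0":
            return node_fqdn
        return iface.alias or iface.ip
    raise ValueError("no portal-enabled interface")

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".test.com"
        left = host[:-len(suffix)] if host.endswith(suffix) else ""
        return left != "" and "." not in left
    return False

def cert_covers(cert_names: List[str], host: str) -> bool:
    """True when some CN/SAN entry covers the redirect host. A bare IP only
    matches an exact (IP SAN) entry, which is why an un-aliased non-GE0
    interface typically triggers the browser certificate warning."""
    return any(name_matches(n, host) for n in cert_names)

def demo() -> Dict[str, Tuple[str, bool]]:
    # Constructed example node: GE1 has an alias, GE2 does not.
    ifaces = [Interface("GigabitEthernet 0", "10.0.0.10"),
              Interface("GigabitEthernet 1", "10.0.1.10", alias="guest.test.com"),
              Interface("GigabitEthernet 2", "10.0.2.10")]
    cert = ["ise.test.com", "*.test.com"]   # constructed CN + SAN list
    results = {}
    for enabled in (["GigabitEthernet 0"], ["GigabitEthernet 1"], ["GigabitEthernet 2"]):
        host = redirect_host("ise.test.com", ifaces, enabled)
        results[enabled[0]] = (host, cert_covers(cert, host))
    return results

if __name__ == "__main__":
    for iface, (host, ok) in demo().items():
        print(f"{iface}: redirect host {host} -> cert covers: {ok}")
```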

5 Replies


Perfect, thank you Craig, an exhaustive answer!

Indeed - it's always a pleasure to see a Cisco TME weigh in here at CSC with a definitive answer.

Thanks for the answer.

Hi Craig,


When the non-gig0 interface is used for both the sponsor and guest portals with unique FQDNs, say, sponsor.test.com and guest.test.com, ISE only seems to take one ip host alias for the interface. Does this mean that when accessing the portal using the FQDN which does not have an ip host entry we would see certificate errors?

The FQDN and any IP addresses used (if not using DNS) would need to be in the certificate. I'd suggest a new post referencing this if you have further questions.