Beginner

How does ISE choose which IP to put in URL redirect response?

Hello,

Does anyone know how ISE chooses which IP to put in the URL redirect response if it has more than one interface with an IP address and all interfaces are enabled in the portal configuration?

 

I have a single ISE 1.3 PSN with all four interfaces configured, enabled, each on unique VLAN, and each with unique IP address.

In the CWA portal configuration, all four interfaces are enabled.

Wired clients connect to the NAD, the NAD sends a RADIUS request to ISE, and ISE responds with a RADIUS response that includes the URL-Redirect parameter, which specifies the web redirect URL. The ISE configuration uses "ip:port" in the URL.

My question is: how does ISE choose which of its four interfaces to put in this URL? Is it always the same interface that the RADIUS packets were received on? Or does it always choose the first portal-enabled interface? Or is there some other logic? Configurable or unconfigurable?

Thanks!

Accepted Solution
Advocate

ISE uses the first interface

ISE uses the first interface enabled for that portal, so if you want to use a specific interface, then only enable that interface.  If the interface is GE0, then the default behavior is to redirect with the ip value set to the node's FQDN.  If the interface is other than GE0, then the default behavior is to return the IP address of the associated interface.

Aliases can be configured for each interface using the CLI 'ip host' command to associate a hostname/FQDN to the IP address of a given interface.  When configured, ISE will return that value rather than the IP address in the redirect.  This is critical if you want to avoid certificate trust warnings on connecting clients.

Be sure that the certificate assigned to the interface includes the correct FQDN or optionally a wildcard value in the CN or SAN fields to avoid cert warnings.

5 REPLIES

Beginner

Perfect, thank you Craig, an exhaustive answer!

Hall of Fame Master

Indeed - it's always a pleasure to see a Cisco TME weigh in here at CSC with a definitive answer.

Thanks for the answer.

Cisco Employee

Re: ISE uses the first interface

Hi Craig,

 

When the non-gig0 interface is used for both the sponsor and guest portals with unique FQDNs, say sponsor.test.com and guest.test.com, ISE only seems to take one ip host alias for the interface. Does this mean that when accessing the portal using the FQDN which does not have an ip host entry we would see certificate errors?

Cisco Employee

Re: ISE uses the first interface

The FQDN and any IP addresses used (if not using DNS) would need to be in the certificate. I'd suggest a new post referencing this if you have further questions.
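The two points made in this thread, that the host in the URL-Redirect value follows the first portal-enabled interface (node FQDN for GE0, interface IP or its 'ip host' alias otherwise) and that the portal certificate must cover whatever host ends up in that URL (DNS name or IP literal), can be turned into a pre-change check. The Python below is an added example, not part of the thread and not ISE's own code; the interface names and IPs, the node FQDN, the alias, port 8443, the URL path and the parsed certificate fields are all constructed assumptions used as sample data.

```python
"""Predict the host ISE will place in a CWA redirect URL and check that the
portal certificate covers it.  Added example; all data below is constructed."""
import ipaddress
from urllib.parse import urlsplit

# --- Constructed sample data (assumptions, not from the thread) -------------
NODE_FQDN = "ise-psn1.example.com"          # assumed PSN hostname
INTERFACES = {                              # interface -> IP, in interface order
    "GigabitEthernet0": "10.0.0.10",
    "GigabitEthernet1": "10.0.1.10",
    "GigabitEthernet2": "10.0.2.10",
    "GigabitEthernet3": "10.0.3.10",
}
# Aliases set with the ISE CLI 'ip host <ip> <hostname>' command (assumed values).
IP_HOST_ALIASES = {"10.0.1.10": "guest.example.com"}
PORTAL_CERT = {                              # parsed subject fields, constructed
    "cn": "ise-psn1.example.com",
    "dns_sans": ["ise-psn1.example.com", "*.example.com"],
    "ip_sans": [],
}


def predict_redirect_host(portal_interfaces, aliases=IP_HOST_ALIASES):
    """Behaviour described in the accepted answer: the first portal-enabled
    interface wins; GE0 yields the node FQDN, any other interface yields its
    IP unless an 'ip host' alias exists for that IP."""
    first = next((i for i in INTERFACES if i in portal_interfaces), None)
    if first is None:
        raise ValueError("portal has no enabled interface")
    if first == "GigabitEthernet0":
        return NODE_FQDN
    ip = INTERFACES[first]
    return aliases.get(ip, ip)


def redirect_url_host(url):
    """Host component of a redirect URL, whether 'ip:port' or FQDN form."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in redirect URL: {url!r}")
    return host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125 style comparison: case-insensitive, a wildcard is only valid as
    the entire leftmost label and may not stand in for the registrable domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert, host):
    """Return (ok, reason).  An IP literal in the URL is only satisfied by an IP
    SAN; a DNS host is checked against DNS SANs, falling back to the CN only
    when the certificate carries no SAN extension at all."""
    dns_sans, ip_sans = cert.get("dns_sans", []), cert.get("ip_sans", [])
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(s) == wanted for s in ip_sans):
            return True, f"{host} present as IP SAN"
        return False, f"{host} is an IP literal with no matching IP SAN (browser warning)"
    if any(dns_name_matches(p, host) for p in dns_sans):
        return True, f"{host} matched a DNS SAN"
    if not dns_sans and not ip_sans and dns_name_matches(cert.get("cn", ""), host):
        return True, f"{host} matched CN only (no SAN extension; current browsers reject this)"
    return False, f"{host} not covered by any DNS SAN or the CN (browser warning)"


def audit_portal(portal_interfaces, cert, aliases=IP_HOST_ALIASES, port=8443):
    """Predict the redirect host for a portal and check the certificate against it."""
    host = predict_redirect_host(portal_interfaces, aliases)
    url = f"https://{host}:{port}/portal/"      # path is a placeholder, not ISE's
    ok, reason = cert_covers_host(cert, redirect_url_host(url))
    return {"redirect_host": host, "url": url, "cert_ok": ok, "reason": reason}


if __name__ == "__main__":
    # GE0 enabled: redirect uses the node FQDN, which the certificate covers.
    print(audit_portal({"GigabitEthernet0", "GigabitEthernet1"}, PORTAL_CERT))
    # Only GE1 enabled, alias set: redirect uses guest.example.com (wildcard SAN).
    print(audit_portal({"GigabitEthernet1"}, PORTAL_CERT))
    # Only GE2 enabled, no alias: redirect carries the raw IP, no IP SAN -> warning.
    print(audit_portal({"GigabitEthernet2"}, PORTAL_CERT))
```

The third case is the one the thread warns about: an interface without an 'ip host' alias produces an IP-based redirect, and the certificate then needs that IP as a SAN or the client sees a trust warning. Adding the alias (second case) moves the check onto the DNS SANs, where a wildcard or exact name can satisfy it.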