ISE CWA pre-authentication and post-authentication and Umbrella DNS

drivera_ (Level 1)
Hello, guys

Right now I'm having an issue with a customer. He wants to point his DNS to Umbrella, but on a guest wireless network. It sounds easy to do, but the difficult situation I found is that the customer has to point to an internal server because of the internal CA when pre-authentication occurs, and point to the Umbrella DNS when authentication succeeds. Because of this, we thought that changing the VLAN at post-authentication was a good idea, but we found that only Windows machines behave well. It was not the same situation for Android and iOS. We considered deploying the Umbrella virtual machine to do this, but he has a license that does not support the Umbrella VM.

I will appreciate any help you can give me. Thank you in advance.


9 Replies

Jason Kunst (Cisco Employee)

Sounds just like this issue. Nothing to do with an internal CA; it's that your ISE needs to resolve using internal DNS, as it's an internal service.

https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-dns/td-p/3734037

Hi, Jason

Thank you for the answer. I had seen that post before, but I'm a little confused because I'm not sure if it is the same issue I'm having, because our pre-authentication portal is inside the customer network (obviously), and what we need is that once post-authentication occurs, an endpoint has Umbrella for content filtering. I hope you can understand me.

 

You need to have Umbrella apply DNS on pre- and post-authentication; it would need to resolve your internal service. You can't switch VLANs. Seems to me to be the same thing. Did you check with Umbrella?

Hi,
Why not build a Linux server to act as a DNS server for the guest network, and configure it to resolve only the ISE portal DNS names locally, with a forwarder to Umbrella for all other DNS requests? Alternatively, if you had an ISR4K router as the default gateway, it can transparently intercept DNS requests and forward them to the Umbrella cloud.

HTH
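The split-resolution server suggested in the reply above, written out as an Unbound configuration. This is an added example, not configuration from the thread or from Cisco: the guest subnet (10.10.20.0/24), the ISE guest portal FQDN (guest.example.internal) and the ISE PSN address it maps to (10.10.10.5) are placeholders for the customer's own values; 208.67.222.222 and 208.67.220.220 are the public Umbrella resolvers. Everything not covered by the local zone is forwarded to Umbrella, so the endpoint keeps the same resolver before and after CWA and no VLAN change is needed.

```conf
# /etc/unbound/unbound.conf  (added example; placeholder names and addresses)
server:
    interface: 0.0.0.0
    port: 53

    # Only the guest VLAN may query this resolver (assumed guest subnet).
    access-control: 10.10.20.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Answer the ISE guest-portal name from local data so the CWA redirect
    # URL resolves before the client is authenticated (hypothetical FQDN/IP).
    # "static" means names under this zone come only from local-data;
    # anything else in the zone returns NXDOMAIN instead of being forwarded.
    local-zone: "guest.example.internal." static
    local-data: "guest.example.internal. 300 IN A 10.10.10.5"

    # Basic hardening for a resolver that fronts untrusted guest clients.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    qname-minimisation: yes
    cache-min-ttl: 0
    do-not-query-localhost: yes

# Every query not answered above goes to Umbrella, pre- and post-auth alike.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
```

Point the guest DHCP scope's DNS option at this box and verify from a guest client with `dig @<resolver-ip> guest.example.internal` (expect the local A record) and `dig @<resolver-ip> example.com` (expect an answer relayed from Umbrella). Since Umbrella identifies a network by its egress public IP, the guest segment's NAT address must be registered as a network identity in the Umbrella dashboard or the forwarded queries will not receive the customer's policy.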

Hi, guys

The thing is that when doing the pre-authentication, we have to resolve the web auth URL from inside, because there is no public DNS record for that URL, and the customer does not want to present the web auth with the IP address; instead, he wants the URL to be resolved by DNS. And when doing the post-authentication, it is necessary to get the Umbrella DNS IP addresses. We don't know how to do it. I hope you guys can understand me.

You can't switch DNS servers. This would require a change of VLAN, which is not recommended, as there is no mechanism for the client to change its IP without using dot1x.

Again, as suggested before, you will need to set up DNS to resolve ISE and also proxy to Umbrella, or Umbrella to resolve your internal ISE name.

Have you reached out to them for a solution?

Hi Jason,

Thank you for your answer again. Where can I configure that proxy? Does this configuration need to be made on the L3 router or on the DNS server? I think you are telling me to do something like this, aren't you? https://www.juniper.net/documentation/en_US/junos/topics/concept/dns-proxy-overview.html
Sorry this is not a DNS forum. You would need to discuss overall architecture with umbrella folks.

Hi Jason,

I know this is not a DNS forum, but as we all know, DNS is a very important topic in Umbrella. It's OK if you don't have the answer or if you don't want to waste your precious time here, but I think there are better ways to respond. Thank you again.
