I try to configure a redundant guest access with 2 ISE and 2 guest anchors. ISE Management and the sponsor portal are connected to eth0 (gig0) with hostname ise1.mydomain.com (ise2.mydomain.com for 2nd ISE). Eth0 is reachable from the company network. The web authentication, where guests must enter their login credentials, is only reachable via eth1 (gig1) with hostname ise1-pub.mydomain.com (ise2-pub.mydomain.com for 2nd ISE).
The main problem is that ISE always redirects to ise1.mydomain.com, which is on eth0 and therefore not reachable for wireless guests. I can configure a static hostname for redirection (which is cluster wide), but then I have no redundancy (there is no balancer reachable). So ISE must choose the correct hostname for the redirection URL depending on the ISE that authenticates the guest.
I tried to define an alias for both ISE on CLI:
ip host 10.1.1.1 ise1-pub ise1-pub.mydomain.com on primary ISE and
ip host 10.1.1.2 ise2-pub ise2-pub.mydomain.com on secondary ISE
and deleted the static ip/host entry in my authorization profile. But ISE always redirects to ise1.mydomain.com (or ise2.mydomain.com). My understanding was that if I configure an alias, ISE will redirect to the alias IP.
ISE is version 1.2.1 Patch 4
Guest Anchors are 5760 with 3.6.1
Instead of having just one authz rule for the cwa redirect as normal, you can create one for each of the servers (still configured on the primary of course).
What you do is create one rule where your authz profile has the static host redirect set to ise1-pub.mydomain.com and the condition : server : ise1
Then create a copy of that rule, where you redirect to ise2-pub.mydomain.com, and use the condition server : ise2
This will redirect to different names, depending on which of the ise servers the radius request was received by.
I attached a screenshot of the rules.
Great idea, thanks. But one question about the authz rule:
In your screenshot you configured "Network Access: ISE Host Name". I am not sure, but I think this must be something like "Radius:NAS-IP-Address", or not? Depending on the wireless controller (from where the radius request comes) ISE decides to which guest portal we redirect.
Best regards, Andreas
No, the WLC is not involved in that. What you want is to decide what url redirect to send to your clients, based on which ISE server received the request.
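As an added illustration (not code from this thread or from Cisco ISE), a constructed Python model of the two-rule approach described above: the redirect host is selected from the hostname of the ISE node that received the RADIUS request, and the WLC's NAS-IP-Address plays no part. The attribute keys, the rule list and the URL shape are assumptions.

```python
# Constructed model of the two-rule CWA redirect selection from the thread.
# This is NOT ISE's policy engine; it only shows which attribute the rule
# condition keys on (ISE Host Name) and which it ignores (NAS-IP-Address).
from urllib.parse import urlparse

# Hypothetical rule list in evaluation order, mirroring the two authz rules:
# condition "Network Access: ISE Host Name == ise1" -> redirect ise1-pub, etc.
RULES = [
    {"ise_host_name": "ise1", "redirect_host": "ise1-pub.mydomain.com"},
    {"ise_host_name": "ise2", "redirect_host": "ise2-pub.mydomain.com"},
]


def select_redirect_host(request):
    """Return the redirect host of the first rule whose condition matches.

    `request` carries the two attributes discussed in the thread: the
    hostname of the ISE node that received the RADIUS request and the
    NAS-IP-Address of the controller that sent it (assumed keys).
    """
    for rule in RULES:
        if request["ise_host_name"] == rule["ise_host_name"]:
            return rule["redirect_host"]
    # No per-node rule matched: nothing node-specific to redirect to.
    return None


def build_redirect_url(request, session_id):
    """Assemble a CWA-style redirect URL (constructed shape, not ISE's exact path)."""
    host = select_redirect_host(request)
    if host is None:
        return None
    return f"https://{host}:8443/guestportal?sessionId={session_id}&action=cwa"


def redirect_reachable_by_guests(url):
    """Operator check for the failure mode in the thread: the redirect must
    point at a -pub (gig1) hostname, not the gig0 management hostname."""
    hostname = urlparse(url).hostname or ""
    return hostname.endswith("-pub.mydomain.com")
```

The check in `redirect_reachable_by_guests` is the one to run against a captured redirect URL when a guest reports the portal as unreachable.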
Oops! I corrected my post yesterday. No idea why it wasn't saved. You're right :-)
ATM I am hanging on the redirect ACL on the WLC. Have to check how the ACL should look on both anchors.
This is a great idea, thanks for the tip. I was just trying to figure out how to solve this when guest cwa is required to run on the secondary interfaces.
This should work anyway.
From my perspective it looks like the guest portal is/was not enabled for the gig1 interfaces in the environment of Andreas.