ISE guest authentication portal behind reverse proxy

ZbigniewJ
Level 1

Hello to everyone.

I'm struggling with some problem:
Some time ago I deployed Cisco ISE mainly as a method for authenticating company guest computers, so ISE was placed in an isolated DMZ, behind a firewall. Requirements changed and now I have to authenticate a significant number of LAN clients.
I don't want to pass all this RADIUS traffic through the firewall, and I was going to move ISE from the DMZ to the LAN, keeping the service as reliable as possible and independent from firewall utilization.

But at the same time I still need to authenticate those guest clients. I don't want to poke a hole through the firewall from the DMZ directly to the LAN, so I decided to use a reverse proxy instead (yeah, I know it's security through obscurity), but a problem arose:

When I get redirected by the WLC to the ISE logon page (behind the reverse proxy) I get an error page from ISE:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

My guess is that when the client first gets redirected, ISE creates a kind of session token associated with the client's IP address, but when the client connects through the proxy to the ISE logon page its IP changes, and ISE doesn't find a session matching this IP.

Does any of you have ISE guest access working in similar scenario? Any suggestions how to solve this problem?

ISE 3.1
WLC  AIR-CT2504-K9, SW 8.0.133.0

4 Replies

mile.ljepojevic
Level 1

Hi,

I assume you are using ISE 1.3 since latest ISE version is 2.2 :)

But, on another note, the ISE guest page works fine when routers are behind the firewall and NAT-ed, or behind load-balancers, so it should be workable behind a reverse proxy as well (I am saying 'should' because I never deployed it that way...).

One note: the URL that ISE uses for redirection (you can find it in the logs, as part of the authorization profile replied to the WLC) needs to be preserved in its entirety, because within that URL there is a session number (token) that keeps the correlation between the client using the web portal and the authentication session between the WLC and ISE...

URL should go something like https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa and it is very important that it's not altered by reverse proxy...

I'm using ISE 2.2. 3.1 is my Prime version - sorry :)

The URL you mentioned is not being changed in the process - I checked it. I'm aware of its importance. Still, something's wrong. Unfortunately I have limited debugging options, as something's wrong with my ISE's syslog. I have an open case with Cisco on that.

The last time I saw exactly the same error page was when the URL guestportal.mycompany.int was being faultily resolved by my DNS to the IPs of both of my ISE nodes, so sometimes a client redirected by the PSN was trying to connect to the secondary node, which didn't know a thing about its session.

However, I fixed this and it's not the issue in this case, but it could be some hint.
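The two checks suggested in this thread, written up as an added offline example that is not from the original posts or from Cisco: it compares the redirect URL from the authorization profile with the URL observed on the ISE side (sessionId and action=cwa must survive the proxy, as the reply above says) and flags a portal FQDN that resolves to more than one node (the DNS mishap described above). The hostnames, session IDs and addresses used are constructed; the resolver is injected so the check runs without DNS.

```python
"""Diagnostic checks for a CWA redirect published through a reverse proxy."""
from urllib.parse import urlsplit, parse_qs
from typing import Callable, List

# Query parameters the WLC/ISE session correlation depends on (from the
# redirect URL shape quoted in the thread: ...gateway?sessionId=...&action=cwa).
REQUIRED_PARAMS = ("sessionId", "action")


def check_redirect_preserved(original_url: str, observed_url: str) -> List[str]:
    """Compare the redirect URL ISE returned in the authorization profile
    (original_url) with the URL that actually reached ISE through the proxy
    (observed_url, e.g. taken from the proxy or ISE access log).
    Returns a list of differences; an empty list means the URL survived intact.
    Every component is compared, because the thread's advice is that the
    entire URL must not be altered by the reverse proxy."""
    orig, seen = urlsplit(original_url), urlsplit(observed_url)
    problems: List[str] = []
    for part in ("scheme", "netloc", "path"):
        if getattr(orig, part) != getattr(seen, part):
            problems.append(f"{part} changed: {getattr(orig, part)} -> {getattr(seen, part)}")
    oq = parse_qs(orig.query, keep_blank_values=True)
    sq = parse_qs(seen.query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        if name not in oq:
            problems.append(f"original redirect lacks {name}")
        elif oq[name] != sq.get(name):
            # Dropped, rewritten or re-encoded token: ISE cannot find the session.
            problems.append(f"{name} altered: {oq[name]} -> {sq.get(name)}")
    for name in sorted(set(oq) | set(sq)):
        if name not in REQUIRED_PARAMS and oq.get(name) != sq.get(name):
            problems.append(f"query parameter {name} differs")
    return problems


def portal_resolves_to_single_node(fqdn: str, resolver: Callable[[str], List[str]]) -> bool:
    """A portal name that resolves to both PSNs sends some clients to a node
    that has no record of their session. resolver(fqdn) -> list of addresses is
    injected (hypothetical helper); in production wrap socket.gethostbyname_ex."""
    return len(set(resolver(fqdn))) == 1
```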

Peter Koltl
Level 7

I suggest you connect one NIC to inside, another NIC to DMZ.

Good joke Peter ;)
