ISE Sending Hostname in CWA Redirect

MANSOORQ123
Level 1

Dear Support Team,

We have a setup in which wireless controllers are deployed in a Foreign & Anchor scenario (the Guest WLC, or Anchor, is deployed in the DMZ). The controllers are running 7.3 and the CWA config is done as per the standard TAC documents.

When the WLC redirects the session to ISE, the redirection URL contains the ISE hostname and looks something like this:

https://ise-ip-address:8443/guestportal/gateway........

We have set up guest access in such a way that the guest DHCP pool uses public DNS; we are not providing our internal DNS to the guest DHCP pool. Since public DNS does not have an entry for ise-ip-address, DNS resolution fails and CWA does not happen.

Is it possible for ISE to send its IP address in place of its hostname, for example:

https://10.15.24.20:8443/guestportal/gateway......

Any help will be highly appreciated.

Thanks

Ahad

10 Replies

Charlie Moreton
Cisco Employee

Ahad,

I think this will work for you:

Go to Policy > Policy Elements > Results, expand Authorization in the Left Menu.  Expand Authorization Profiles.  Click on the Authorization profile that you are using.  Scroll to Web Redirection (CWA, DRW, MDM, NSP, CPP) and place a check mark in the Static IP/Host name box.  Enter the IP address of the ISE.

Scroll to the bottom of the page and click Save

CWA_REDIRECT.GIF

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Hello Charles,

Thanks a lot for your response.

I am running Ver 1.1.4 and the authorization profile syntax is a little different. I could not find "Static IP/Host Name" in Common Tasks. I tried to pull it from Dictionaries, but could not find it there either.

For CWA we have 2 rules; please view the flow in sequence. The first wireless guest rule is for providing them access and the other is for redirection. The 2 authorization profiles used in these rules are also shown below.

Rules.png

Wireless-Guest-Author Condition.png

Guest-Traffic.png

CWA_Wireless.png

Thanks again for your time to look into the issue.

Ahad

Unfortunately what Charles described is only offered as a workaround in ISE 1.2. Is there any reason for you not to upgrade? 1.2 has a ton of other features and bug fixes.

Sent from Cisco Technical Support iPad App

Dear SAM,

One of the primary issues for not going to 1.2 is Inline Posture Node re-initialization. Is there any possible fix in 1.1.4 for the problem that I am encountering: "ISE sending hostname in Redirect Message and Guest Users (using public DNS) cannot resolve ISE hostname; as a result CWA is not happening."

Thanks

Ahad

There isn't a workaround for CWA without DNS in 1.1.x, unfortunately. If going to 1.2 currently isn't an option for you, you should consider having guests use a local DNS you manage.

Sent from Cisco Technical Support iPad App

One workaround that I have gotten to work in the past when using ASA firewalls is to create a static NAT entry and leverage DNS inspection to translate the private IP address for you. It is important to note that in this example the domain name that the ISE PSN is registered under is a publicly resolvable domain name for which you control the DNS entries.

In this example we will have a three-legged ASA: Inside, DMZ, and Outside.

The PSN's hostname is psn.example.com.

The PSN's private IP address is 10.1.1.100.

Steps:

Create a public DNS record for psn.example.com. As a best practice you should use an IP address that belongs to you and that is not part of RFC 1918, so that the public DNS servers do not reject the IP address for some other reason. In this example we will use 1.1.1.1.

Enable DNS inspection on the ASA.

Create a static NAT entry for 1.1.1.1 (outside) -> 10.1.1.100 (inside) and enable DNS translation.

Now when the CWA user connects and gets a public DNS server, it will query the public server for psn.example.com and the public DNS server will return 1.1.1.1. Because of the DNS inspection, the reply of 1.1.1.1 is replaced with the private IP address 10.1.1.100.

The end result is the DMZ host using a public DNS server to obtain a private IP address. If you have multiple PSNs you will need to create multiple DNS records and NAT entries.

You are welcome to try to use bogus RFC 1918 addresses, but the public DNS servers may have rules against doing so, which is why I recommend using the public IP addresses that you own. It is important to remember that even though you are creating inside-to-outside NAT entries for your ISE servers, because you haven't created any inbound ACLs they are not exposed to the Internet just because you created a NAT for them.

Here is a Cisco doc on how to do "DNS Doctoring":

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

I should note that I have tested this using 1.2 with the static hostname, but I have not tested it with 1.1.4; the underlying principles should be the same.
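The DNS inspection and static NAT steps from the post above, written out as an added example in ASA 8.3+ object NAT syntax; this is not configuration from the original poster. It assumes the post's values (psn.example.com, real address 10.1.1.100 on the inside interface, public record 1.1.1.1 on the outside interface) and an object name, ISE-PSN, chosen here.

```cisco
! Added example (ASA 8.3+ syntax), not the original poster's configuration.
! Assumed: PSN real address 10.1.1.100 on "inside", public A record 1.1.1.1
! on "outside", guest clients on "dmz" using an outside (public) resolver.
! The object name ISE-PSN is chosen for this example.

! 1. DNS inspection must be enabled so the ASA can rewrite A records in
!    replies. inspect dns is part of the default global policy; this is the
!    relevant portion of it.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! 2. Static NAT for the PSN with the "dns" keyword (DNS doctoring).
!    When a reply answering "psn.example.com A 1.1.1.1" arrives from outside
!    for a dmz guest, the ASA rewrites the answer to the real address
!    10.1.1.100 because 1.1.1.1 is the mapped address of this rule.
object network ISE-PSN
 host 10.1.1.100
 nat (inside,outside) static 1.1.1.1 dns
!
! No inbound access-list permits traffic to 1.1.1.1 on outside, so the NAT
! entry alone does not expose the PSN to the Internet; only DNS answers are
! rewritten. The dmz guest still needs a permitted path to 10.1.1.100:8443
! (dmz -> inside) for the CWA redirect itself to complete.
!
! Verification after applying:
!   show nat detail                    (rule present, translate_hits counting)
!   show service-policy inspect dns    (inspection active on the global policy)
```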

thejman85
Level 1

You don't actually need to use those checkboxes in order to send information back to switches/WLCs; they just provide a nicer way of doing so. Take note of the cisco-av-pair url-redirect and url-redirect-acl entries, uncheck the web authentication box and then use the Advanced Attribute Settings area to recreate them. Your url-redirect-acl entry will stay the same, but you can specify the URL to be the IP/port you are looking for without ISE doing the on-demand replacement. This should give you what you want without needing to upgrade to 1.2.

Dear Charles / SAM / Justin / Thejman85,

Many thanks for your active contribution and inputs. It seems that an upgrade to 1.2 is inevitable and should be carried out, as 1.1.4 has many other issues. If the upgrade to 1.2 resolves my issue, I will further update this post.

Thanks again

Ahad

mkdickinson
Level 1

Thanks for the input from this forum. Like others, I believe I will have to upgrade. I can get the IP address URL redirect to work by not checking Web Authentication and manually entering the Attribute Details, but when I do this I get "86017: Session cache entry missing" when trying to log in afterwards, and this is very close to the bug in 1.2.


CSCue46758

Session expired error occurs during guest authentication. Cisco ISE displays the following error message:

ISE: 86107- Session cache entry missing

For Central Web Authentication, when you configure an authorization profile and modify the cisco-av-pair (cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa), the user is redirected to the Web Authentication page, but the session expires after the user logs in.

Workaround: Do any one of the following:

  • Do not replace “ip” in the cisco-av-pair with a value.
  • Do not modify cisco-av-pair. Instead, configure the Web Authentication option under Common Tasks.