cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12569
Views
5
Helpful
9
Replies

Using ISE for guest access together with anchor controller WLC in DMZ

hammelfr
Level 1
Level 1

Hi there,

I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.

To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.

As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.

Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?

Thx

Frank

9 Replies 9

Scott Fella
Hall of Fame
Hall of Fame

Frank,

It's still best to keep the ISE internal and allow the ports required for ISE through the FW.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

I have the exact same question / scenario.

Can Scott, or someone please explain why it's a good idea to keep ISE in the internal networks, instead of DMZ?

If guests can interface directly w/ the ISE, wouldn't it be safer to place it in the DMZ?

thx

Shaoqin Li
Level 3
Level 3

as i know, if it is only psn, it would be okay in dmz.

if it is PAN, better put it inside.

Sent from Cisco Technical Support iPad App

I found a Cisco doc which seems to say that it is the Foreign controller which contacts ISE when Central Web Auth is configured with a guest Anchor.

Ref: "Only the foreign WLC contacts the ISE and redirection ACL must be present also on the foreign WLC"

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

I would appreciate any clarification on whether it is the Anchor or Foreign controller which contacts ISE.

Thanks.

Jacob Snyder
Level 5
Level 5

So i ran into a similar scenario on a recent deployment:

We had the following:

WLC-A on private network (Inside)

ISE Servers ISE01 and ISE02 (Inside)

WLC-B Anchor in DMZ for Guest traffic (DMZ)

ISE Server 3 (DMZ)

ISE01 and ISE02 are used for 802.1X for the private network WLAN.

Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).

The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.

So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.

In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

Jacob,

Question for you.  I have a customer with the same exact setup as you described above and I am facing complications using the ISE PSN in the DMZ.

Here is the setup we have:

WLC-A (internal)

ISEPSN1 (internal)

ISEPSN2 (internal)

WLC-B (DMZ) - Anchor Controller

ISEPSN3 (DMZ)

The WLC-A controller is setup to the AAA Authorization to ISEPSN1 and ISEPSN2 (for compliance reasons).  ISEPSN1, ISEPSN2 and ISEPSN3 all can communicate with each other and are sync'd correctly.

The CWA-REDIRECT ACL is setup on both WLC-A and WLC-B.

ISE is setup with a static guest portal so that after the guest connects and the Authorization Profile for the guest portal is pushed to the WLC, the guest redirect specifies them to go to the ISE node in the DMZ.

Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = CWA-REDIRECT
cisco-av-pair = url-redirect-acl=CWA-REDIRECT
cisco-av-pair = url-redirect=https://ISEPSN3.company.com:port/portal/gateway?sessionId=SessionIdValue&portal=70a10f32-9c57-11e6-bb3b-0050568972cb&daysToExpiry=value&action=cwa

When a user connects to the Guest SSID, the session is tunneled back to WLC-B as expected, however, as soon as the guest tries to open a browser to be directed to the Guest Portal, they receive this message:

[ 400 ] Bad Request
The request is invalid due to malformed syntax or invalid data.

Possible cause is unknown, invalid, or terminated RADIUS session ID. Please advise the System Admin to consult the logs and ensure that the RADIUS session was not generated by a different PSN or due to a deny access policy match.

If I remove the static URL from the Guest Portal Authorization profile, the redirect works fine (assuming I open port 8443 on the DMZ to allow the guest to talk to ISEPSN1/ISEPSN2).  The error above states that the session ID was likely generated by a different PSN and that seems why it's not working in the configuration. So my question is, is this not a supported configuration or do I have something not configured correctly?  Also, I have tried to statically assign the Guest Portal to the ISEPSN2 node and if ISEPSN1 does the Auth, then I get the same error message.  It only seems to work correctly if I let ISE dynamically put the PSN in the redirect.

Any advice would be greatly appreciated.

Thanks,

Alex

My question is why can't you use radius from wlc-A to ISE03? You poke holes to allow ISE03 to talk to the admin/mnt nodes. So why not to WLC-A for radius?

For another test, try letting the wlc use ise03 as the radius server and see if that also works.

What version of ISE are you running? I'm load-balancing PSNs in 2.1 and haven't run into that error. Are these in different node groups?

Jacob Snyder
Level 5
Level 5

Also, ISE03 was a PSN only an you have to allow it to talk to the other ISE nodes for replication etc.

As far as ISE communication goes

Radius is between foreign WLC and PSN only.
ACL needs define on both WLC, pushed by name in mobility session handoff between foreign and anchor WLC.
Web auth is between client and PSN only.
CoA is between PSN and foreign WLC.

Sent from Cisco Technical Support iPhone App

we have a 5508 in anchor- foreign controller setup, Anchor would be using its internal DHCP server to give out  ip address to the guests , do I need to add any specific rule in the ACL's or I just allow the DNS and ISE entries as described in this doc :

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.pdf

 

Anchor controllers is in DMZ and ISE is Internal .

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: