Lab Minutes Forum

Technical Discussion => Security => Topic started by: tomimma on May 13, 2015, 03:53:32 AM

Title: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on May 13, 2015, 03:53:32 AM
Hi Experts,

I would like to clarify which PSN node a guest portal page is associated with...
In this design, I will use an ISE 1.3 distributed deployment:
2 x PAN & MnT nodes (primary and backup) and 4 x PSN.
Of the total of 4 x PSN, two of them are located in the DMZ and the other two are in the internal network.
The reason these 2 sets are located in different LANs (DMZ and internal) is that when a guest user accesses the guest portal page, the 2 x PSN in the DMZ must be used for this guest portal page.
This is because of the security requirement: a guest session can never access the internal network.
The ISE 1.3 admin guide describes it as follows:
---------------------
Policy Services Node
You must run the end-user portals on a Policy Services node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If the Policy Service node is part of a node group, and the node fails, the other nodes detect the failure and reset any pending sessions.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html#concept_20666AC813854AB3B3DFF939495AFEB5
---------------------
So my understanding is that a guest portal is hosted on a PSN.

Now, when you configure a guest portal site via "Guest access" -> "Configure" -> "Guest portals" -> choose any default portal page, and make a copy,
I don't see any choice of which PSN will host this portal site.
(My test ISE deployment is still standalone.)
When the actual distributed deployment is configured, does it show a selection of PSNs?
If not, how does ISE know which PSN will be used for a specific portal page?

Thanks in advance!
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: MC on May 13, 2015, 09:18:56 PM
Which PSN guest users are redirected to depends on the RADIUS server config on the NAD. Since I don't think you mentioned whether this is for wired or wireless, I am just gonna cover both.
For wireless, you should have an anchor WLC in the DMZ right next to the PSNs, with the guest SSID RADIUS server pointing to those PSNs. Guest traffic should be dropped into the DMZ. You should also have a DNS server in the DMZ with A records of those PSNs for the URL redirect of the guest portal; otherwise you will need to allow DNS traffic back inside to hit the internal DNS servers.
For wired, unless you have a way to tunnel guest traffic to the DMZ (in which case the rest would be the same as wireless), and assuming you also want 802.1X for internal users, you can't really use the DMZ PSNs since the RADIUS servers are configured globally on the switch. Nor does it really matter, since guest user traffic will be dropped internally anyway; you might as well use the internal PSN pair.
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on May 15, 2015, 01:58:41 AM
Hi MC,

Thanks for your explanation. My situation is wireless guest access, which you mentioned exactly: an anchor WLC will be the NAD. And thanks for the DNS advice!
So, I understand that as long as the RADIUS IP in the WLC's WLAN config (WLANs -> SSID -> Security -> AAA servers) is pointing to those PSNs located in the DMZ, a guest portal page is hosted on these PSNs. Am I correct?
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: MC on May 15, 2015, 06:03:40 AM
Correct, but I am trying to remember if you need to configure the RADIUS server on the anchor WLC at all. You might only need to do that on the internal WLC. Try configuring it on the internal WLC first and see what happens, but you need to make sure it can talk to ISE in the DMZ. If it does not work, add the RADIUS server to the anchor server as well. Give it a try and please let us know how it goes.
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: sayre on May 15, 2015, 07:41:11 AM
I believe the CUWN CVD usually says to have similar config on internal and anchor controllers (L2/L3, AAA, etc.), with the exception being the interface the WLAN is mapped to. Having said that, I have a setup working perfectly with the AAA config only done on my guest anchor.

Best of luck with your deployment.
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on May 15, 2015, 07:48:59 AM
Thanks MC and sayre,

Deployment schedule is still far, but I will definitely post the result!
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on June 08, 2015, 03:00:24 PM
Hi MC,

A quick update regarding a portal page provided by PSN in DMZ.
As you mentioned before:

" Guest traffic should be dropped into DMZ. You should also have a DNS server in DMZ with A record of those PSN for URL redirect of guest portal, otherwise you will need to allow DNS traffic back inside to hit internal DNS servers."

In fact, in my lab situation, the portal site (CWA, configured in the AuthZ profile) is redirected with an IP address. In your video, it is redirected with a host name, such as "lm-ise1.labminutes.com:8443/portal/...", but in my situation it starts with the IP address of the ISE node instead of the FQDN. Did I miss something here?
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: MC on June 09, 2015, 03:26:43 PM
The ISE PSN should automatically use its hostname in the redirect URL. Can you check and see what the redirect URL under the Auth Profile looks like and, if possible, compare it to the one in the video?
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on June 11, 2015, 09:02:11 AM
Hi MC,

In my AuthZ profile setting, it is shown as below:

"cisco-av-pair=url-redirect=https://ip:port/portal/gateway?sessionId=sessionIdV.....",
so it seems like CWA redirects to the portal page with an IP because of "ip:port"???
In the video (SEC0197), it also shows "ip:port"... Very strange that my case doesn't show the FQDN on the portal.
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: MC on June 16, 2015, 08:54:58 PM
Just to confirm, you are using the Gi0 interface on ISE, correct?
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on June 17, 2015, 12:17:42 AM
Hi MC,

Actually, it is using Gig1, since I wanted to have a dedicated interface for guest access.
Is this the issue?

Thanks
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: MC on June 19, 2015, 09:56:22 PM
I believe that is the expected behavior. Didn't you say that you have 2 nodes dedicated in the DMZ for guests? If so, is there any reason why you can't use Gi0? Try to switch over to Gi0 and see if it works, and we can determine the next step.
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: tomimma on July 01, 2015, 01:03:19 PM
Hi MC,

Your advice solved the puzzle!!! G0 needs to be enabled.

Sorry that I didn't explain in detail, but somehow the requirement is to use admin & management access from G0 and guest access from G1 in order to isolate guest access.

In this situation, I need to enable both G0 and G1.
Enabling only G1 results in an "IP address" in the CWA URL. On the other hand, enabling only G0 results in a host name (FQDN), but the browser shows an error page, since this guest WiFi LAN is only able to access the G1 interface by FW policy...

The solution was also provided by your previous comment!!!
Configure an A record for the PSN(s) in a DNS server for WiFi guests (that is, the FQDN mapped to the G1 IP address).
Since these WiFi guests refer to this DNS server (by DHCP or static),
the G1 IP address is correctly mapped to the FQDN of the ISE nodes.

I must say I am a newbie with ISE. But with your great videos and this forum, I am learning a lot and discovering the interest and power of ISE  ;D

Thank you!
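A small sanity check for the fix described in this post, written as an added example that is not from the thread or from Cisco: it parses a url-redirect av-pair of the shape quoted earlier, flags the IP-literal host seen when only G1 was enabled, and confirms that the guest-side DNS maps the PSN FQDN to the guest-facing G1 address rather than the firewalled G0 one. All hostnames and addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed values for this example (not from the thread): a hypothetical
# PSN FQDN, its guest-facing G1 address, its G0 admin address, and the A
# records that the guest WiFi DNS server hands out.
PSN_FQDN = "psn1.example.net"
G1_GUEST_IP = "192.0.2.10"
G0_ADMIN_IP = "198.51.100.10"
GUEST_DNS_A = {PSN_FQDN: G1_GUEST_IP}

AV_PAIR = re.compile(r"^cisco-av-pair=url-redirect=(?P<url>\S+)$")

def parse_redirect(av_pair):
    """Return (host, port, host_is_ip_literal) from a url-redirect av-pair."""
    m = AV_PAIR.match(av_pair.strip())
    if not m:
        raise ValueError("not a cisco-av-pair url-redirect attribute")
    parts = urlsplit(m.group("url"))
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("redirect must be an https URL with a host")
    try:
        ipaddress.ip_address(parts.hostname)
        literal = True
    except ValueError:
        literal = False
    return parts.hostname, parts.port, literal

def check_guest_redirect(av_pair, guest_dns_a, guest_facing_ip):
    """List the reasons a guest could not reach the portal; [] means OK."""
    host, _port, literal = parse_redirect(av_pair)
    problems = []
    if literal:
        # The symptom reported in the thread when only G1 was enabled.
        problems.append(f"redirect host {host} is an IP literal, not the PSN FQDN")
        return problems
    answer = guest_dns_a.get(host.lower())
    if answer is None:
        problems.append(f"guest DNS has no A record for {host}")
    elif answer != guest_facing_ip:
        # FQDN present but pointing at G0, which the guest firewall blocks.
        problems.append(f"{host} resolves to {answer}, not guest-facing {guest_facing_ip}")
    return problems

# Two constructed av-pairs: the broken (IP literal) and the fixed (FQDN) redirect.
BROKEN = f"cisco-av-pair=url-redirect=https://{G1_GUEST_IP}:8443/portal/gateway?sessionId=abc123"
FIXED = f"cisco-av-pair=url-redirect=https://{PSN_FQDN}:8443/portal/gateway?sessionId=abc123"

if __name__ == "__main__":
    for name, av in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_guest_redirect(av, GUEST_DNS_A, G1_GUEST_IP) or "OK")
```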
Title: Re: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN
Post by: MC on July 06, 2015, 12:51:41 PM
Glad to hear the problem is fixed. Certainly an insightful discussion, so hopefully others find this useful as well.