Lab Minutes Forum

Technical Discussion => Security => Topic started by: robalvarado on May 31, 2017, 12:30:33 PM

Title: New PSN spun up to drop guest wireless in DMZ
Post by: robalvarado on May 31, 2017, 12:30:33 PM
Hello guys,

I'm looking for help on solving an issue I'm having.  Full disclaimer: I have taken over our ISE environment and in short am the ISE Admin.  Also, the deployment happened prior to me joining my new company, so a lot of questions as to why this was deployed this way are basically pointless :)

So on to the discussion...  I have deployed a new PSN server in our DMZ environment so we can have guest wireless dropped in the DMZ, along with an anchor controller and DHCP server in the DMZ.  I have rules allowing the DMZ PSN server to talk to our internal DNS servers.

Prior to the DMZ PSN deployment we have two MNT nodes, two Admin nodes, and two PSN nodes, all of which are internal.  I'm using the same cert that the two internal PSN nodes are using; however, I'll want to change that because they have internal/private certs.  My idea is to use a public cert for the DMZ PSN and go from there, but I digress...

My issue is that when I connect to the test SSID on the anchor controller I'm being redirected to the primary internal PSN server rather than the external DMZ PSN server. I have modified the ACL on the anchor controller to redirect web auths to the external DMZ PSN server.  My symptoms are similar to the post by Tomimma, "ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN", but I'm still having no luck.  I will be engaging TAC, but I felt someone here might be able to solve my issue before it gets to TAC.

Much appreciated,
-Robert

P.S. This is a great learning resource site!  Thank you for all the help!
Title: Re: New PSN spun up to drop guest wireless in DMZ
Post by: MC on June 01, 2017, 10:30:46 PM
Hi Robert, on your guest SSID, what's the IP of the RADIUS server you have it pointing to? Please make sure it is pointing to the DMZ PSN only.
Title: Re: New PSN spun up to drop guest wireless in DMZ
Post by: robalvarado on June 14, 2017, 12:19:25 PM
So I finally figured out what was going on.  The Anchor and Internal controllers were rejecting the RADIUS key.  I deleted both the Anchor and Internal controller keys.  Then I deleted the NADs and re-added them.  It took me a while, but looking at the debugs sure helped :)

Thanks for the help guys!
Title: Re: New PSN spun up to drop guest wireless in DMZ
Post by: MC on June 15, 2017, 11:16:03 PM
Great.. Simple enough.. Glad it worked out and thanks for the update.  ;)