collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ISE 1.3: Guest Portal on distributed deployment. How can I choose a specific PSN  (Read 44021 times)

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Hi Experts,

I would like to clarity how a guest portal page is associated on which PSN node...
In this design, I will use ISE1.3 distributed deployment.
2 x PAN & Mnt nodes (Primary and backup) and 4 x PSN.
Form the total of 4 x PSN, two of them are located in DMZ and other two are in internal network.
The reason these 2 sets are located in different LAN (dmz and internal) is that when a guest user access the guest portal page, 2 x PSN in dmz must be used for this guest portal page.
This is because the security requirement. That is a guest session never can access internal network.
From ISE1.3 admin guide, it describes as follow:
---------------------
Policy Services Node
You must run the end-user portals on a Policy Services node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If the Policy Service node is part of a node group, and the node fails, the other nodes detect the failure and reset any pending sessions.

You are not allowed to view links. Register or Login
---------------------
So my understanding is that a guest portal is hosted on PSN.

Now, when you configure a guest portal site via "Guest access" -> "Configure" -> "Guest portals" -> choose any default portal page, and make a copy.
I don't see any choice which PSN will host this portal site.
(My test ISE deployment is still standalone)
When the actual distributed deployment is configured, does it show a selection of PSN?
If not, how does ISE know which PSN will be used for a specific portal page?

Thanks in advance!
 

« Last Edit: May 15, 2015, 07:49:33 AM by tomimma »

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Which PSN guest users are redirected to depends on the RADIUS server config on the NAD. Since I don't think you mentioned whether this is for wired or wireless, I am just gonna cover both.
For wireless, you should have an anchor WLC in the DMZ right next to the PSN with the guest SSID RADIUS server pointing to those PSN. Guest traffic should be dropped into DMZ. You should also have a DNS server in DMZ with A record of those PSN for URL redirect of guest portal, otherwise you will need to allow DNS traffic back inside to hit internal DNS servers.
For wired, unless you have a way to tunnel guest traffic to DMZ, in which case the rest would be the same as wireless, assuming you also want to for 802.1x for internal users, you can't really use the DMZ PSN since the RADIUS servers are configured globally on the switch nor that it really matter since guest user traffic will be dropped internally anyway, you might as well use the internal PSN pair.

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Hi MC,

Thanks for your explanation. My situation is wireless guest access which you exactly mentioned that an anchor WLC will be NAD. and Thanks for DNS advise!
So, I understand that as long as RADIUS IP on WLC's WLANs config (WLANs -> SSID -> Security -> AAA servers) is pointing to those PSN located in DMZ, a guest portal page is hosted on these PSN, Am I correct?

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Correct, but I am trying to remember if you need to configure RADIUS server on anchor WLC at all. You might only need to do that on the internal WLC. Try configuring it on internal WLC first and see what happen but you need to make sure it can talk to ISE in DMZ. If it does not work, add RADIUS server to anchor server as well. Give it a try and please let us know how it goes.

Offline sayre

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 1
  • Certification: N/A
I believe the CUWN CVD usually says have similar config on internal and anchor controllers (L2/L3, AAA, etc.) with the exception being interface the WLAN is mapped to. Having said that,I have a setup working perfectly with the AAA config only done on my guest anchor.

Best of luck with your deployment.

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Thanks MC and sayre,

Deployment schedule is still far, but I will definitely post the result!

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Hi MC,

A quick update regarding a portal page provided by PSN in DMZ.
As you mentioned before:

" Guest traffic should be dropped into DMZ. You should also have a DNS server in DMZ with A record of those PSN for URL redirect of guest portal, otherwise you will need to allow DNS traffic back inside to hit internal DNS servers."

↑In fact, in my lab situation, the portal site (CWA, configured in AuthZ profile) is redirected with IP address. From your video, it is redirected with host name, such as "lm-ise1.labminutes.com:8443/portal/...", but my situation is that it starts with IP address of ISE node instead of FQDN.  Did I miss something here?

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
ISE PSN should automatically use its hostname in the redirect URL. Can you check and see what the redirect URL under Auth Profile looks like and if possible compare to one on the video?

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Hi MC,

In my AuthZ-Profile setting, it is shown as below:

"cisco-av-pair=url-redirect=htps://ip:port/portal/gateway?sessionId=sessionIdV.....",
so, it seems like CWA redirect to portal page with IP? because of "ip:port"???
In the video (SEC0197), it also shows "ip:port"... Very strange that my case doesn't show FQDN... on the portal.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Just to confirm, you are using Gi0 interface on ISE, correct?

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Hi MC,

Actually, It is using Gig1, since I wanted to have a dedicated interface for guest access.
Is this the issue?

Thanks

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
I believe that it the expected behavior. Didn't you say that you have 2 nodes dedicated in DMZ for guest? If so, any reason why you can't use Gi0? Try to switch over to Gi0 and see if it works and we can determine the next step.

Offline tomimma

  • Cisco Newbie
  • *
  • Posts: 11
  • Reputation: 0
  • Certification: CCIE
Hi MC,

Your advise solved the puzzle!!! G0 needs to be enabled.

Sorry that I didn't explain in detail, but somehow the requirement is using admin & management access from G0 and guest access from G1 in order to isolate the access from a guest.

In this situation, I need to enable both G0 and G1.
Enabling only G1 results "IP address" in CWA URL. On the other hands, enabling only G0 results host name (FQDN), but the browser shows an error URL page, since this guest WiFi LAN is only able to access G1 interface by FW policy...

The solution is also provided by your previous comment!!!
Configuring A record of PSN(s) in a DNS server for WiFi guest. (that is FQDN mapped to G1 IP address).
Since these WiFi guests are referring to this DNS server (by DHCP or static),
IP address of G1 is correctly mapped to FQDN of ISE nodes.

I must say I am a newbie of ISE. But, with your great video and this forum, I am learning a lot and discovering interested and power of ISE  ;D

Thank you!





Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Glad to hear the problem is fixed. Certainly an insightful discussion so hopefully others find this useful as well

 

Related Topics

  Subject / Started by Replies Last post
3 Replies
61975 Views
Last post June 30, 2014, 11:06:30 PM
by MC
3 Replies
18716 Views
Last post October 30, 2014, 10:58:10 PM
by MC
2 Replies
62360 Views
Last post January 04, 2015, 11:27:06 AM
by maiquel
1 Replies
20838 Views
Last post June 13, 2016, 09:42:09 PM
by MC
1 Replies
53031 Views
Last post December 19, 2016, 09:32:23 PM
by MC

SimplePortal 2.3.7 © 2008-2024, SimplePortal