New Member

Guest portal in distributed setup

Hi All,

How do the guest portal or the sponsor portals work in a distributed environment where two or more PSNs are running individually? That is,

1. Does ISE redirect the user to the same guest portal URL <PSN1 FQDN>/guestportal or <PSN2 FQDN>/guestportal based on which PSN receives the request from a NAD?

2. How do we set up a generic URL for the guest so the users will not see the <PSN1 or 2 FQDN> and could see a URL like, for example, abc.com.us/guestportal regardless of which PSN serves the request?

Thanks

G

2 ACCEPTED SOLUTIONS

The generic option will not scale across multiple PSNs. I ran into this issue when 1.2 first came out because the session ID isn't replicated to all the PSNs. If you want to use a generic guest URL, your option would be to adjust the generic URL to guest1.domain.xxx and guest2.domain.xxx; you can then build separate authorization results for these static hostnames. In your authorization policy you will have to place a condition so that the correct generic URL is triggered based on which PSN received the initial MAB request.

I haven't had a chance to try node groups to see if that will work, but that requires the PSNs to be on the same L2 segment.

Tarik Admani *Please rate helpful posts*

I have had customers submit the multi-SAN CSRs, if that is your question, and it isn't a problem. When you create the CSR through ISE, make sure you follow the user guide and include the CN of the ISE node as a SAN also, or ISE will not accept the cert.
Tarik Admani *Please rate helpful posts*
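An added example, not code from the thread or from Cisco: ISE generates the CSR in its admin GUI, but building the same multi-SAN request with openssl shows what the CSR has to contain and gives you a check to run on the CSR file before it goes to the public CA. The node FQDN (the CN) is repeated as a DNS SAN, and the two static guest hostnames from the other accepted answer go into the same SAN list. All hostnames and the organization name are assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco ISE.
# Builds a multi-SAN CSR for one PSN with openssl and checks that the node's CN
# is also present as a DNS SAN, the condition the accepted answer says ISE
# enforces before it will accept the signed certificate.
# All hostnames below are assumed for illustration.
set -eu

WORK="$(mktemp -d)"
NODE_FQDN="ise-psn1.example.com"   # assumed PSN node FQDN, used as the CN
GUEST1="guest1.example.com"        # assumed static guest portal name for PSN1
GUEST2="guest2.example.com"        # assumed static guest portal name for PSN2

# make_csr OUTFILE CN SAN_HOST...
# The SAN list is taken literally, so the caller must repeat the CN in it.
make_csr() {
  out="$1"; cn="$2"; shift 2
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  cat > "$out.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = $cn
O = Example Org
[ ext ]
subjectAltName = $san
EOF
  # -nodes: unencrypted private key; stderr redirect hides key-generation progress
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
    -config "$out.cnf" -out "$out" 2>/dev/null
}

# csr_cn FILE: print the CN from the CSR subject
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_sans FILE: print the DNS SANs of the CSR, one per line
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_cn_in_san FILE: "ok" if the CN is also a DNS SAN, "missing-cn-san" otherwise
check_cn_in_san() {
  cn="$(csr_cn "$1")"
  if csr_sans "$1" | grep -qx "$cn"; then echo ok; else echo missing-cn-san; fi
}

# Build the CSR the way the accepted answer describes: CN plus every hostname
# guests will be redirected to, with the CN repeated as a SAN.
GOOD="$WORK/psn1.csr"
make_csr "$GOOD" "$NODE_FQDN" "$NODE_FQDN" "$GUEST1" "$GUEST2"
echo "$GOOD: $(check_cn_in_san "$GOOD")"
csr_sans "$GOOD"
```

Run it with sh; it prints the check result and the SAN list of the CSR it generated. The same `check_cn_in_san` is worth running against the CSR exported from the ISE GUI: a CSR whose SAN list carries only the guest hostnames and not the node FQDN will be rejected by ISE when the signed certificate is bound, so catch it before paying the CA for the certificate.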
7 REPLIES
Cisco Employee

Hi

FYI.

In Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. Each Cisco ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring. The Inline Posture node cannot assume any other persona, due to its specialized nature. The Inline Posture node must be a dedicated node.

Regarding generic URL configuration, please have a look at the following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#18995

New Member

Only the PSN node can host the Guest login portal. For example, if you have three PSN nodes, you will have three separate login portals on three separate PSN nodes, same database but different PSN nodes.

Q: "How do we set up a generic URL for the guest so the users will not see the <PSN1 or 2 FQDN> and could see a URL like, for example, abc.com.us/guestportal regardless of which PSN serves the request?"

A: Set up a load balancer to load-balance your PSN1 and PSN2, either active/standby or active/active configuration; it does not matter. Because the PSN nodes share the same database, it will work without any issues, provided that in your RADIUS configuration you list both PSN1 and PSN2; you should be fine.

New Member

Thanks. Can we do it without the load balancer option?

New Member

Hi Tarik, thanks for getting back. Agree with you. Have you tried using a well-known CA to sign the above URLs for this scenario? Thanks, G

New Member

Hi Tarik

If the requirement is to use a well-known CA-signed cert instead of the local CA, in this case do we have to sign the ISE CN URL plus all SAN URLs?

Thanks

G
