Cisco Support Community
New Member

ISE DNS Question For Guest Users

Before I ask the question, let me explain our environment.

We have an internal 5508 controller.  We also have a 5508 DMZ controller that acts as an anchor controller.  Guest traffic is piped to the DMZ controller which provides the DHCP address, and DNS server information.  The DNS that we provide is our ISP provider DNS server information, to our guest wireless users.  There's no need to provide them with our internal DNS server information, since they're only going to the internet.

Here's my dilemma. We are now implementing the ISE appliances so that we can better control our guest users. Currently, our guest SSID is wide open. With the ISE, we're going to initially only do self-registration for guest users. They will connect to our broadcasted SSID; when they connect to it, they will be presented with the guest portal. There will be a link that allows them to go to a self-registration page. The dilemma is that the ISE appliances are a part of our internal 10.x.x.x network. Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.

Would anyone have any suggestions on this?  I don't want to advertise our internal DNS servers to guest users.  Thanks for any help!

 

 

3 REPLIES
New Member

Internal 5508 controller..

Thanks for any help!

Cisco Employee

check

https://supportforums.cisco.com/discussion/11744496/pb-reach-ise-guest-portal-due-dns-constraints

https://supportforums.cisco.com/discussion/12024986/cisco-ise-guest-portal-dns-issue-external-zone

Cisco Employee

I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:

1. Take a physical port from your appliance and connect it to the DMZ

2. Give it an IP address that is resolvable from the public DNS server

3. Assign that physical port only to the guest HTTP service

 

On the other hand, you could also build a DNS server just for the guest users and stick in the DMZ :)

Not sure if this helps but just some food for thought.

 

Thank you for rating helpful posts! 
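
A check for the guest-side DNS view discussed in this thread, as an added example that is not part of any post and is not Cisco code: run from a client on the guest SSID, it confirms that the portal name resolves to a DMZ address and that internal names stay hidden from guests. The portal FQDN, DMZ subnet and internal host name are hypothetical placeholders; only the 10.x.x.x internal range comes from the question.

```python
import ipaddress
import socket

# Assumed values for illustration; replace with your own.
PORTAL_FQDN = "guest-portal.example.com"            # hypothetical portal name
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # hypothetical DMZ subnet
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # internal range from the post
INTERNAL_NAMES = ["ise01.corp.example.com"]         # hypothetical internal-only names


def system_resolve(name):
    """Resolve through the client's configured DNS (what a guest device uses)."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit_guest_dns(resolve, portal=PORTAL_FQDN, internal_names=INTERNAL_NAMES):
    """Return a list of findings; an empty list means the guest view looks right."""
    findings = []
    addrs = [ipaddress.ip_address(a) for a in resolve(portal)]
    if not addrs:
        findings.append(f"{portal}: does not resolve, redirect to portal will fail")
    for addr in addrs:
        if addr in INTERNAL_NET:
            # Portal reachable only by exposing an internal address to guests.
            findings.append(f"{portal}: resolves to internal address {addr}")
        elif addr not in DMZ_NET:
            findings.append(f"{portal}: {addr} is outside the DMZ subnet")
    for name in internal_names:
        # Any answer here means guest DNS is leaking internal records.
        for a in resolve(name):
            findings.append(f"{name}: internal name visible to guests ({a})")
    return findings


if __name__ == "__main__":
    for line in audit_guest_dns(system_resolve) or ["guest DNS view OK"]:
        print(line)
```

`audit_guest_dns` takes any resolver callable, so the same check can be pointed at a specific DNS server by passing a different function.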
