Before I ask the question, let me explain our environment.
We have an internal 5508 controller. We also have a 5508 DMZ controller that acts as an anchor controller. Guest traffic is piped to the DMZ controller, which provides the DHCP address and DNS server information. The DNS that we provide to our guest wireless users is our ISP provider's DNS server information. There's no need to provide them with our internal DNS server information, since they're only going to the internet.
Here's my dilemma. We are now implementing the ISE appliances so that we can better control our guest users. Currently, our guest SSID is wide open. With the ISE, we're going to initially only do self-registration for guest users. They will connect to our broadcasted SSID, and when they connect to it, they will be presented with the guest portal. There will be a link that allows them to go to a self-registration page. The dilemma is that the ISE appliances are a part of our internal 10.x.x.x network. Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.
Would anyone have any suggestions on this? I don't want to advertise our internal DNS servers to guest users. Thanks for any help!
I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:
1. Take a physical port from your appliance and connect it to the DMZ
2. Give it an IP address that is resolvable from the public DNS server
3. Assign that physical port only to the guest HTTP service
On the other hand, you could also build a DNS server just for the guest users and stick it in the DMZ :)
Not sure if this helps but just some food for thought.