BYOD with F5

servicesecurity
Level 1

Hi all,

I have an issue with BYOD dual SSID.

The user connects to the BYOD_REGISTER_SSID and is redirected to the ISE BYOD portal.

The ISE is behind F5 (the F5 receives the request from the user and sends the request to the ISE; the portal certificate sits on the F5).

I tried to run the "NetworkSetupAssistant", but it failed after a few seconds.

I checked with Wireshark, and I get an error about port 8905.

* When I connect to the BYOD_REGISTER_SSID I can telnet to the ISE server on port 8905.

I think the issue is with the F5.

Thanks,

Amit

1 Accepted Solution

The F5 certificate should not come into play here unless you are attempting to have F5 terminate SSL. In that case, there is a level of additional complexity to the F5 config. By default, the PSN will redirect the client to its own interface/IP, not the F5 interface/IP. The general recommendation is to allow this direct communication without F5 intervention. If you feel F5 must terminate the HTTPS session, then to ensure the HTTPS session hits the same PSN that terminated RADIUS, you must have either 1) an advanced iRule to stitch the HTTPS session to the RADIUS session or 2) a 1:1 mapping configured between VIP and PSN for redirected traffic.

2 Replies

hslai
Cisco Employee

I would suggest testing without F5 and seeing whether it is still not working. There is not much benefit to the portal certificate sitting on the F5, as ISE portals are all in HTTPS, such that Client browser <- (HTTPS) -> F5 <- (HTTPS) -> ISE web portals.

Since you got an error on TCP port 8905 in Wireshark, I would assume your ISE is ISE 2.1 or earlier. It's important to see what the exact errors in Wireshark are.

TCP port 8905 uses the ISE system certificate designated for "admin", so certain client OSes, such as Windows, would not like it if the common name (CN) or the subject alternative name (SAN) does not match the portal hostname portion of the URLs. Thus, you would need to ensure the admin system server certificate matches the portal hostname. ISE 2.2 has been enhanced to use the configured BYOD portal port instead of TCP 8905.

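The reply above points at a specific failure mode: the certificate served on TCP 8905 (the admin system certificate on ISE 2.1 and earlier) must carry the portal hostname in its SAN or CN, or Windows clients abort the connection. The following script is an added example, not code from the thread or from Cisco; it implements the name check the way modern clients evaluate it (SAN DNS entries decide when present, a SAN-less certificate falls back to CN, a wildcard covers exactly one left-most label) and can pull the live certificate from an ISE node. The hostnames and certificate dicts in it are constructed placeholders in the shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Check that the certificate an ISE node serves on a port (8905 here) matches
the portal hostname the client was redirected to.

Added example (not from the thread). Hostnames and the sample certificate
dicts are constructed placeholders in getpeercert() shape.
"""
from __future__ import annotations

import socket
import ssl

# Port the thread reports errors on; ISE 2.1 and earlier serve the "admin"
# system certificate here during BYOD onboarding.
ISE_LEGACY_BYOD_PORT = 8905


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the hostname.

    Case-insensitive; a single wildcard is honoured only as the whole
    left-most label ("*.example.internal"), and it must cover exactly one
    label, so it matches neither the bare parent domain nor deeper names.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        host_labels = hostname.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def cert_matches_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason) for a certificate in getpeercert() dict shape.

    If the certificate has DNS entries in subjectAltName, only those count
    (clients ignore the CN once a SAN is present). Only a SAN-less certificate
    falls back to the subject commonName.
    """
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        for name in san_dns:
            if _dns_name_match(name, hostname):
                return True, f"SAN DNS entry '{name}' matches {hostname}"
        return False, f"no SAN DNS entry in {san_dns} matches {hostname}"
    cn = next(
        (v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"),
        None,
    )
    if cn is None:
        return False, "certificate has neither SAN DNS entries nor a CN"
    if _dns_name_match(cn, hostname):
        return True, f"no SAN; CN '{cn}' matches {hostname}"
    return False, f"no SAN; CN '{cn}' does not match {hostname}"


def fetch_and_check(hostname: str, port: int = ISE_LEGACY_BYOD_PORT,
                    cafile: str | None = None, timeout: float = 5.0) -> tuple[bool, str]:
    """Connect to hostname:port, retrieve the served certificate and check it.

    Python only returns the decoded certificate dict when the chain verified,
    so for a private PKI pass the issuing CA bundle as cafile. Hostname
    checking in the TLS layer is switched off because the name check is done
    by cert_matches_hostname() above, which reports *why* it failed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_matches_hostname(cert, hostname)


# Constructed sample certificates (placeholder names), getpeercert() shape.
# An admin certificate issued for the node name only: the thread's scenario.
SAMPLE_ADMIN_CERT_CN_ONLY = {
    "subject": ((("commonName", "ise-admin.example.internal"),),),
}
# A certificate whose SAN covers the node name and any single-label portal host.
SAMPLE_PORTAL_CERT_WITH_SAN = {
    "subject": ((("commonName", "ise-psn1.example.internal"),),),
    "subjectAltName": (("DNS", "ise-psn1.example.internal"),
                       ("DNS", "*.byod.example.internal")),
}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for cert, host in ((SAMPLE_ADMIN_CERT_CN_ONLY, "ise-psn1.example.internal"),
                       (SAMPLE_PORTAL_CERT_WITH_SAN, "guest.byod.example.internal")):
        print(cert_matches_hostname(cert, host))
```

Run it against a real node with `fetch_and_check("ise-psn1.example.internal", cafile="/path/to/ca-bundle.pem")` from a client on the BYOD_REGISTER_SSID; a `(False, ...)` result on port 8905 with a reason naming the admin CN is the mismatch the reply describes, and the fix is on the ISE certificate, not on the F5.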
