Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2219
Views
2
Helpful
5
Replies

ISE Guest Portal over NAT

Go to solution
iurikura
Cisco Employee
Cisco Employee

‎08-31-2017 09:16 PM

Hi,

Does ISE support accessing guest portal/sponsor portals over NAT ?

If Yes, could you please let me know any other design concens?

Thank you,

Itaru

2 Accepted Solutions

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to paul

‎09-01-2017 01:25 PM

Paul is correct.  There is no "official" ISE document where we declare support for NAT, but I have been publishing this setup for a few years now and have yet to hear any reported issues.  A key requirement for multi-interface setup is to set the interface alias using the 'ip host' command and to configure multi-default routing on PSN.  This allows traffic received on a given interface to be sent back out the same interface.   If need more details, I cover this in hidden slides of reference presentation in BRKSEC-3699 (available on ciscolive.com). 

/Craig

View solution in original post

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to omadrile

‎11-05-2018 11:46 AM

There is no effort from a technical standpoint. Would recommend you reach out to the ISE product managers for support request if this is critical to you.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
paul
Level 10
Level 10

‎08-31-2017 09:22 PM

The guest portal is just an SSL call to a customer port (default is 8443).  There is no issue doing NAT in the path.  The source and destination can both be NATted.  The users's session information for the guest portal is contained as a variable in the URL the user gets redirected to.

It is very common to have completely isolated guest networks where we have to bring the guest portal traffic over the Internet to NAT IPs on the FW that get NATted to the PSNs.

Go to solution
Craig Hyps
Level 10
Level 10
In response to paul

‎09-01-2017 01:25 PM

Paul is correct.  There is no "official" ISE document where we declare support for NAT, but I have been publishing this setup for a few years now and have yet to hear any reported issues.  A key requirement for multi-interface setup is to set the interface alias using the 'ip host' command and to configure multi-default routing on PSN.  This allows traffic received on a given interface to be sent back out the same interface.   If need more details, I cover this in hidden slides of reference presentation in BRKSEC-3699 (available on ciscolive.com). 

/Craig

0 Helpful

Go to solution
iurikura
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎09-19-2017 12:42 AM

Thank you Paul, and Creig.

I understood.

Best regards,

Itaru

0 Helpful

Go to solution
omadrile
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎11-05-2018 05:59 AM

Hi Craig,

 

I know it's been some time from this post, but do we have any plans for Cisco TAC to officially support NAT configurations to access ISE Guest portals?

 

Thanks,

Oriol

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to omadrile

‎11-05-2018 11:46 AM

There is no effort from a technical standpoint. Would recommend you reach out to the ISE product managers for support request if this is critical to you.
0 Helpful
Customers Also Viewed These Support Documents