4256 Views · 6 Helpful · 2 Replies

Can we use different interface(non-management interface) on ISE for web-logon portal

lnorman (Cisco Employee)

Customer is now setting up ISE 2.2 for their environment (for dot1x / Webauth with switches). They are using a single IP address (management VLAN), which is not accessible from the user VLAN.

They would like to set up web-auth in their environment and want to know if they could use a different interface in ISE (in the user VLAN subnet) to terminate web-auth portal requests instead of using the management IP for web-auth.

I believe they could do the following steps. Can you please let me know if this will work?

1) Configure a different interface in the USER VLAN subnet

a. Gig0: Management VLAN

b. Gig1: USER VLAN

2) Configure Redirect

If MAB fails, ISE will send an access-accept with the following information to the NAD. Use the Gig1 IP / port number in this response:

https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&portal=<PortalID>&action=cwa.

Page 539/1236 of the admin guide: http://www1.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22.pdf

This MAB failure resolves to the restricted network profile and returns the url-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an authorization policy exists and features the appropriate wired or wireless MAB (under compound conditions) and, optionally, “Session:Posture Status=Unknown” conditions. The NAD uses this value to redirect all guest HTTPS traffic on the default port 8443 to the url-redirect value. The standard URL value in this case is: https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&portal=<PortalID>&action=cwa.

3) Configure the “allowed interfaces” in the “Portal settings” page to “Gig1”

From the admin guide it appears that we can set this up:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_011100.html

Accepted Solution

Jason Kunst (Cisco Employee)

Under portal settings for the guest (web auth) portal you simply change the port/interface that it's running on.

Check this out

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01110.html#ID1496

Step 5

Update the default values for ports, Ethernet interfaces, certificate group tags, endpoint identity groups, and so on in Portal Settings, and define behavior that applies to the overall portal.

This may be an interface sitting in your DMZ; the interface needs to be accessible to your guests or employees using web auth, it doesn't need to be in the same network.

You don't need to manually configure the redirect, it's automatic; you can check the wireless guest setup guide for the basics on how it works:

https://communities.cisco.com/docs/DOC-68169

Unless you have special configuration, you need static mapping

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html


2 Replies


You will also need to set up an alias (ip host) on the CLI so that the returned redirect sends the FQDN specific to the secondary interface. Certs will need to have the FQDN assigned to the interface in their SAN, else use a wildcard if sharing certs across PSNs. You also need to configure default routing to ensure symmetric traffic flows.

I cover the use of secondary interfaces in the Cisco Live BRKSEC-3699 session (the reference presentation). You may want to look at the version from 2016, as I started to clean out some content in 2017.

Craig
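As an added example (not code from this thread, from Cisco or from ISE), a small Python checker for the points raised in the question's redirect step and in the reply above: that the url-redirect value the NAD receives names the secondary-interface FQDN and the portal port rather than the management IP, and that the portal certificate's SAN list (including a wildcard entry, when certs are shared across PSNs) actually covers that FQDN. Every hostname, address and port in it is a constructed placeholder.

```python
"""Constructed example: validate a CWA url-redirect and a portal cert's SAN coverage."""
from urllib.parse import urlparse, parse_qs

# Constructed placeholder values; substitute your own environment's.
PORTAL_FQDN = "guest.example.com"   # hypothetical 'ip host' alias for the Gig1 address
PORTAL_PORT = 8443                  # default guest portal port named in the admin guide
MGMT_IP = "10.0.0.10"               # hypothetical management (Gig0) address


def check_redirect(url, portal_fqdn=PORTAL_FQDN, portal_port=PORTAL_PORT, mgmt_ip=MGMT_IP):
    """Return a list of problems found in the url-redirect value (empty list = OK)."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append("redirect is not https")
    host = u.hostname or ""
    if host == mgmt_ip:
        # Clients in the user VLAN cannot reach this address, so the portal never loads.
        problems.append("redirect points at the management IP, not the portal interface")
    elif host != portal_fqdn:
        problems.append(f"redirect host {host!r} is not the portal FQDN {portal_fqdn!r}")
    if (u.port or 443) != portal_port:
        problems.append(f"redirect port {u.port} != portal port {portal_port}")
    q = parse_qs(u.query)
    for key in ("sessionId", "portal", "action"):
        if key not in q:
            problems.append(f"missing query parameter {key}")
    if q.get("action") != ["cwa"]:
        problems.append("action is not cwa")
    return problems


def san_matches(san_names, fqdn):
    """True if any SAN dNSName covers fqdn; a '*.' wildcard covers exactly one label."""
    fqdn = fqdn.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]:
                return True
    return False


if __name__ == "__main__":
    sample = f"https://{PORTAL_FQDN}:{PORTAL_PORT}/guestportal/gateway?sessionId=abc123&portal=p1&action=cwa"
    print(check_redirect(sample) or "redirect OK")
    print("SAN covers portal:", san_matches(["*.example.com"], PORTAL_FQDN))
```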
