8 Replies. Latest reply: Dec 7, 2017 11:29 AM by jakunst

One Click Approval - redundancy.

dazza_johnson

Hey guys, I have two ISE nodes in the DMZ hosting the guest portal for 'One Click Approval'. The dilemma I have is the 'Approve' (or 'Deny') URL as shown below. By default, this is the IP address of the ISE node which the guest used to create an account. Obviously, we do not want the cert error associated with an IP address in an HTTP URL.

 

I can set the URL using an FQDN in the Sponsor portal which I then assign to the guest portal. However, the issue here is that the FQDN is mapped to an IP address of, for example, DMZ ISE node 1. So what happens when the guest was actually using the guest portal on DMZ ISE node 2? Does ISE require that the approval URL hits the same ISE node as that which the guest created the account on or is it a viable scenario where the guest is created on ISE DMZ node 2, but the approval is sent to ISE DMZ node 1?

 

At this stage, I am thinking that the approval link must hit the same ISE node that the guest created the account on. My fix here is to create two guest portals and two sponsor portals. Guest portal 1 is mapped to sponsor portal 1 and Guest portal 2 is mapped to sponsor portal 2. Auths that hit ISE DMZ node 1 use guest portal 1 and auths that hit ISE DMZ node 2 use guest portal 2. Sponsor portal 1 uses an FQDN which maps to the IP address of ISE DMZ node 1 and sponsor portal 2 uses an FQDN which maps to the IP address of ISE DMZ node 2. This way, the Approve URL always hits the ISE node that the guest created an account on.

 

Can anyone comment on my ramblings here!?