Cisco ISE CWA with Meraki MR/MX - URL Redirect

Solved
jozef

Hello community,

I would like to implement Central Web Authentication with Meraki APs and an MX using Cisco ISE. Let's imagine I configure an open SSID with MAC-based access control and a splash page set to Cisco ISE Authentication.

(screenshots: mac.jpg, ise.jpg)

Then I install one PSN node in the DMZ with two interfaces, one for RADIUS traffic and one for the Guest Portal. Meraki APs communicate with the PSN in the DMZ via the RADIUS interface. Guests are tunneled to the MX appliance in the DMZ, where they are terminated in a dedicated VLAN and get an IP address. Afterwards they get access to the Internet via the WAN interface.

(screenshots: vpn.png, nat.png)

Now it is necessary to make sure that guests can reach the guest portal running on a separate interface of the PSN in the DMZ.

My questions:

Does the MX support DNS rewrite (doctoring)? When guests send a DNS lookup to a public DNS server and it replies with the public IP of the Guest Portal, can the MX rewrite the DNS reply and return the private IP of the Guest Portal to the guests?

Would it be possible to use the LAN interface and route HTTPS traffic (https://guestportal.company.com:8443/...) from the guests to the Guest Portal using a static route (orange line)?

If the MX does not support DNS rewrite and/or the LAN interface in combination with a static route cannot be used in this case, could the guests use the WAN interface, send the HTTPS traffic (https://guestportal.company.com:8443/...) to the Internet and then back into the DMZ via a different Internet connection (purple line)?

(diagram: Guest-URL-Redirect.png)

Thank you for any hints.

Regards,
Jozef

1 Accepted Solution
jozef

Thank you for your reply.

I have just found an easier option for doing it: LWA using ISE as the RADIUS server. The captive portal web page would still be served from the Cloud Management Platform as today and would be able to communicate with ISE in the DMZ across the Internet for credential validation. Guest credentials would be created via the Sponsor Portal on ISE, stored on ISE and sent to the guest user by email.
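In the accepted design the Meraki-hosted splash page acts as a RADIUS client and sends the guest's credentials to the ISE PSN in the DMZ across the Internet. The example below is added here to show what that exchange looks like on the wire; it is not code from the original thread, from Meraki or from Cisco ISE. It implements the RFC 2865 PAP User-Password obfuscation, a minimal Access-Request/Access-Accept round trip and the Response Authenticator check, with a constructed shared secret and guest account. The point a practitioner should take from it: PAP over RADIUS protects the password only with an MD5 keystream derived from the shared secret, and the reply is only trustworthy if the client recomputes the Response Authenticator.

```python
# Added example (not from the original thread or any vendor code): a minimal
# RFC 2865 PAP Access-Request / Access-Accept exchange, modelling what a
# cloud-hosted splash page (RADIUS client) sends to an ISE PSN (RADIUS server)
# in the LWA design above. The secret, user name and password are constructed.
import hashlib
import secrets
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the 16-octet
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    encryption: anyone holding the secret (or brute-forcing a weak one from a
    capture) recovers the password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt. Trailing NUL padding is stripped, so a password
    that itself ends in NUL bytes is not representable (same as the RFC)."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = bytearray(), authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: value}). Length and
    attribute bounds are checked rather than trusted, since the datagram
    arrives from the Internet."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_access_request(ident: int, secret: bytes, username: bytes,
                         password: bytes, authenticator: bytes = None) -> bytes:
    """Splash-page side: Access-Request carrying User-Name and PAP User-Password."""
    auth = authenticator or secrets.token_bytes(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, auth)))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def server_handle(request: bytes, secret: bytes, guest_db: dict) -> bytes:
    """ISE side: recover the PAP password, check it against the guest database,
    and answer with Access-Accept or Access-Reject whose Response Authenticator
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != CODE_ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("expected a PAP Access-Request")
    password = pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    expected = guest_db.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and secrets.compare_digest(password, expected)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator so a forged or
    replayed Accept from an on-path attacker is not trusted."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return secrets.compare_digest(expected, response[4:20])


def client_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """True for an authentic Access-Accept, False for an authentic Reject."""
    if not response_is_authentic(response, request, secret):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return response[0] == CODE_ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"example-long-random-shared-secret"        # constructed
    GUESTS = {b"guest@example.com": b"Sp0nsoredPw!"}     # constructed sponsor-created account
    req = build_access_request(42, SECRET, b"guest@example.com", b"Sp0nsoredPw!")
    resp = server_handle(req, SECRET, GUESTS)
    print("accepted:", client_verify_response(resp, req, SECRET))
```

Because the only thing standing between an Internet capture of this traffic and the guest password is the shared secret, a deployment like the one in the accepted solution should use a long random secret, restrict the RADIUS listener on the ISE interface to the source addresses the splash page actually uses, and prefer a transport-protected RADIUS variant where both ends support one.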

5 Replies
PhilipDAth

You are trying to apply a WLC design philosophy to Meraki, and it is going to cause you grief.

The MX does not support DNS rewrite.

On the whole you cannot do policy routing. However, as long as the traffic is going out a WAN interface, you can specify a flow preference like this:

(screenshot: Screenshot from 2018-03-29 20-15-15.png)

On the whole, I see no point in using Cisco ISE for guest portal processing. The built-in capabilities of Meraki kit are very powerful, and Cisco ISE does nothing but add additional complexity.

If you want to do things the easy way, configure the guest portal completely inside of Meraki; drop the guests into a VLAN (don't use the VPN option) and then transport that VLAN to the Internet.


PhilipDAth

Well done @jozef for figuring out that solution!

PhilipDAth

You know Meraki itself has a sponsored guest self-registration system built in?

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

It is like ISE, but simple to set up. You could have the entire thing configured and running before you have finished the current 13GB ISE download.

PhilipDAth

If you are super keen to keep using Cisco ISE, have a look at this guide:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Central_Web_Authentication_(CWA)_w...
