Resilient Netsight
Anonymous
11-28-2016 07:53 PM
Hi,
Have a scenario where I need a resilient NetSight, but not sure how best or even if this is the right course of action.
The scenario is that wireless external captive portal Guest Registration has been configured with sponsorship. There are resilient wireless controllers and NAC configured, one in each location.
The problem arises should NetSight go down: you lose the means to send the sponsorship email, which seems like a lot of effort for such a small thing, but it has the potential of grinding the whole process to a halt.
Believe it's the only thing that you would lose in this scenario that would stop this working?
So wondering if anyone knows what can be done about it?
Many thanks in advance.
9 REPLIES
Anonymous
12-06-2016 08:25 PM
Hi Ryan,
Thanks for posting. After a lot of thought here is my plan:
1. Configure DNS proxy on both the NACs.
2. Configure DHCP to issue two different DNS server IP addresses; these will in fact be the first NAC and the second NAC IPs.
3. When the PC first boots and connects to wireless, it will get an IP address and DNS settings as per above on the non-auth VLAN and resolve any web queries directly to the first NAC; this should return the NAC's own address and redirect to the portal.
4. If the first NAC goes down the PC will try its second DNS address, this resolves to the second NAC and follows the same process.
5. Once the PC is authenticated onto the network it will get its authenticated policy, which puts it onto another VLAN which has a scope that has the correct DNS in it, say 8.8.8.8.
This way I don't need a tertiary DNS address, internal load balancer or even worry about trying to get a DNS server to send two different IP addresses.
The other method is to use load balancers as per below, which I will probably not need on the internal side but will definitely need externally to redirect sponsor email. The plan is to use Kemp's free 20mb/s cloud service for this, see image below.
Once I get this set up, which might be a little way in the future, I'll post the results.
Thanks.
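A stdlib-only check for the DNS-proxy failover laid out in steps 1 to 4 of the plan above (and for the two-address resolution Ryan describes further down). This is an added example, not code from the thread or from Extreme: it hand-builds the DNS A query, parses the reply, and mimics a client that asks its DHCP-supplied DNS servers in order and falls through to the second only when the first stays silent. The NAC addresses and portal name a caller passes in are lab assumptions.

```python
import socket
import struct
# Added example, not code from the thread or the vendor; DNS messages are hand-built.

def build_a_query(name, txid=0x1234):
    """Minimal DNS A/IN query: 12-byte header with RD set, one question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def build_a_response(query, ipv4, ttl=60):
    """Answer `query` with one A record, as a NAC DNS proxy does with its own address."""
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + query[12:] + rr

def _skip_name(resp, pos):
    # Step over labels until the null terminator or a 0xC0 compression pointer.
    while resp[pos] and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    """Yield every IPv4 address in the answer section of a single-question reply."""
    an = struct.unpack(">H", resp[6:8])[0]
    pos = _skip_name(resp, 12) + 4              # past QNAME, QTYPE, QCLASS
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            yield socket.inet_ntoa(resp[pos:pos + 4])
        pos += rdlen

def udp_query(server, payload, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        try:
            return s.recv(512)
        except socket.timeout:
            return None                         # silent server: resolver moves on

def resolve_with_fallback(name, servers, query=udp_query):
    """Ask the DHCP-supplied servers in order; fall through only when one is silent."""
    payload = build_a_query(name)
    for server in servers:
        resp = query(server, payload)
        if resp is not None:
            return server, list(parse_a_records(resp))
    return None, []
```

Run `resolve_with_fallback("<portal name>", ["<nac1>", "<nac2>"])` from a client on the unauthenticated VLAN: a healthy setup returns the first NAC and its own address, and with the first NAC unreachable it should return the second NAC and that NAC's address.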
12-06-2016 05:37 PM
Hello Martin,
I had set this up and tested it about 2 years ago now, but if I remember correctly all I needed to do was configure the URL in the EWC for External mode to a name and then have that name resolvable to two different addresses in DNS.
If DNS returns two different addresses, generally clients will attempt the first, and if there is no response will then attempt the second. I was able to unplug the primary NAC and clients would still see the page, as they would attempt the 2nd resolved address.
Your scenario with using a primary, secondary, and tertiary DNS address would work as a redundant captive portal configuration when in DNS proxy configuration.
DNS proxy and External mode redirect on the EWC are two different redirect methods, you shouldn't have to use both at the same time.
Also, I know it's not possible to configure a 3rd DNS server on a Windows box; I'm not sure if you are able to configure a 3rd through DHCP services or not.
Thanks
-Ryan
Anonymous
11-30-2016 11:39 AM
So it just popped into my head that with regards to the wireless redirect I could possibly use NAC's DNS proxy facility instead!
If my understanding is correct, you would configure in the DHCP scope a primary, secondary and tertiary DNS address, with the primary address being the DNS server itself and the secondary and tertiary being the 2 NACs.
So when the end-system registers, access to the primary DNS server is blocked and the end-system sends its DNS request to the DNS proxy on the NAC, which then gives itself as the IP address.
If the first NAC goes down then the other NAC does the same and responds with its IP address?
Could anyone corroborate that this would work, or how I could (as explained above) get DNS to resolve the same name to 2 NAC addresses and choose one or the other if it's down and reliably work, i.e. DNS is not configured to round robin, thereby only working 50% of the time?
Many thanks in advance.
Anonymous
11-29-2016 12:51 PM
Thanks for posting again Ryan.
I'm interested in the DNS setup you mention but wondered how you may have set this up. As with a load balancer, you have a means of testing the availability of the service that is no longer available, and therefore can send requests to the other NAC when one of them is down.
With DNS I'm only aware of a round robin approach, but that would mean 50% of the time the wrong IP address would be handed out.
The only other option that I've been told about is the use of a DNS SRV record, which apparently hasn't been standardised properly yet, but would hand out a list of IP addresses for that one record with a priority order. Is this what you used?
Many thanks.