
TomF.32212 (Customer) asked a question.
- Change the NAT'd IP for the guest network to not match the internal network - This isn't always possible.
- Have the DNS on the guest network direct https://desktopsso/iwa to another web server that redirects to https://company.okta.com/login/default - needs split DNS and a web server to maintain
- Allow access from the guest network to the IWA server and add this change so they get a forms login page: https://support.okta.com/help/blogdetail?id=a67F0000000XZhfIAG - This is not always allowed by the network guys

Any update on this?
We received a "by design" response. Our solution was to add 2+ (5 is standard) static IPs to each of our circuits. Given we have 100+ circuits across the United States, it was a little bit of a project on the ISP side of things.
Once those IPs were issued and our main WAN1 IP was updated, we simply took a second public IP and NATed (through the Virtual IP Config) the Public traffic policy through it. That was the easy part.
Now, our LAN/Private wifi traffic NATs through 1 public IP that is on the Okta list and the Public traffic NATs through 1 IP that is NOT on the Okta list.
Hope this helps.
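The split described in this reply only works if the guest egress IP really falls outside the IWA network zone while the corporate egress IP falls inside it. The following checker is an added example, not code from the thread or from Okta: it takes a zone object in the shape returned by Okta's `GET /api/v1/zones` (CIDR and RANGE gateway entries; the zone name, id and addresses below are constructed sample values) and reports any egress IP that lands on the wrong side.

```python
import ipaddress
import json

# Constructed sample in the shape of an Okta IP network zone object
# (GET /api/v1/zones); the id, name and addresses are made up.
SAMPLE_ZONE_JSON = """
{
  "id": "nzoEXAMPLE0000000001",
  "name": "Corporate IWA egress",
  "type": "IP",
  "gateways": [
    {"type": "CIDR",  "value": "198.51.100.0/29"},
    {"type": "RANGE", "value": "203.0.113.10-203.0.113.14"}
  ]
}
"""

def zone_networks(zone):
    """Expand CIDR and RANGE gateway entries into ip_network objects."""
    nets = []
    for gw in zone.get("gateways", []):
        if gw["type"] == "CIDR":
            nets.append(ipaddress.ip_network(gw["value"], strict=False))
        elif gw["type"] == "RANGE":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in gw["value"].split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            raise ValueError(f"unknown gateway type {gw['type']!r}")
    return nets

def in_zone(zone, ip):
    """True if the address is covered by any gateway entry of the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zone_networks(zone))

def check_egress_split(zone, corporate_egress, guest_egress):
    """Return (ok, problems): ok only if every corporate NAT IP is inside the
    zone (so IWA triggers) and no guest NAT IP is (so guests get forms login)."""
    problems = []
    for ip in corporate_egress:
        if not in_zone(zone, ip):
            problems.append(f"corporate egress {ip} is NOT in zone {zone['name']!r}")
    for ip in guest_egress:
        if in_zone(zone, ip):
            problems.append(f"guest egress {ip} IS in zone {zone['name']!r}")
    return (not problems, problems)

if __name__ == "__main__":
    zone = json.loads(SAMPLE_ZONE_JSON)
    # Guest NAT still inside the /29: the situation this thread started from.
    ok, problems = check_egress_split(zone, ["198.51.100.2"], ["198.51.100.3"])
    print("OK" if ok else "\n".join(problems))
```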