topic Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue in Network Access Control

Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue

vialves — Mon, 11 Mar 2019 01:13:02 GMT

Hi everyone.

I'm seting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps in this Cisco page to get it working:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html

I'm only testing the wired environment right now.

I plug a PC to a port, and I try to get access to a randon internet page (for example www.cisco.com) . It is automatically redirected to authentication page. I type the username and password, but, when authentication passes, it goes automatically to https version of the page, which brings me to the problem. I have to add an exception (continue on this webpage option on IE) to that page in order to continue with the authentication and get the access to the internet. I'm attaching the steps I have to perform:

I think it is related to Certificate, but I'm not quite sure which or where. I'd like to have some advices from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https would be great.

Thanks a bunch for your help

Victor Alves

Urgent - NAC+ACS+Web-Auth in Wired environment - https redirecti

Nicolas Darchis — Mon, 11 Jul 2011 18:09:57 GMT

if you don't want an official cert you need to go for http only. But this means that people paswords will transit in clear on the network.

It's been long time since I tried this but isnt removing "ip http secure-server" doing the trick ?

Urgent - NAC+ACS+Web-Auth in Wired environment - https redirecti

vialves — Mon, 11 Jul 2011 18:20:24 GMT

You simply nailed it! Just removed ip http secure-server command and everything is working as a charm!!

Another question: To get it working with https, I should have a certificate to each access switch I have? A self signed certificate would work?

Thanks a lot for your help! A+++

Urgent - NAC+ACS+Web-Auth in Wired environment - https redirecti

Nicolas Darchis — Tue, 12 Jul 2011 06:08:50 GMT

You need a certificate that your client will trust.

Easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors so that's automatically trusted.

You could issue the certificate yourself also, for free :

-Self signed : the signing authority is the switch ... That means you need all your PCs to trust all your switches. Manual operation ...

-You create an enterprise CA and create a certificate for all your switches : you just need your clients to trust your enterprise CA so that's still a manual task but a simpler one.

When laptops are integrated in a domain, it's usually easier to create your CA on windows server and push the certificates to the clients automatically