topic ISE CWA with client proxy settings in Network Access Control

ISE CWA with client proxy settings

firestartest — Thu, 04 Oct 2018 06:29:35 GMT

If Windows clients use a statically configured proxy server in their browser for HTTP/HTTPS traffic is there anyway of still getting CWA to work without turning the client proxy off?

Re: ISE CWA with client proxy settings

Aravind Ravichandran — Thu, 04 Oct 2018 06:59:46 GMT

You can try bypassing the PSN FQDN/IP address in proxy.

Re: ISE CWA with client proxy settings

firestartest — Thu, 04 Oct 2018 08:55:41 GMT

Yeah I was thinking that and maybe getting clients to manually type in a URL of a site that is also bypassed to force the portal up.

Re: ISE CWA with client proxy settings

paul — Thu, 04 Oct 2018 11:22:43 GMT

Bypassing the PSN IPs in the proxy setting won't help with the actual redirect, but would help when they get the redirect. To actually get the redirect you would have to do as you suggested bypass a specific site and have the users go to that site. It could be any site that resolves. You could even use the fake site, enroll.cisco.com, which the posture module uses for discovery.

Re: ISE CWA with client proxy settings

howon — Mon, 08 Oct 2018 22:12:59 GMT

Best option is to exempt ISE PSN IP and hostnames from going through proxy and also add in following hosts to the proxy exemption list:

www.msftncsi.com (Microsoft)
www.msftconnecttest.com (Microsoft; Windows 10 Edge browser)
www.gstatic.com (Google)
captive.apple.com (Apple)
nmcheck.gnome.org (Linux)

Background: These are destinations for respective OS vendor to check on whether the network access has captive portal for hotspot or webauth enabled (AKA captive portal detection or captive portal assistant). By exempting these hosts from proxy, the traffic to these hosts can hit the redirect ACL and gets redirected to ISE portal page which lets the OS know that there is a captive portal to deal with prior to getting full Internet access. This allows the mini browser or task bar balloon to pop-up for the user to take action, which is better than forcing them to enter a URL manually in the browser. FYI, here are the actual URL for each vendor (May have been changed, since I collected them few years ago:

http://www.msftncsi.com/ncsi.txt (Microsoft)
http://www.msftconnecttest.com/redirect (Microsoft; Windows 10 Edge browser)
http://www.gstatic.com/generate_204 (Google)
http://captive.apple.com/hotspot-detect.html (Apple)
http://nmcheck.gnome.org/check_network_status.txt (Linux)