https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426842#M511604 <HTML><HEAD></HEAD><BODY><P>Thanks Matias, however I should have mentioned this is CWA on a switch wired network, not WLC.&nbsp; I have the following ip http and ACL configured:</P><P></P><P>ip http server</P><P>ip http secure-server</P><P>ip http secure-active-session-modules none</P><P>ip http active-session-modules none</P><P>ip access-list extended ACL_WEBAUTH_REDIRECT</P><P> permit tcp any any eq www</P><P> permit tcp any any eq 443</P><P> deny ip any any</P><P></P><P></P><P>-Tony</P></BODY></HTML> Wed, 14 Mar 2018 12:31:48 GMT tolarosa@cisco.com 2018-03-14T12:31:48Z https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426840#M511600 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P>I'm running into some issues with CWA URL Redirection to work with https sessions.&nbsp; We try to browse to a https websites (google, etc) and CWA URL Redirection doesn't work.&nbsp; Works great with http websites. Is there a workaround or a solution for this type of situation?&nbsp; </P><P></P><P>Thanks,</P><P>-Tony</P></BODY></HTML> Tue, 13 Mar 2018 18:55:37 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426840#M511600 tolarosa@cisco.com 2018-03-13T18:55:37Z https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426841#M511602 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 13.3333px;">Hi Tony. </SPAN><SPAN style="font-size: 13.3333px;">You have to enable it: </SPAN><SPAN style="font-size: 13.3333px;">"config network web-auth https-redirect enable"</SPAN></P><P><SPAN style="font-size: 13.3333px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333px;">In these links, you will find the full information.</SPAN></P><P></P><P><A href="https://supportforums.cisco.com/t5/wireless-mobility-documents/understanding-https-redirect-over-web-auth/ta-p/3143359" title="https://supportforums.cisco.com/t5/wireless-mobility-documents/understanding-https-redirect-over-web-auth/ta-p/3143359">Understanding HTTPS Redirect over Web-a... - Cisco Support Community</A></P><P><A href="https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118826-config-https-webauth-00.html" title="https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118826-config-https-webauth-00.html">Configure HTTPS Redirect over Web-auth - Cisco</A></P><P></P><P><SPAN style="font-size: 13.3333px;">I hope you find it useful.</SPAN></P><P><SPAN style="font-size: 13.3333px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333px;">Regards.-</SPAN></P></BODY></HTML> Tue, 13 Mar 2018 21:33:48 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426841#M511602 #Mat 2018-03-13T21:33:48Z https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426842#M511604 <HTML><HEAD></HEAD><BODY><P>Thanks Matias, however I should have mentioned this is CWA on a switch wired network, not WLC.&nbsp; I have the following ip http and ACL configured:</P><P></P><P>ip http server</P><P>ip http secure-server</P><P>ip http secure-active-session-modules none</P><P>ip http active-session-modules none</P><P>ip access-list extended ACL_WEBAUTH_REDIRECT</P><P> permit tcp any any eq www</P><P> permit tcp any any eq 443</P><P> deny ip any any</P><P></P><P></P><P>-Tony</P></BODY></HTML> Wed, 14 Mar 2018 12:31:48 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426842#M511604 tolarosa@cisco.com 2018-03-14T12:31:48Z https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426843#M511606 <HTML><HEAD></HEAD><BODY><P>Likely issue is that the client browser is not trusting the cert from switch.&nbsp; In the process of redirection, then switch must respond directly to the HTTPS request and attempt redirect.&nbsp; Since the certificate does not match expected for target site, such as Google.com, the browser will likely produce an error.&nbsp; Depending on browser version and config, it may simply allow you to continue, but as browsers lock down untrusted content, it may not allow user to proceed at all.&nbsp; Some mobile clients handle captive portals by sending out discovery packets on http to auto-open a mini-browser for auth.&nbsp; On wired, you will likely not see this yet.&nbsp; Although not ideal, one option is to have users set their home page to company's internal landing page, or to have guests/contractors open page to the internal company page.</P></BODY></HTML> Wed, 14 Mar 2018 13:15:42 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426843#M511606 Craig Hyps 2018-03-14T13:15:42Z https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426844#M511608 <HTML><HEAD></HEAD><BODY><P>If you are testing with Chrome going to Google your ACL probably wouldn't work as Chrome will default to using QUIC protocol (UDP/443) and your ACL doesn't intercept that and the switch would have no chance of redirecting a proprietary protocol.&nbsp; Do you have a DACL applied as well to block traffic? </P><P></P><P>I am assuming you have tried other SSL web sites in browsers other than Chrome and they don't redirect either.</P></BODY></HTML> Thu, 15 Mar 2018 13:43:10 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/m-p/3426844#M511608 paul 2018-03-15T13:43:10Z