topic Re: Sponsor Portal - HTTP to HTTPS Redirect in Network Access Control

Sponsor Portal - HTTP to HTTPS Redirect

Scott Gillies — Mon, 08 Jan 2018 17:06:38 GMT

Happy New Year.

Is it possible to configure ISE to redirect a HTTP request to the Sponsor Portal to the equivalent HTTPS?

I.E. if the sponsor types in the http address it gets redirected to the correct https address.

E.G. redirect http://sponsor.mycompany.com to https://sponsor.mycompany.com

Many thanks

Re: Sponsor Portal - HTTP to HTTPS Redirect

Jason Kunst — Mon, 08 Jan 2018 17:18:52 GMT

Have you setup the sponsor portal settings for the fqdn?

Does https://sponsor.domain.com work

I am pretty sure http would work if it’s setup

Re: Sponsor Portal - HTTP to HTTPS Redirect

Scott Gillies — Mon, 08 Jan 2018 18:03:09 GMT

Have you setup the sponsor portal settings for the fqdn? yes

Does https://sponsor.domain.com work? yes

HTTP is not setup but I have been told that you can setup the ISE to redirect an HTTP request to the equivalent HTTP. Would you know if this is correct? And how?

Re: Sponsor Portal - HTTP to HTTPS Redirect

Jason Kunst — Mon, 08 Jan 2018 18:26:06 GMT

Not sure what setup you’re referring to. It works just fine. There is no special setting needed. ISE does the redirect. I just tried it.

Are they perhaps blocking port 80 access to that IP?

Re: Sponsor Portal - HTTP to HTTPS Redirect

paul — Wed, 10 Jan 2018 22:39:25 GMT

You have a few challenges here. If your sponsor portal is running on a different cert than the admin cert you may have SSL issues if you start out https://sponsor.domain.com. That will go to the SSL cert used by admin, then get redirected to the FQDN you said. The connection to the admin cert may cause a SSL warning.

If you go to http://sponsor.domain.com you should get a clean redirection to the sponsor portal with no cert warning, except browsers like Chrome always go to SSL if they can and they will change to https://sponsor.domain.com even if you don't want it to.

Re: Sponsor Portal - HTTP to HTTPS Redirect

hslai — Wed, 10 Jan 2018 23:17:31 GMT

ISE 2.2 is enforcing HTTP Strict Transport Security so that the sponsors might get certificate warnings even with HTTP redirects. FYI.

Re: Sponsor Portal - HTTP to HTTPS Redirect

Scott Gillies — Thu, 11 Jan 2018 17:09:03 GMT

Thanks very much for your response. It has confirmed what I thought.

Is there any reason I should not tag the sponsor portal as "Admin" then?

Re: Sponsor Portal - HTTP to HTTPS Redirect

hslai — Thu, 11 Jan 2018 19:44:49 GMT

Some customers prefer separate certificates that are admin only from that are end-user facing.

Due to HTTP Strict Transport Security, if the deployment is ISE 2.2+, we need the cert used by admin able to match the sponsor portal FQDN so to be used by the sponsors with the friendly FQDN and without cert warning.