topic Re: ISE Guest CWA and HTTPS redirection in Network Access Control

ISE Guest CWA and HTTPS redirection

Ling Yang — Mon, 27 Mar 2017 09:58:23 GMT

Hi Experts,

Since WLC 8.0 it starts to support HTTPS redirection for CWA, post WLC v8.0 the HTTPS redirect is supported but there are concerns about WLC performance by handling large amount of SSL traffic. As a result , the ISE Guest CWA redirection function heavily now relies on initiating connections to HTTP URL. As more and more web sites are now HTTPS enabled what is the best practice to handle this design? do we have to pick between performance hit by enabling HTTPS redirection on WLC, or force guest to find a HTTP website?

Any guidance is much appreciated!

Ling Yang

Re: ISE Guest CWA and HTTPS redirection

Jason Kunst — Mon, 27 Mar 2017 20:23:01 GMT

Since ISE 2.2 we support Apple captive portal detection for guest, we should promote that instead so users aren’t forced to open up the browser on their own which might have HTTPS based home page.

ISE 2.2 Apple CNA (Captive Network Assistant) Mini-Browser for BYOD/Guest

For enabling

Configuration:

There is a special command on WLC – (WLC)>config network web-auth https-redirect enable

Supported from CUWN firmware version 8.0

You can enable via GUI by going to MANAGEMENT -> HTTP-HTTPS > HTTPS Redirection ‘Enabled’. I think there was a WLC version where the GUI didn’t configure it properly, but seems to have been fixed now.

Configure HTTPS Redirect over Web-auth - Cisco

HTTPS redirect is not a good idea

a) it is evil (you are attempting to hijack a secure connection)
b) it won't work (clients will block your evil hijack attempt)
c) it doesn't scale (generating a forged SSL hijack session for each port 443 connection from each client is a lot of processing requirement) CSCuu78888 Web GUI unresponsive after HTTPS-redirect enabled

d) certificate warnings

Here are couple decent write-ups on topic, as you can see its not just a Cisco issue:

http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

https://medium.com/@padam.singh/https-based-redirection-and-wi-fi-captive-portals-92cc98a22981

For employees using captive portal inside the organization, the one solution is to have them set their home page to the organization’s internal landing page.

For general guest users, many are built with captive portal detection and will trigger their own browser to avoid commercial browser with an https home page. Therefore, it is desirable to have portal bypass enabled to avoid such errors. Also see suggestion to actually block https in redirect state to deny access until CNA or other http request can trigger redirect.

Re: ISE Guest CWA and HTTPS redirection

murat001 — Mon, 11 Dec 2017 08:46:38 GMT

i have the same redirect problem on WLC 5700.

these command does not exist on 5700.

config network web-auth captive-bypass {enable | disable}

config network web-auth https-redirect enable

how can i do this cwa redirect apple device for 5700

Re: ISE Guest CWA and HTTPS redirection

Jason Kunst — Mon, 11 Dec 2017 13:33:44 GMT

I would suggest you query the wireless team for their command issues

Also we don’t recommend https redirection

Re: ISE Guest CWA and HTTPS redirection

Anton Kistruga — Thu, 21 Dec 2017 13:34:41 GMT

Hi!

There is no this command due to WLC 5760 has IOS XE Software, but not AirOS as on WLC 2504,5520, etc.

Try to enable https by command "ip http secure-server" in conf t.

Thank you!

Re: ISE Guest CWA and HTTPS redirection

fabianwickman — Thu, 13 Sep 2018 13:36:08 GMT

Hi,

We have a similar problem, but are not that worried about ssl-traffic handled by the wlc.

However since the wlc needs to establish a ssl-connection with the client to be able to redirect it to the ISE for login, we get a certificate error on clients not using the apple captive portal detection.

Since the client is sending a GET to, ex Cisco.com and the WLC:s certificate is not issued to cisco.com, you will get a certificate warning when opening your browser on the guest wifi - ie. ISE-CWA.

A workaround is disabling captive bypass, but what about non- apple clients?

Re: ISE Guest CWA and HTTPS redirection

Jason Kunst — Thu, 13 Sep 2018 15:42:09 GMT

I don't see any issues using a well known cert on ISE with the Apple Mini Browsers and redirect. Its not recommended to use https redirect because of these issues. https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-cwa-and-https-redirection/td-p/3583892

Re: ISE Guest CWA and HTTPS redirection

fabianwickman — Mon, 01 Oct 2018 07:46:08 GMT

We have a well known certificate(DigiCert) installed in our ISE-environment configured to be used as the web-auth certificate.

The issue we face in the central web auth is that it is the WLC that sends it's certificate to the client before the client hits the ISE-portal. The WLC has a self signed certificate which of course is not trusted by the client.

If you click "trust" on the wlc-certificate the client continues to the ISE-portal and gets the ISE-certificate.

So my question is, do you need a well known certificate on both the WLC and the ISE for cwa?

Re: ISE Guest CWA and HTTPS redirection

ognyan.totev — Mon, 01 Oct 2018 09:31:41 GMT

No , you need only on ISE Side

Re: ISE Guest CWA and HTTPS redirection

Filippo Zangheri — Thu, 13 Feb 2020 17:05:00 GMT

@fabianwickman wrote:
We have a well known certificate(DigiCert) installed in our ISE-environment configured to be used as the web-auth certificate.
The issue we face in the central web auth is that it is the WLC that sends it's certificate to the client before the client hits the ISE-portal. The WLC has a self signed certificate which of course is not trusted by the client.
If you click "trust" on the wlc-certificate the client continues to the ISE-portal and gets the ISE-certificate.

So my question is, do you need a well known certificate on both the WLC and the ISE for cwa?

Hi Stefan, hitting the very same issue here. Have you found a solution?

Re: ISE Guest CWA and HTTPS redirection

fabianwickman — Fri, 14 Feb 2020 08:45:16 GMT

Hi,

We found that disabling “captive bypass enable” solved the issue.
So that the client uses it’s built in function for detecting a web portal.
I don’t know why, but that solved the issue.