topic Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate) in Network Access Control

ISE Dot1x - Outlook Security Alert(Untrusted Server Certificate)

Anis Gharbi — Fri, 21 Feb 2020 18:38:31 GMT

Hello Everyone,

We are integrating Cisco ISE in new environment to use radius AAA Services (dot1x, MAB...).

When we connect a windows domain machine to the network on a dot1x port, an Outlook Security Alert "Untrusted Server Certificate" appears. We have looked at the certificate we found the Self Signed Certificate of the switch on which we are connected.

Here some screenshots of the certificate error

Can you help me to know the root cause of this security alert and why the outlook is showing the Self Signed Certificate of the switch ?

Thanks

Anis GHARBI

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

agrissimanis — Thu, 09 Nov 2017 10:27:54 GMT

This is probably because your endpoint is hitting Guest webauth redirection rule and confusing Outlook. What is the output of the show authentication sessions int <interface> detail when the issue happens? What are your port configs and ISE policies?

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

Anis Gharbi — Thu, 09 Nov 2017 10:34:33 GMT

Yes we have webauth redirection configured on the switch port to redirect guests to captive portal as a third auth method.

Here the port config:

interface FastEthernet0/8
description dot1X/mab test port
switchport mode access
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

Anis Gharbi — Thu, 09 Nov 2017 10:47:02 GMT

At the phase of 802.1x authentication and authorization the employees are redirected to the web posture portal to check the compliance. I think for that reason the there a redirection of the web traffic from Microsoft outlook to the Exchange server.

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

agrissimanis — Thu, 09 Nov 2017 10:55:30 GMT

Yes, posture redirect could cause the same issue. One way of fixing this would be to modify your redirection ACL to exclude Outlook traffic from being redirected, if acceptable.

Not related to this issue, but I would suggest not to use local webauth (that third option in "authentication priority dot1x mab webauth" command), that is the old way of doing things. If you can use central webauth.

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

brockpete — Mon, 22 Jan 2018 13:54:49 GMT

I'm having the same issue and I'm having difficulty finding a way to exclude Outlook traffic from redirection. It would be simple if the customer used an internal web server, however, this enterprise uses Microsoft Office 365 which can connect to a variety of online servers. The list of possible DNS resolution IPs is a mile long and continually changing. Any ideas?

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

konsecioner — Wed, 07 Mar 2018 18:53:05 GMT

Hello,

have you found a solution how to prevent outlook 365 traffic to be redirected to ISE?

thanks,

Neil

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

apatel2489 — Fri, 18 May 2018 14:45:59 GMT

HI Dear,

can you please let me know how to make changes on posture rule?

i am having same issue and tried to allow mailserver IP address on posture but still same issue

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

brockpete — Wed, 23 May 2018 12:52:35 GMT

Cisco does not have an answer to this particular issue when an organization uses Office 365 since external Microsoft IP addresses and URLs are constantly evolving.

The workaround that was decided on for the enterprise I am working on was to only redirect traffic to the portal when a user attempts to access an internal website. The redirect ACL only includes the internal website address range and the dynamic ACL from ISE blocks external traffic until authenticated. This will prevent the Outlook certificate issue from occurring. This is far from ideal, but Cisco has yet to provide any information on a permanent fix to this issue.

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

apatel2489 — Wed, 23 May 2018 14:05:14 GMT

Thanks for your reply

i dont have office 365. i do have exchange server on premises.

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

brockpete — Wed, 23 May 2018 14:09:08 GMT

Then your solution is much more simple. All you need to do is exclude your exchange server IPs from the redirect ACL and block the IP on the dynamic access list in ISE for the portal.

Re: ISE dotx1 - Outlook Security Alert(Untrusted Server Certificate)

apatel2489 — Wed, 23 May 2018 14:13:35 GMT

i do have ISE-Redirect ACL which is deny for bootpc , domain and ISE and allow for www and 443 then deny everything and i did allow exchange server on this list. the dynamic ip access list where i am confused.