https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155326#M562948 <P>Hi Rob,</P><P>&nbsp;</P><P>As per my previous post, we are experiencing the same issue as the link below albeit on the LAN rather than WLC.&nbsp;</P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840" target="_blank">https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840</A></P><P>&nbsp;</P><P>Any ideas/suggestions on how to resolve this so the user experience is smooth?&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 22 Sep 2020 14:31:57 GMT InfraISE2020 2020-09-22T14:31:57Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4154842#M562929 <P><SPAN>We've created a policy on ISE so that users connecting to the LAN on non-corporate devices are redirected to a portal where they can enter their active directory credentials and connect to the network on the VLANX. The CWA redirect policy works however the clients get a certificate error as the switch they are connected to is presenting them with a self-signed certificate rather than the certificate assigned to the "default portal certificate group". Our network support team have confirmed that http active session modules have been disabled on the switch using the commands below: ip http secure-active-session-modules none ip http active-session-modules none.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Has anyone come across this issue before and what did they do to resolve it? I've attached a copy of the initial DACL for reference.&nbsp;</SPAN></P> Mon, 21 Sep 2020 19:03:26 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4154842#M562929 InfraISE2020 2020-09-21T19:03:26Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4154890#M562930 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1008639">@InfraISE2020</a>&nbsp;</P> <P>HTTPS redirection is not recommended for production environments because of the following reasons:</P> <UL> <LI>&nbsp;<STRONG>Security concern</STRONG>-HTTPS redirection is intended to hijack a secure web connection initiated by an endpoint, which is not a good idea.</LI> <LI><STRONG>Failure to work</STRONG>-Most web browsers block intercepted HTTPS connections.</LI> <LI><STRONG>Certificate warnings</STRONG>-Even if web browsers allow access, there can be certificate warnings because the switch presents its own certificate for TLS handshake.</LI> <LI><STRONG>Scalability issues</STRONG>-Multiple HTTPS redirections can overload the switch CPU there by degrading the Switch performance</LI> </UL> <P><A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A></P> <P>&nbsp;</P> <P>If you don't use HTTPS redirect then you won't receive the certificate presented by the switch nor the error.</P> <P>&nbsp;</P> <P>HTH</P> Mon, 21 Sep 2020 20:44:44 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4154890#M562930 Rob Ingram 2020-09-21T20:44:44Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155147#M562940 <P>Hi Rob,</P><P>&nbsp;</P><P>Thanks for the quick reply.</P><P>&nbsp;</P><P>I'm a little confused as the only ports available on the portal configuration are for HTTPS (8000 - 8999).&nbsp;</P><P>&nbsp;</P><P>Are you saying that we can run&nbsp;<STRONG><SPAN class="keyword kwd">no&nbsp;ip&nbsp;</SPAN><SPAN class="keyword kwd">http&nbsp;s</SPAN></STRONG><SPAN class="keyword kwd"><STRONG>ecure-server</STRONG> on our switches and the URL redirect will still work?</SPAN></P><P>&nbsp;</P><P><SPAN class="keyword kwd">Thanks</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 22 Sep 2020 09:30:06 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155147#M562940 InfraISE2020 2020-09-22T09:30:06Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155156#M562941 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1008639">@InfraISE2020</a>&nbsp;</P> <P>The switch itself does not need to be listening on the port you are using in the ISE portals. You just need to enable http server, which will redirect tcp/80 traffic to the ISE portal. Yes, you can use that command to disable https, as long as "ip http server" is enabled.</P> <P>&nbsp;</P> <P>HTH</P> Tue, 22 Sep 2020 09:42:04 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155156#M562941 Rob Ingram 2020-09-22T09:42:04Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155212#M562945 <P>thanks Rob, the switch certificate error has now disappeared.</P><P>&nbsp;</P><P>The issue we now face is that users are only redirected to the portal if they browse to a http website, having an https website as their homepage and opening the browser doesn't automatically redirect them to the portal, any ideas?&nbsp;</P><P>&nbsp;</P> Tue, 22 Sep 2020 11:49:49 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155212#M562945 InfraISE2020 2020-09-22T11:49:49Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155326#M562948 <P>Hi Rob,</P><P>&nbsp;</P><P>As per my previous post, we are experiencing the same issue as the link below albeit on the LAN rather than WLC.&nbsp;</P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840" target="_blank">https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840</A></P><P>&nbsp;</P><P>Any ideas/suggestions on how to resolve this so the user experience is smooth?&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 22 Sep 2020 14:31:57 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155326#M562948 InfraISE2020 2020-09-22T14:31:57Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155632#M562968 <P>Please re-read Rob's original answer about Concerns, Warnings and Failures. Browsers won't do it.</P> Wed, 23 Sep 2020 04:28:04 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155632#M562968 thomas 2020-09-23T04:28:04Z https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155665#M562970 <P>Hi Thomas,</P><P>&nbsp;</P><P>I’m not sure robs reply answers my question re the browser redirection.</P><P>&nbsp;</P><P>If we disable HTTPS redirection on the switch, how do we get users to the portal page as ISE will only allow us to set the portal port to HTTPS? Currently the only way for users to reach it is to browse to a HTTP webpage manually, this is not a good user experience.&nbsp;</P><P>&nbsp;</P><P>Looking at other posts it seems that the redirection works with a WLC so surely this is achievable on the LAN?&nbsp;</P> Wed, 23 Sep 2020 06:06:03 GMT https://community.cisco.com/t5/network-access-control/client-certificate-error-on-portal-redirect/m-p/4155665#M562970 InfraISE2020 2020-09-23T06:06:03Z