topic We have it on a separate in Network Access Control

ISE Hotspot / Captive Web Portal with HTTP (not HTTPS)?

Toivo Voll — Mon, 11 Mar 2019 06:09:03 GMT

We're setting up an ISE PoC for a hotspot (guests get redirected to an AUP page, and have to click "accept") and was wondering whether HTTPS (and certs, cert chains and all that stuff) is really necessary for this.

Perhaps I'm missing something obvious, but since there's no actual information (passwords, emails, names) being transferred, what's the need for HTTPS? Is there any way to allow plain old HTTP to the portal?

Right now this is not

Antonio Torres — Thu, 15 Oct 2015 13:22:04 GMT

Right now this is not possible. ISE is a security appliance and HTTP support for Portal flows isn't even on the roadmap.

But that's actually a good point. I can see some room for an enhancement request to have the ability to disable HTTPS on HotSpots flows if there is no access code enabled(optional) since there are no credentials to protect during this stage.

Thanks for the response.That

Toivo Voll — Thu, 15 Oct 2015 13:35:34 GMT

Thanks for the response.

That's our use case; we only need users to agree to an AUP. There's just the "accept" button, no email field, no pin or anything else.

The challenge is that the clients are in private IP space but rely on public DNS, so as far as I can tell either we have to expose the ISE portal interface to the Internet, publish a public DNS record pointing at RFC1918 space or we can't have a valid cert for the guest portal. (Or we have to re-engineer guest DNS to allow for split views, but that's a different group and involves buying things.)

If you go with exposing ISE

Antonio Torres — Thu, 15 Oct 2015 13:41:49 GMT

If you go with exposing ISE you may select a dedicated interface for the HotSpot portal and even modify the port we'll be listening on to avoid exposing other flows and management access as well.

We have it on a separate

Toivo Voll — Thu, 15 Oct 2015 13:44:29 GMT

We have it on a separate interface currently, but I'm still looking for documentation on how to, or whether it's possible to restrict it to guest portal flows only / ACL it within the ISE.

I can see that from the Linux

Antonio Torres — Thu, 15 Oct 2015 13:55:29 GMT

I can see that from the Linux side but from ISE application side there is no way you can restrict this based on the interface you're hitting.