https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948871#M584868 <P>On IOS-XE devices that don't require access to the web UI, it is recommended to use the following commands to prevent access to the web UI while still allowing the ISE redirect use cases:</P> <PRE class="lia-indent-padding-left-30px">ip http active-session-modules none<BR />ip http secure-active-session-modules none</PRE> <P>&nbsp;</P> Thu, 26 Oct 2023 12:58:17 GMT Charlie Moreton 2023-10-26T12:58:17Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948418#M584865 <P>Hi,&nbsp;</P><P>We are having ISE 2.7 patch 9 and it is used for for endpoint posturing. For unknown clients posture reduction we have enabled the http and https redirection on cisco NAD switches.&nbsp;</P><P>But now we have reported http and https vulnerability from our SOC team and to disable the same.&nbsp;</P><P>Please suggest if there is any alternative way for redirection without enabling http &amp; https on NAD switches or else if there is any way to use http &amp; https without any impacting.&nbsp;</P> Thu, 26 Oct 2023 07:10:35 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948418#M584865 wavarevivek1 2023-10-26T07:10:35Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948420#M584866 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1621738">@wavarevivek1</a> there are redirectionless posture options, you'd need to predeploy the call home server list to the clients:-</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/policy-access-management/220394-implementing-ise-redirectionless-posture.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/policy-access-management/220394-implementing-ise-redirectionless-posture.html</A></P> <P>&nbsp;</P> Thu, 26 Oct 2023 07:16:45 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948420#M584866 Rob Ingram 2023-10-26T07:16:45Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948871#M584868 <P>On IOS-XE devices that don't require access to the web UI, it is recommended to use the following commands to prevent access to the web UI while still allowing the ISE redirect use cases:</P> <PRE class="lia-indent-padding-left-30px">ip http active-session-modules none<BR />ip http secure-active-session-modules none</PRE> <P>&nbsp;</P> Thu, 26 Oct 2023 12:58:17 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4948871#M584868 Charlie Moreton 2023-10-26T12:58:17Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4954641#M585033 <P>The recommendation provided by <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/317086">@Charlie Moreton</a> is documented in <A href="https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221144-cisco-tac-technical-faqs-for-cisco-ios-x.html" target="_self">Cisco TAC Technical FAQs for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198</A> &gt; <A href="https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221144-cisco-tac-technical-faqs-for-cisco-ios-x.html#toc-hId-1498375900" target="_blank">3. I am using Identity Services Engine (ISE) redirect use cases and can't disable the http/https servers. What can I do?</A></P> Tue, 07 Nov 2023 00:42:07 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-redirection-http-amp-amp-https-on-nad-device/m-p/4954641#M585033 thomas 2023-11-07T00:42:07Z