https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4950899#M1105439 <P>You can configure the switch per the Best Practices to mitigate the vulnerability.</P> <P>As noted in the ISE Secure Wired Access Prescriptive Design Guide:</P> <P>Switch’s internal HTTP/HTTPS server is used for redirection process and its highly encouraged to decouple this service from Switch Management if HTTP/HTTPS isn’t used for Switch Management. You can accomplish this using below CLI’s:</P> <PRE>c9300-Sw(config)#ip http active-session-modules none c9300-Sw(config)#ip http secure-active-session-modules none</PRE> <P><A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1376429527" target="_blank">https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1376429527</A>&nbsp;</P> Mon, 30 Oct 2023 13:40:37 GMT Marvin Rhoads 2023-10-30T13:40:37Z https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4949955#M1105414 <P>Hi all,<BR /><BR />I need some assistance with ALC's<BR />So my goal is to have an ACL that blocks access to the switches web gui BUT allows an ISE URL redirection for our guest users.<BR />In order for the redirect we need to have the http and http secure-server active,<BR />This is in relation to bug&nbsp;<SPAN>CSCwh87343</SPAN><BR />On our devices we have an ACL for web redirect that allows anyone to access http and 443 so here in lies the rub...<BR />If anyone has any thoughts that could point me in the right direction that would be great.<BR /><BR /></P> Fri, 27 Oct 2023 21:40:56 GMT https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4949955#M1105414 S Leigh 2023-10-27T21:40:56Z https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4949959#M1105415 <P>Cisco has started rolling out patch already for the bug you mentioned</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html</A></P> <P>For the guest along with redirect ACL force a dacl from ise that allows port 8443 access to ISE and DNS and deny everything else.</P> Fri, 27 Oct 2023 22:42:36 GMT https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4949959#M1105415 Ambuj M 2023-10-27T22:42:36Z https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4950899#M1105439 <P>You can configure the switch per the Best Practices to mitigate the vulnerability.</P> <P>As noted in the ISE Secure Wired Access Prescriptive Design Guide:</P> <P>Switch’s internal HTTP/HTTPS server is used for redirection process and its highly encouraged to decouple this service from Switch Management if HTTP/HTTPS isn’t used for Switch Management. You can accomplish this using below CLI’s:</P> <PRE>c9300-Sw(config)#ip http active-session-modules none c9300-Sw(config)#ip http secure-active-session-modules none</PRE> <P><A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1376429527" target="_blank">https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1376429527</A>&nbsp;</P> Mon, 30 Oct 2023 13:40:37 GMT https://community.cisco.com/t5/network-security/acl-to-block-web-gui-access-but-allow-ise-redirection/m-p/4950899#M1105439 Marvin Rhoads 2023-10-30T13:40:37Z