https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220805#M105488 <P>WLC 2504, AireOS 8.0.152.0</P> <P>ISE 2.1 with CWA redirect</P> <P>Client Android Samsung S4 and iOS iPhone 6s</P> <P>&nbsp;</P> <P>Problem is, that WLC trying to intercept https redirected session with SSL certificate issued to its virtual interface 192.0.2.1.</P> <P>And nowadays end points do not accept it and deal it as man-in-the-middle-attack.</P> <P>&nbsp;</P> <P>So when I do ISE BYOD onboarding on android, i have problem to get redirection from https sites, and also have problem to access play.google.com for Cisco Network Setup Assistant download.</P> <P>NET::ERR_CERT_AUTHORITY_INVALID</P> <P>&nbsp;</P> <P>How should I command wlc to do not intercept https traffic with its own certification?</P> <P>&nbsp;</P> <P>thank you for any advice.</P> Mon, 05 Jul 2021 14:54:17 GMT Filip Po 2021-07-05T14:54:17Z https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220805#M105488 <P>WLC 2504, AireOS 8.0.152.0</P> <P>ISE 2.1 with CWA redirect</P> <P>Client Android Samsung S4 and iOS iPhone 6s</P> <P>&nbsp;</P> <P>Problem is, that WLC trying to intercept https redirected session with SSL certificate issued to its virtual interface 192.0.2.1.</P> <P>And nowadays end points do not accept it and deal it as man-in-the-middle-attack.</P> <P>&nbsp;</P> <P>So when I do ISE BYOD onboarding on android, i have problem to get redirection from https sites, and also have problem to access play.google.com for Cisco Network Setup Assistant download.</P> <P>NET::ERR_CERT_AUTHORITY_INVALID</P> <P>&nbsp;</P> <P>How should I command wlc to do not intercept https traffic with its own certification?</P> <P>&nbsp;</P> <P>thank you for any advice.</P> Mon, 05 Jul 2021 14:54:17 GMT https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220805#M105488 Filip Po 2021-07-05T14:54:17Z https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220949#M105489 <P>&nbsp;</P> <P>Did you try to enable https redirection ? if not then give a try.</P> <PRE><SPAN>config network web-auth https-redirect enable</SPAN></PRE> <P>&nbsp;</P> <P>Check this:</P> <P><A href="https://supportforums.cisco.com/t5/wireless-mobility-documents/understanding-https-redirect-over-web-auth/ta-p/3143359" target="_blank">https://supportforums.cisco.com/t5/wireless-mobility-documents/understanding-https-redirect-over-web-auth/ta-p/3143359</A></P> <P>&nbsp;</P> <P>Regards</P> <P>Dont forget to rate helpful posts</P> Wed, 22 Nov 2017 14:33:42 GMT https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220949#M105489 Sandeep Choudhary 2017-11-22T14:33:42Z https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220971#M105490 <P>Yes, I follow design guide and also this <A href="https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118826-config-https-webauth-00.html" target="_blank">document</A>.</P> <P>But instead use local web-auth I am using CWA on ISE.</P> <P>Dual-SSID BYOD.</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">Web Auth CMCC Support ...................... Disabled</FONT><BR /><FONT face="courier new,courier">Web Auth Redirect Ports .................... 80</FONT><BR /><FONT face="courier new,courier">Web Auth Proxy Redirect ................... Disable</FONT><BR /><FONT face="courier new,courier">Web Auth Captive-Bypass .................. Enable</FONT><BR /><FONT face="courier new,courier">Web Auth Secure Web ....................... Enable</FONT><BR /><FONT face="courier new,courier">Web Auth Secure Redirection ............... Enable</FONT><BR /><FONT face="courier new,courier">Fast SSID Change ........................... Enabled</FONT></P> Wed, 22 Nov 2017 15:00:24 GMT https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3220971#M105490 Filip Po 2017-11-22T15:00:24Z https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3222529#M105491 <P>Due to the impact on performance and the usability issues like you described, it is actually recommended to keep https redirect disabled. You can undo this behavior with the "config network web-auth https-redirect disable" command. It is some time ago that I have worked with ISE's on-boarding procedure and I'm not trying to scare you, but I foresee another issue when you perform this change.<BR /><BR />The challenge you might run into is that, since you have the "captive-bypass" feature enabled, Apple iPhones and iPads won't automatically launch their "mini browser" anymore to open the portal page. This means that users themselves need to open their (regular) browser and manually request a random webpage; big change that will be a https only webpage which will no longer be redirected by the controller. Disabling the "captive-bypass" feature won't help since those same iPhones and iPads won't post their agent information when using the "mini browser", making the on-boarding procedure stop (unsupported device). <BR /><BR />Like I said earlier my experience with this on-boarding procedure is a little rusty, but it seems that Cisco has been working on this topic in the meantime. In <A href="https://communities.cisco.com/docs/DOC-71469" target="_blank">this document</A> the different options to tackle this issue are documented and also <A href="https://communities.cisco.com/docs/DOC-71398" target="_blank">this topic</A> might be informative for you as well. Keep us posted on your findings and good luck!<BR /><BR /><EM>Please rate useful posts... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></EM></P> Sun, 26 Nov 2017 00:57:58 GMT https://community.cisco.com/t5/wireless/wlc-redirect-traffic-with-intercept-make-problem-to-https-site/m-p/3222529#M105491 Freerk Terpstra 2017-11-26T00:57:58Z