cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

116
Views
0
Helpful
3
Replies
Highlighted
Cisco Employee

Combining ISE redirection with web proxy on non-standard port?

Dear Cisco ISE Community,

 

I’m looking for a suggestion, or a best practice, to effectively combine the redirection to ISE Captive Portal with the usage of a web proxy, on a non-standard port.

 

Are you aware of any indication on this topic?

 

Here are some more details on my question.

I’m supporting a customer who has a corporate web proxy, on port 8080.

They would like to setup a redirection rule in their network, so that, if an external computer (e.g. owned by an external contractor) connects to their network, it is automatically redirected to the ISE captive portal.

The external computers, likely, don’t have any proxy configured yet, so they will try to make a browsing request to port 80. Therefore, the redirection on the switches should be configured to operate on this port.

However, depending on the browser and the operating system, every computer could try to access different kinds of URLs, in the first browsing request… Every URL should also be configured in the network as an “exclusion”, to allow access internet without proxy, and it’s a bit difficult to foresee all the possible URLs to allow…

Has anyone encountered the same kind or issues?

 

Please feel free to ask for more details if needed.

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
Rising star

Re: Combining ISE redirection with web proxy on non-standard port?

The URL request from the client will never make it past the access switch so you don't have to worry about bypassing the proxy for whatever URL they are going to initially.  Yes, you do need the http server running on the switch; however, the switch doesn't actually accept HTTP requests for redirection.  You can disable all of the session-modules for HTTP.  It only sends a response back to the client spoofing the original destination IP to make the client redirect.  I would think that this would be a major issue if it operated the way you are thinking.  Because there are all sorts of possible proxy configurations on clients.  I think the "ip http port" command really just controls what port the session-modules will listen on for normal HTTP server operations.  But redirection isn't a normal HTTP server.

Maybe someone from the BU can clarify.

View solution in original post

3 REPLIES 3
Rising star

Re: Combining ISE redirection with web proxy on non-standard port?

Maybe I am reading your question wrong but I don't see a problem with the ISE redirection piece of this.  The redirect ACL controls what is actually redirected to ISE.  It doesn't matter what URL's they attempt to go to as long as those destinations are not covered by a "deny" statement in your redirect ACL on a switch (WLC would be a permit).  For example, here is a basic redirect ACL for a switch:

deny udp any any eq domain

deny udp any any eq bootps

deny ip any <ISE PSN>

permit ip any any

The permit IP any any would catch any request from those computers and redirect to the ISE PSN.  The bigger problem I see potentially is how you handle the proxy for these users.  Once they hit ISE and are authenticated, do you want them to go through the proxy?  Or not?  If not, then you would need to make sure your firewall allows the outgoing requests on 80/443 from the subnets that these contractors are on.  If everything is redirected through the proxy by WCCP or similar, then you would need to create an exception/allow in your proxy for the subnets.

Does that help?  Or did I totally misinterpret your question?

Cisco Employee

Re: Combining ISE redirection with web proxy on non-standard port?

Hello Colby,

I believe that the switch should also run the HTTP server, in order to correctly intercept and redirect the HTTP browsing requests from the client.

And, in order to do so, only one port can be set, so it can be either 80 or 8080, in my case.

Therefore, the problem is that not all browsing requests can be redirected, but only the ones that are going to a specific port.

So, the most convenient choice seems to be redirecting port 80, i.e. assuming that the contractor's computers don't have any proxy setup yet.

Hence, the headache is: finding out what URL should be allowed to bypass the proxy...

 

Please let me know if I misunderstood anything.

Thank you.

 

Rising star

Re: Combining ISE redirection with web proxy on non-standard port?

The URL request from the client will never make it past the access switch so you don't have to worry about bypassing the proxy for whatever URL they are going to initially.  Yes, you do need the http server running on the switch; however, the switch doesn't actually accept HTTP requests for redirection.  You can disable all of the session-modules for HTTP.  It only sends a response back to the client spoofing the original destination IP to make the client redirect.  I would think that this would be a major issue if it operated the way you are thinking.  Because there are all sorts of possible proxy configurations on clients.  I think the "ip http port" command really just controls what port the session-modules will listen on for normal HTTP server operations.  But redirection isn't a normal HTTP server.

Maybe someone from the BU can clarify.

View solution in original post