Combining ISE redirection with web proxy on non-standard port?

pglave (Cisco Employee)

Dear Cisco ISE Community,


I’m looking for a suggestion, or a best practice, to effectively combine the redirection to ISE Captive Portal with the usage of a web proxy, on a non-standard port.


Are you aware of any indication on this topic?


Here are some more details on my question.

I’m supporting a customer who has a corporate web proxy, on port 8080.

They would like to set up a redirection rule in their network, so that, if an external computer (e.g. owned by an external contractor) connects to their network, it is automatically redirected to the ISE captive portal.

The external computers likely don’t have any proxy configured yet, so they will try to make a browsing request to port 80. Therefore, the redirection on the switches should be configured to operate on this port.

However, depending on the browser and the operating system, every computer could try to access different kinds of URLs in the first browsing request… Every URL should also be configured in the network as an “exclusion”, to allow internet access without the proxy, and it’s a bit difficult to foresee all the possible URLs to allow…

Has anyone encountered the same kind of issues?


Please feel free to ask for more details if needed.

Thank you.


3 Replies

Colby LeMaire (VIP Alumni)

Maybe I am reading your question wrong but I don't see a problem with the ISE redirection piece of this. The redirect ACL controls what is actually redirected to ISE. It doesn't matter what URLs they attempt to go to as long as those destinations are not covered by a "deny" statement in your redirect ACL on a switch (WLC would be a permit). For example, here is a basic redirect ACL for a switch:

deny udp any any eq domain
deny udp any any eq bootps
deny ip any <ISE PSN>
permit ip any any

The permit IP any any would catch any request from those computers and redirect to the ISE PSN. The bigger problem I see potentially is how you handle the proxy for these users. Once they hit ISE and are authenticated, do you want them to go through the proxy? Or not? If not, then you would need to make sure your firewall allows the outgoing requests on 80/443 from the subnets that these contractors are on. If everything is redirected through the proxy by WCCP or similar, then you would need to create an exception/allow in your proxy for the subnets.

Does that help? Or did I totally misinterpret your question?
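As an added example (not code from the thread or from Cisco), the following Python snippet models the first-match semantics of the redirect ACL Colby describes, run over constructed sample flows from a contractor laptop; the PSN address and the flow addresses are placeholders, and it assumes the ACL only uses `any` / `host` destinations and `eq` ports.

```python
# Added example, not from the thread: evaluates the first-match semantics of
# a Catalyst redirect ACL. "deny" = leave the flow alone, "permit" = redirect
# it to the ISE portal. Only protocol, destination IP and destination port
# matter; the URL the browser asked for is never part of the decision.
import ipaddress

PORT_NAMES = {"domain": 53, "bootps": 67}  # IOS port keywords used above
ISE_PSN = "10.0.0.50"  # constructed placeholder for <ISE PSN>

REDIRECT_ACL = [
    "deny udp any any eq domain",
    "deny udp any any eq bootps",
    f"deny ip any host {ISE_PSN}",
    "permit ip any any",
]

def parse_ace(line):
    """Parse 'action proto any <any|host X> [eq port]' into match fields."""
    tok = line.split()
    action, proto, dst_tok = tok[0], tok[1], tok[3]
    if dst_tok == "host":
        dst, rest = ipaddress.ip_network(tok[4] + "/32"), tok[5:]
    else:
        dst, rest = ipaddress.ip_network("0.0.0.0/0"), tok[4:]
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, dst, port

def redirected(acl, proto, dst_ip, dst_port):
    """True if the switch redirects this flow to ISE (first matching ACE wins)."""
    for line in acl:
        action, aproto, dst, port = parse_ace(line)
        if aproto not in ("ip", proto) or ipaddress.ip_address(dst_ip) not in dst \
                or (port is not None and port != dst_port):
            continue
        return action == "permit"
    return False  # implicit deny at the end of the ACL: not redirected

# Constructed flows from a contractor laptop that has no proxy configured yet
FLOWS = {
    "dns lookup": ("udp", "10.0.0.2", 53),
    "ise portal itself": ("tcp", ISE_PSN, 8443),
    "first browser probe, host A": ("tcp", "203.0.113.10", 80),
    "first browser probe, host B": ("tcp", "198.51.100.7", 80),
    "request aimed at a proxy on 8080": ("tcp", "10.0.0.80", 8080),
}

def evaluate(acl=REDIRECT_ACL, flows=FLOWS):
    """Map each sample flow to whether the redirect ACL sends it to ISE."""
    return {name: redirected(acl, *flow) for name, flow in flows.items()}
```

Whatever host the browser's first request goes to, both port-80 probes land on `permit ip any any` and are redirected; only DNS, DHCP and the PSN itself are exempted, so there is no per-URL list to maintain on the switch side.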

Hello Colby,

I believe that the switch should also run the HTTP server, in order to correctly intercept and redirect the HTTP browsing requests from the client.

And, in order to do so, only one port can be set, so it can be either 80 or 8080, in my case.

Therefore, the problem is that not all browsing requests can be redirected, but only the ones that are going to a specific port.

So, the most convenient choice seems to be redirecting port 80, i.e. assuming that the contractors' computers don't have any proxy set up yet.

Hence, the headache is: finding out what URL should be allowed to bypass the proxy...


Please let me know if I misunderstood anything.

Thank you.


The URL request from the client will never make it past the access switch so you don't have to worry about bypassing the proxy for whatever URL they are going to initially. Yes, you do need the http server running on the switch; however, the switch doesn't actually accept HTTP requests for redirection. You can disable all of the session-modules for HTTP. It only sends a response back to the client spoofing the original destination IP to make the client redirect. I would think that this would be a major issue if it operated the way you are thinking, because there are all sorts of possible proxy configurations on clients. I think the "ip http port" command really just controls what port the session-modules will listen on for normal HTTP server operations. But redirection isn't a normal HTTP server.

Maybe someone from the BU can clarify.
