Cisco Employee

ISE Guest CWA and HTTPS redirection

Hi Experts,

Since WLC 8.0, HTTPS redirection for CWA is supported, but there are concerns about WLC performance when handling a large amount of SSL traffic. As a result, the ISE Guest CWA redirection function now relies heavily on the client initiating connections to an HTTP URL. As more and more websites are HTTPS-enabled, what is the best practice for this design? Do we have to pick between a performance hit from enabling HTTPS redirection on the WLC and forcing guests to find an HTTP website?

Any guidance is much appreciated!

Ling Yang

Cisco Employee

Re: ISE Guest CWA and HTTPS redirection

Since ISE 2.2 we support Apple captive portal detection for guests; we should promote that instead, so users aren't forced to open the browser on their own, which might have an HTTPS-based home page.


ISE 2.2 Apple CNA (Captive Network Assistant) Mini-Browser for BYOD/Guest


To enable it, there is a special command on the WLC:

(WLC)>config network web-auth https-redirect enable

Supported from CUWN firmware version 8.0

You can enable it via the GUI by going to MANAGEMENT -> HTTP-HTTPS -> HTTPS Redirection 'Enabled'. I think there was a WLC version where the GUI didn't configure it properly, but that seems to have been fixed now.

Configure HTTPS Redirect over Web-auth - Cisco


HTTPS redirect is not a good idea:

a) it is evil (you are attempting to hijack a secure connection)
b) it won't work (clients will block your evil hijack attempt)
c) it doesn't scale (generating a forged SSL hijack session for each port 443 connection from each client is a lot of processing requirement); see CSCuu78888 "Web GUI unresponsive after HTTPS-redirect enabled"
d) certificate warnings

Here are a couple of decent write-ups on the topic; as you can see, it's not just a Cisco issue:

http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

https://medium.com/@padam.singh/https-based-redirection-and-wi-fi-captive-portals-92cc98a22981

For employees using captive portal inside the organization, the one solution is to have them set their home page to the organization’s internal landing page.

For general guest users, many devices are built with captive portal detection and will trigger their own browser, avoiding a commercial browser with an HTTPS home page. Therefore, it is desirable to have portal bypass enabled to avoid such errors. Also see the suggestion to actually block HTTPS in the redirect state to deny access until a CNA or other HTTP request can trigger the redirect.
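As an added illustration for this reply (editor's example, not part of the thread and not Cisco code), the script below models what the WLC does with a pre-auth guest's traffic in the three cases discussed: an HTTP request gets a 302 to the ISE portal, an HTTPS request is dropped by default, and with https-redirect enabled it becomes a TLS interception for a name the WLC does not own. It also shows the probe check an OS captive portal detector (Apple CNA and similar) performs, which is why promoting CNA avoids the HTTPS home-page problem. The ISE hostname, port, session id and portal id are constructed; only the sessionId/portal/action=cwa query layout follows the ISE CWA redirect.

```python
"""
Model of what a WLC does with traffic from a guest client that is still in the
CWA redirect (pre-auth) state, plus the probe check that OS-level captive
portal detectors perform.  Added illustration, not Cisco code; every hostname,
port, session id and portal id below is constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed ISE policy node FQDN and guest portal port (assumed values).
ISE_PORTAL_HOST = "ise-psn1.example.com"
ISE_PORTAL_PORT = 8443


@dataclass
class Request:
    scheme: str          # "http" or "https"
    host: str
    path: str = "/"


@dataclass
class Outcome:
    action: str                     # "pass", "redirect", "drop" or "tls-intercept"
    location: Optional[str] = None  # Location header for a redirect
    note: str = ""


def ise_redirect_url(session_id: str, portal_id: str) -> str:
    """Build the guest portal URL the WLC hands to the client.

    The query layout (sessionId / portal / action=cwa) follows the ISE CWA
    redirect; host, port and the two ids are constructed for this example.
    """
    query = urlencode({"sessionId": session_id, "portal": portal_id, "action": "cwa"})
    return f"https://{ISE_PORTAL_HOST}:{ISE_PORTAL_PORT}/portal/gateway?{query}"


def handle_preauth_request(req: Request, session_id: str, portal_id: str,
                           https_redirect_enabled: bool) -> Outcome:
    """Decide what the WLC does with one request from a not-yet-authenticated client."""
    if req.host == ISE_PORTAL_HOST:
        # The pre-auth ACL permits the portal itself, so the client reaches ISE directly.
        return Outcome("pass", note="permitted to the ISE portal by the pre-auth ACL")
    if req.scheme == "http":
        # Plain HTTP: the WLC answers with an HTTP 302 to the portal.  No TLS is
        # involved, so no certificate is shown to the client on this hop.
        return Outcome("redirect", ise_redirect_url(session_id, portal_id),
                       note="HTTP 302 from the WLC virtual interface")
    if not https_redirect_enabled:
        # Default behaviour: port 443 traffic is not answered until the client
        # authenticates.  The browser shows a connection failure, not a cert error.
        return Outcome("drop", note="HTTPS dropped until an HTTP request or CNA probe "
                                    "triggers the redirect")
    # https-redirect enabled: the WLC must terminate TLS for a name it does not own,
    # so the browser sees a certificate that does not match req.host.
    return Outcome("tls-intercept",
                   note=f"WLC presents its own certificate for {req.host}: "
                        "name mismatch warning, and HSTS sites refuse to proceed")


def probe_detects_portal(status: int, body: str) -> bool:
    """Captive portal probe check as OS detectors do it.

    The detector sends a plain HTTP GET to a fixed probe URL and expects one
    exact response (constructed here as a 200 with the body "Success").
    Anything else, such as the WLC's 302 to the portal, means "captive", and
    the OS opens its mini-browser, so the user never has to type an HTTPS URL.
    """
    return not (status == 200 and body.strip() == "Success")


if __name__ == "__main__":
    for scheme, flag in (("http", False), ("https", False), ("https", True)):
        out = handle_preauth_request(Request(scheme, "www.cisco.com"),
                                     "sess-0001", "guest-portal", flag)
        print(f"{scheme:5} https-redirect={flag!s:5} -> {out.action}: {out.location or out.note}")
    print("probe sees portal:", probe_detects_portal(302, ""))
```

The interesting case is the third line of output: even with a perfectly valid certificate installed on the WLC, the intercepted TLS session is for www.cisco.com, so the name check fails and the browser warns. The probe path avoids the problem entirely because the detector's request is HTTP and a 302 is all it needs to see.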

Enthusiast

Re: ISE Guest CWA and HTTPS redirection

Hi,

I have the same redirect problem on WLC 5700.

These commands do not exist on the 5700:

config network web-auth captive-bypass {enable | disable}

config network web-auth https-redirect enable

How can I do this CWA redirect for Apple devices on the 5700?

Cisco Employee

Re: ISE Guest CWA and HTTPS redirection

I would suggest you query the wireless team for their command issues.

Also, we don't recommend HTTPS redirection.

Beginner

Re: ISE Guest CWA and HTTPS redirection

Hi!

This command does not exist because the WLC 5760 runs IOS XE software, not AireOS as on the WLC 2504, 5520, etc.

Try enabling HTTPS with the command "ip http secure-server" in conf t.

Thank you!

Beginner

Re: ISE Guest CWA and HTTPS redirection

Hi,

We have a similar problem, but are not that worried about the SSL traffic handled by the WLC.

However, since the WLC needs to establish an SSL connection with the client to be able to redirect it to ISE for login, we get a certificate error on clients not using the Apple captive portal detection.

Since the client is sending a GET to, e.g., cisco.com and the WLC's certificate is not issued to cisco.com, you will get a certificate warning when opening your browser on the guest Wi-Fi, i.e., ISE CWA.

A workaround is disabling captive bypass, but what about non-Apple clients?

Cisco Employee

Re: ISE Guest CWA and HTTPS redirection

I don't see any issues using a well-known cert on ISE with the Apple mini-browsers and redirect. It's not recommended to use HTTPS redirect because of these issues. https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-cwa-and-https-redirection/td-p/3583892
Beginner

Re: ISE Guest CWA and HTTPS redirection

We have a well-known certificate (DigiCert) installed in our ISE environment, configured to be used as the web-auth certificate.

The issue we face in central web auth is that it is the WLC that sends its certificate to the client before the client hits the ISE portal. The WLC has a self-signed certificate, which of course is not trusted by the client.

If you click "trust" on the WLC certificate, the client continues to the ISE portal and gets the ISE certificate.

So my question is, do you need a well-known certificate on both the WLC and ISE for CWA?

Contributor

Re: ISE Guest CWA and HTTPS redirection

No, you need it only on the ISE side.
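To make the last two posts concrete, here is an added example (editor's illustration, not from the thread or from Cisco) that walks the guest's browser through the two hops of the CWA path and reports which certificate warnings each hop would raise. It shows why a public certificate is only needed on ISE when the first hop is an HTTP 302, and why a public certificate on the WLC would not help with https-redirect either: the intercepted session is for the site the guest typed, not for the WLC's own name. All hostnames, SANs, issuers and the trust store are constructed.

```python
"""
Which certificate the guest's browser validates on the CWA path, hop by hop.
Added illustration, not Cisco code; hostnames, SANs, issuer names and the
trust store are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class Cert:
    subject_cn: str
    sans: List[str]        # dNSName entries
    issuer: str
    self_signed: bool = False


# Constructed trust store: issuer names a typical guest laptop trusts.
PUBLIC_ROOTS = {"DigiCert"}


def hostname_matches(host: str, cert: Cert) -> bool:
    """RFC 6125-style check: SAN entries first, CN only as a legacy fallback;
    a wildcard is honoured only as the leftmost label and covers one label."""
    names = cert.sans or [cert.subject_cn]
    host = host.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and fnmatchcase(host, name):
                return True
        elif name == host:
            return True
    return False


def validate_hop(requested_host: str, cert: Cert) -> List[str]:
    """Return the warnings a browser would raise for one TLS hop."""
    warnings = []
    if cert.self_signed or cert.issuer not in PUBLIC_ROOTS:
        warnings.append(f"untrusted issuer ({cert.issuer})")
    if not hostname_matches(requested_host, cert):
        warnings.append(f"name mismatch: wanted {requested_host}, "
                        f"got {cert.sans or [cert.subject_cn]}")
    return warnings


def cwa_trust_path(original_host: str, original_scheme: str, https_redirect: bool,
                   wlc_cert: Cert, ise_cert: Cert, ise_host: str) -> Dict[str, object]:
    """Hop 1: client -> WLC (the redirect).  Hop 2: client -> ISE guest portal."""
    path: Dict[str, object] = {
        "wlc_hop": "http-302",          # plain HTTP redirect: no certificate shown
        "wlc_warnings": [],
        "ise_warnings": validate_hop(ise_host, ise_cert),
    }
    if original_scheme == "https":
        if https_redirect:
            # The WLC answers the TLS handshake meant for original_host.
            path["wlc_hop"] = "tls-intercept"
            path["wlc_warnings"] = validate_hop(original_host, wlc_cert)
        else:
            path["wlc_hop"] = "dropped"  # no TLS hop at all until HTTP/CNA triggers it
    return path


# Constructed certificates for the demo.
WLC_SELF_SIGNED = Cert("wlc-virtual.example.com", [], "wlc-virtual.example.com", self_signed=True)
WLC_PUBLIC = Cert("wlc-virtual.example.com", ["wlc-virtual.example.com"], "DigiCert")
ISE_PUBLIC = Cert("ise-psn1.example.com", ["ise-psn1.example.com", "*.example.com"], "DigiCert")
ISE_HOST = "ise-psn1.example.com"

if __name__ == "__main__":
    cases = [("http", False, WLC_SELF_SIGNED), ("https", True, WLC_SELF_SIGNED),
             ("https", True, WLC_PUBLIC)]
    for scheme, flag, wlc in cases:
        p = cwa_trust_path("www.cisco.com", scheme, flag, wlc, ISE_PUBLIC, ISE_HOST)
        print(f"{scheme:5} https-redirect={flag!s:5} wlc={p['wlc_hop']:13} "
              f"wlc warnings={p['wlc_warnings']} ise warnings={p['ise_warnings']}")
```

The first case reproduces the Contributor's answer: with an HTTP 302 from the WLC, the only certificate the browser ever validates is the one ISE presents, so a public certificate on ISE alone is enough. The third case is the one worth noting: swapping the WLC's self-signed certificate for a public one removes the issuer warning but not the name mismatch, because the guest asked for www.cisco.com.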