Beginner

ISE WLC CWA packet flow

I can't find any documentation that describes how the CWA works for a client with regards to how the intercept works and how http responses are sent back to the client. From what I understand the client does DNS lookup for a web site, DNS responds with IP address, client does HTTP Get for said IP, something intercepts/spoofs/replies?

 

I can find some information on WLC using local web auth that kind of explains a similar process but not sure if it's the same for ISE.

 

"You must type a valid URL in your browser. The client resolves the URL through the DNS protocol. The client then sends its HTTP request to the IP address of the website. The WLC intercepts that request and returns the webauth login page, which spoofs the website IP address. In the case of an external WebAuth, the WLC replies with an HTTP response that includes your website IP address and states that the page has moved. The page was moved to the external web server used by the WLC."

 

But I would like to know how the intercept works in detail like the packet flow. I'm sure there used to be a diagram online.

 

Is anyone able to breakdown the process for me when using ISE CWA?

ACCEPTED SOLUTION
Cisco Employee

Re: ISE WLC CWA packet flow

In case you would like to see it on a diagram, it's explained in this document - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html#anc5

 

Section - Posture Flow Pre ISE 2.2

 

I've created it for posture, but in general there is no difference in redirect logic. The only thing which is different is the portal ID returned in the redirect URL.

4 REPLIES
VIP Engager

Re: ISE WLC CWA packet flow

It is standard URL redirection just like you described. The client browser or the OS portal detect scheme makes a web call. The network device (switch, WLC or ASA) issues a redirect to the URL specified by your ISE authorization profile. The client goes through the portal process.

Beginner

Re: ISE WLC CWA packet flow

Hi, how does the device intercept the traffic? Does it reply pretending to be the IP address of the HTTP Get destination?

VIP Engager

Re: ISE WLC CWA packet flow

Yep, it intercepts the SYN and responds with SYN-ACK, completes the handshake, receives the GET request and issues the redirect.
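As an added illustration of the intercept the replies describe (not code from this thread, from Cisco, or from ISE): a loopback Python stand-in for the intercepting device, which completes the TCP handshake in place of the website the client wanted, reads the client's GET and answers with a 302 to the portal. The portal URL and the `redirect=` query parameter are assumed placeholders; in a real deployment the redirect URL, with its portal and session IDs, comes from the ISE authorization profile.

```python
import socket
import threading
from urllib.parse import quote

# Hypothetical portal URL and query parameter: the real redirect URL comes
# from the ISE authorization profile (portal ID, session ID); illustrative only.
PORTAL_URL = "https://ise.example.invalid:8443/portal/gateway"


def build_redirect(request: bytes, portal_url: str = PORTAL_URL) -> bytes:
    """Act like the WLC/switch: parse the GET meant for the real site, reply 302."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    if method != "GET":  # only plain GETs are redirected in this demo
        return b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    original = f"http://{headers.get('host', '')}{target}"  # URL the client wanted
    location = f"{portal_url}?redirect={quote(original, safe='')}"
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Connection: close\r\nContent-Length: 0\r\n\r\n").encode()


def serve_one(listener: socket.socket) -> None:
    """Accept one intercepted connection, read the headers, send the redirect."""
    conn, _ = listener.accept()
    with conn:
        req = b""
        while b"\r\n\r\n" not in req:
            chunk = conn.recv(4096)
            if not chunk:
                break
            req += chunk
        conn.sendall(build_redirect(req))


def demo() -> bytes:
    """Loopback demo: a constructed client GET, returns the raw redirect reply."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    worker = threading.Thread(target=serve_one, args=(listener,))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
        resp = b""
        while chunk := client.recv(4096):
            resp += chunk
    worker.join()
    listener.close()
    return resp
```

Note that this only works for plain HTTP: the device can answer in place of the site because the client never verifies who completed the handshake, which is exactly why it cannot be done transparently for an HTTPS request without a certificate warning.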