ISE WLC CWA packet flow

firestartest
Level 1

I can't find any documentation that describes how CWA works for a client with regards to how the intercept works and how HTTP responses are sent back to the client. From what I understand, the client does a DNS lookup for a web site, DNS responds with an IP address, the client does an HTTP GET for said IP, and then something intercepts/spoofs/replies?

I can find some information on WLC using local web auth that kind of explains a similar process, but I'm not sure if it's the same for ISE.


"You must type a valid URL in your browser. The client resolves the URL through the DNS protocol. The client then sends its HTTP request to the IP address of the website. The WLC intercepts that request and returns the webauth login page, which spoofs the website IP address. In the case of an external WebAuth, the WLC replies with an HTTP response that includes your website IP address and states that the page has moved. The page was moved to the external web server used by the WLC."


But I would like to know how the intercept works in detail like the packet flow. I'm sure there used to be a diagram online.


Is anyone able to breakdown the process for me when using ISE CWA?

Accepted Solution

Serhii Kucherenko
Cisco Employee

In case you would like to see it on a diagram, it's explained in this document: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html#anc5


Section - Posture Flow Pre ISE 2.2


I've created it for posture, but in general there is no difference in the redirect logic. The only thing that is different is the portal ID returned in the redirect URL.

4 Replies

paul
Level 10

It is standard URL redirection, just like you described. The client browser or the OS captive-portal detection scheme makes a web call. The network device (switch, WLC or ASA) issues a redirect to the URL specified by your ISE authorization profile. The client then goes through the portal process.

Hi, how does the device intercept the traffic? Does it reply pretending to be the IP address of the HTTP GET destination?

Yep, it intercepts the SYN and responds with a SYN-ACK, completes the handshake, receives the GET request and issues a redirect.
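To make the exchange paul describes concrete, here is a small loopback simulation of the intercepting device (an added example written for this thread, not Cisco or ISE code). It completes the TCP handshake for whatever address the client thought it was reaching, reads the client's GET, and answers with a 302 to the portal URL, which is where the portal ID from the authorization profile ends up. The portal host ise.example.com:8443, the session and portal ID placeholders, and the query parameter names sessionId, portal, action and redirect are assumptions for illustration, not values taken from the thread.

```python
"""Simulation of the CWA intercept described in the thread (added example, not Cisco code).

Assumptions, none of which come from the thread: the portal base URL
ise.example.com:8443 is a placeholder, and the query parameters sessionId,
portal, action and redirect are illustrative names for the values the network
device learns from the ISE authorization profile.
"""
import socket
import threading
from urllib.parse import urlencode

PORTAL_BASE = "https://ise.example.com:8443/portal/gateway"  # placeholder host


def parse_http_request(raw: bytes):
    """Return (method, target, host) from a minimal HTTP/1.x request head,
    or None if the request line is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return method, target, host


def build_redirect(raw: bytes, session_id: str, portal_id: str) -> bytes:
    """Do what the intercepting WLC/switch does after the spoofed handshake:
    take the client's GET for any site and answer it with a 302 to the portal."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    method, target, host = parsed
    if method not in ("GET", "HEAD"):
        return b"HTTP/1.1 405 Method Not Allowed\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    # Reconstruct the URL the client actually wanted so the portal can send it back there later.
    original_url = target if target.startswith("http://") else f"http://{host}{target}"
    query = urlencode({
        "sessionId": session_id,   # the session the device reported to ISE (placeholder)
        "portal": portal_id,       # the portal ID from the authorization profile (placeholder)
        "action": "cwa",
        "redirect": original_url,
    })
    headers = [
        "HTTP/1.1 302 Found",
        f"Location: {PORTAL_BASE}?{query}",
        "Cache-Control: no-store",
        "Connection: close",
        "Content-Length: 0",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii")


def redirect_location(response: bytes) -> str:
    """Pull the Location header out of a response, the way the browser will."""
    for line in response.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("ascii")
    return ""


def serve_one_intercept(session_id: str, portal_id: str) -> int:
    """Loopback stand-in for the network device: complete the TCP handshake for
    one client regardless of the address it thought it was reaching, read its
    request and reply with the redirect. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(build_redirect(conn.recv(4096), session_id, portal_id))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_one_intercept("SESSION-ID-PLACEHOLDER", "PORTAL-ID-PLACEHOLDER")
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
        print(redirect_location(client.recv(4096)))
```

Running the script prints the Location the browser would follow. In the real deployment the device answers on the destination address the client resolved via DNS, which is why the browser sees a response "from" the site it asked for; on loopback the address is simply 127.0.0.1. Note that this only works for plain HTTP: an HTTPS request to the original site cannot be answered this way without a certificate warning, which is why the OS captive-portal probes use HTTP.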
