Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1538
Views
15
Helpful
0
Replies

Catalyst switch web redirect (cwa)

Bram Van den Bosch
Level 1
Level 1

‎03-07-2022 05:59 AM

i all,

 

I'm wondering if there are already neat solutions, or design/implementation guides that take into account web redirect in a modern segmented network?

As the ISE guest deployment guide indicates, a SVI is required to handle the HTTP redirect from the NAD (switch) to the client

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId--719488792

 

This poses some challenges in segmented networks:

  1. In most environments there is only a management SVI
  2. When this management environment is well protected (firewall as default gateway, or VRF segmented with fusion firewall upstream) this is often an issue. The access switch will send the HTTP redirect from its management SVI, but as source IP it will spoof the address of the original HTTP request.
    The upstream firewall can be configured to allow this traffic but often requires unwanted configuration such as:
    1. allow traffic sourced form all non-RFC1918 addresses (as the switch spoofs the IP from the original HTTP request from the client)
    2. disable anti-spoofing / RPF checks (depending on platform/vendor), as traffic arrives from a public IP where this is probably not expected
    3. disable checks on TCP flags, as traffic arrives on a firewall where no TCP-SYN is seen (as this packet is eaten by the access switch)

An alternative way to handle this is to create an SVI in each VLAN or VRF where web-redirect/CWA would be required. But also challenges here (besides the management overhead):

  1. It creates a back door between VLANs, this is really an issue if VLANs are used for segmentation, especially in the case of wired guest
  2. Probably a deny ACL , inbound on the extra SVI's can help. Is this commonly used?
  3. Placing each SVI in it's own VRF could also be a solution, but in the C9300 17.7 release notes, it is an unsupported feature: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-7/release_notes/ol-17-7-9300.html#concept_xk1_21f_3mb
    1. the 'webauth-vrf-aware' command seems to be missing from the C9300 webauth parameter map, so unless it is implied by default, it seems that working with VRF here is not a solution
    2. On 3850 version 3.7 it seemed possible, but looks like it is removed from 16.x

Are there more neat alternatives here? Or other ways you are dealing with this issue?
(mainly looking for latest generation C9K's; but even better if it would work on previous generation 2960X or 3650/3850 as well)

For example, I noticed you cloud configure a virtual IP under the webauth parameter map, would this avoid the requirement to have a L3 interface per VLAN/VRF?

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents