Beginner

Cisco ISE and Cisco 2960X Switches

All,


I have installed Cisco ISE (4.2 with NAM and Posture modules). For some reason my clients (EAP-TLS) are authenticating and authorising fine, but some of my clients during authentication are seeing a Windows security alert indicating that the cert isn't trusted. When I view the cert, it's the self-signed one from the 2960X switch.

I believe an application is trying to contact a server over 443 but why would a switch respond to a client request with its own self signed cert?

Any help would be great, thanks!

Participant

Re: Cisco ISE and Cisco 2960X Switches

Hi,


Haven't you enabled/configured ip http and http secure-server commands on the switch?

These commands are needed for redirection. Each time you want to redirect some traffic, the switch would spoof the destination server and would respond on behalf of your destination (the flow must be allowed from the management VLAN to the workstation/data VLAN). :)


Usually, the redirected traffic would be http as in app access, but you might have some apps that are trying some https.

You can give it a go with a specific call home server (I think this was the name of the section) in the posture profile so that you get redirected for a specific destination (that is - http).


Thanks,

Octavian

Beginner

Re: Cisco ISE and Cisco 2960X Switches

Hi Octavian,

Yes http and http secure server are configured and working.

Also configured are the below commands for disabling web management.


ip http active-session-modules none

ip http secure-active-session-modules none


I think the issue is that while clients are redirecting (posturing/system scan) during remediation, an app is also trying to redirect (HTTP) at the same time and the switch is responding with its cert. I think if I alter the redirect ACL to deny the source, that should work (i.e. bypass redirection).

Any thoughts?

Participant

Re: Cisco ISE and Cisco 2960X Switches

Hi,


You could try a SPAN config, or run Wireshark directly on the endpoint to check where it tries to connect.

(Regarding the bypass: you have to deny/bypass based on destination, not source.)


Thanks,

Octavian

Beginner

Re: Cisco ISE and Cisco 2960X Switches

Ok,

Tried the deny in the redirect ACL (e.g. do not redirect traffic going to, in my case, an F5 VIP) and it worked, but the Skype client connects and logs in during posture and compliance checking before "network access allowed" is seen.

Does anyone know how to restrict Skype from connecting until the client has passed posture and is fully compliant, e.g. has received a dACL of permit any any?


Just a thought: could I deny Skype TCP connections in the remediation ACL?
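Putting the two suggestions from this thread side by side (bypass by destination in the switch redirect ACL, and a restrictive remediation dACL so an application cannot log in before posture passes), as an added example that is not from any poster. The ACL names and 192.0.2.x addresses are placeholders; the `!` lines are annotations and are not part of the dACL content you would paste into ISE.

```ios
! Added example, not from the thread. Placeholder addresses throughout.
! --- Switch side: web management off, HTTP/HTTPS engine on for redirection ---
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
! --- Redirect ACL (referenced by name in the ISE authorization profile) ---
! On IOS a "deny" entry means do NOT redirect (bypass); "permit" means redirect.
! Bypass entries match on the DESTINATION, not the source.
ip access-list extended ACL-POSTURE-REDIRECT
 remark bypass: DNS, the ISE PSN and the F5 VIP that clients must reach directly
 deny   udp any any eq domain
 deny   ip  any host 192.0.2.10
 deny   ip  any host 192.0.2.20
 remark everything else on 80/443 is intercepted, so the switch answers HTTPS
 remark with its own self-signed cert unless the destination is bypassed above
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! --- Remediation dACL (pushed by ISE while posture is unknown/non-compliant) ---
! Only remediation traffic is open; an application's login attempts fall through
! to the final deny until ISE swaps this for the "permit ip any any" dACL.
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
permit ip any host 192.0.2.10
permit ip any host 192.0.2.30
deny   ip any any
```

192.0.2.10 stands for the ISE PSN, 192.0.2.20 for the F5 VIP and 192.0.2.30 for the remediation server; the redirect ACL is applied via the ISE authorization profile, not on the interface.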