I have installed Cisco ISE (4.2 with NAM and Posture mods). For some reason my clients (EAP-TLS) are authenticating and authorising fine, but some of my clients are seeing a Windows security alert during authentication indicating that the cert isn't trusted. When I view the cert, it's the self-signed one from the 2960x switch.
I believe an application is trying to contact a server over 443, but why would a switch respond to a client request with its own self-signed cert?
Any help would be great, thanks!
Haven't you enabled/configured the ip http server and ip http secure-server commands on the switch?
These commands are needed for redirection. Each time you want to redirect some traffic, the switch spoofs the destination server and responds on behalf of your destination (the flow must be allowed from the management VLAN to the workstation/data VLAN). :)
Usually, the redirected traffic would be http as in app access, but you might have some apps that are trying some https.
You can give it a go with a specific call home server (I think this was the name of the section) in the posture profile so that you get redirected for a specific destination (that is - http).
Yes, ip http server and ip http secure-server are configured and working.
Also configured are the commands below for disabling web management:
ip http active-session-modules none
ip http secure-active-session-modules none
I think the issue is that while clients are being redirected (posturing/system scan) during remediation, an app is also being redirected (HTTP) at the same time and the switch is responding with its cert. I think if I alter the redirect ACL to deny the source, that should work (i.e. bypass redirection).
You could try a SPAN config, or run Wireshark directly on the endpoint, to check where it tries to connect.
(Regarding the bypass, you have to deny/bypass based on destination, not source.)
Tried the deny in the redirect ACL (e.g. do not redirect traffic going to, in my case, an F5 VIP) and it worked, but the Skype client connects and logs in during posture and compliance checking before "network access allowed" is seen.
Does anyone know how to restrict Skype from connecting until the client has passed posture and is fully compliant, e.g. has received a dACL of permit any any?
Just a thought: could I deny Skype TCP connections in the remediation ACL?
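Below is an added worked configuration illustrating the two points raised in this thread (bypassing redirection by destination, and blocking an application in the pre-posture dACL); it is a constructed example, not config posted by anyone in the thread or taken from a Cisco document. All addresses are placeholders: ISE PSN 10.0.0.10, an F5 VIP 10.0.1.20 that must not be redirected, and a Skype server 10.0.2.30 that must stay unreachable until the endpoint is compliant. The redirect ACL lives on the switch; the dACL text is what you paste into the ISE downloadable ACL referenced by the pre-posture authorization profile (the same profile that selects the redirect ACL by name).

```cisco
! --- Switch side (Catalyst 2960X) ---
! HTTP(S) interception requires both servers; the cert the endpoint sees on
! intercepted 443 flows is the switch's own self-signed certificate.
ip http server
ip http secure-server
! Keep interception without exposing the web management UI.
ip http active-session-modules none
ip http secure-active-session-modules none

! Redirect ACL: "deny" = do NOT intercept (traffic passes untouched),
! "permit" = intercept and redirect to the ISE portal.
! Entries are evaluated on destination, so bypass by destination, not source.
ip access-list extended ISE-REDIRECT
 deny   udp any any eq domain
 deny   ip  any host 10.0.0.10
 deny   ip  any host 10.0.1.20
 permit tcp any any eq www
 ! Leave the next line out if you only want cleartext HTTP redirected;
 ! with it, every HTTPS flow not denied above gets the switch's self-signed cert.
 permit tcp any any eq 443

! --- ISE side: pre-posture (remediation) dACL content ---
! The dACL, not the redirect ACL, decides what the endpoint may reach at all.
! Bypassing a destination in ISE-REDIRECT only stops interception; if the dACL
! still permits it, the app connects. Deny Skype explicitly before the permits.
permit udp any any eq domain
permit ip any host 10.0.0.10
deny   tcp any host 10.0.2.30 eq 443
deny   tcp any host 10.0.2.30 eq 5061
permit tcp any any eq www
permit tcp any any eq 443
! (implicit deny ip any any)

! Compliant authorization profile dACL:
permit ip any any
```

Ordering matters in both lists: an ACE matching 10.0.2.30 placed after `permit tcp any any eq 443` never fires. The 5061 line assumes SIP over TLS for the Skype client; check the ports your deployment actually uses before relying on it.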