03-06-2015 10:33 AM - edited 03-10-2019 10:31 PM
I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).
My question here is, Do we need to configure http and https server on the switches (both supplicant and authenticator)?
I am sure it will need but just wanted a confirmation..
I have checked the configuration for supplicant and Authenticator switches for ISE and it has no where mentioned that part of the config.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.
(config of supplicant and authenticator switch)---- nowhere mentioned of the http/https config for both switches.
Solved! Go to Solution.
03-06-2015 11:28 AM
Yes, its needed. The http/s server within the swtich is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal. .
ip http server
ip http secure-server
The info below I grabbed from Cisco ISE for BYOD and secure unified access book.
"Many organization want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management intervace and control plane of a switch. this may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none"
03-06-2015 11:28 AM
Yes, its needed. The http/s server within the swtich is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal. .
ip http server
ip http secure-server
The info below I grabbed from Cisco ISE for BYOD and secure unified access book.
"Many organization want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management intervace and control plane of a switch. this may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none"
03-06-2015 02:25 PM
Thanks Cehill..
03-06-2015 02:49 PM
Your welcome.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide