Solved: Re: Cisco ISE Posture Redirection - HTTP & HTTPS on NAD device

wavarevivek1 · ‎10-26-2023

Hi,

We are having ISE 2.7 patch 9 and it is used for for endpoint posturing. For unknown clients posture reduction we have enabled the http and https redirection on cisco NAD switches.

But now we have reported http and https vulnerability from our SOC team and to disable the same.

Please suggest if there is any alternative way for redirection without enabling http & https on NAD switches or else if there is any way to use http & https without any impacting.

Rob Ingram · ‎10-26-2023

@wavarevivek1 there are redirectionless posture options, you'd need to predeploy the call home server list to the clients:-

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

https://www.cisco.com/c/en/us/support/docs/security/policy-access-management/220394-implementing-ise-redirectionless-posture.html

View solution in original post

Charlie Moreton · ‎10-26-2023

On IOS-XE devices that don't require access to the web UI, it is recommended to use the following commands to prevent access to the web UI while still allowing the ISE redirect use cases:

ip http active-session-modules none
ip http secure-active-session-modules none

View solution in original post

thomas · ‎11-06-2023

The recommendation provided by @Charlie Moreton is documented in Cisco TAC Technical FAQs for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198 > 3. I am using Identity Services Engine (ISE) redirect use cases and can't disable the http/https servers. What can I do?

View solution in original post

Rob Ingram · ‎10-26-2023

@wavarevivek1 there are redirectionless posture options, you'd need to predeploy the call home server list to the clients:-

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

https://www.cisco.com/c/en/us/support/docs/security/policy-access-management/220394-implementing-ise-redirectionless-posture.html

Charlie Moreton · ‎10-26-2023

On IOS-XE devices that don't require access to the web UI, it is recommended to use the following commands to prevent access to the web UI while still allowing the ISE redirect use cases:

ip http active-session-modules none
ip http secure-active-session-modules none

thomas · ‎11-06-2023

The recommendation provided by @Charlie Moreton is documented in Cisco TAC Technical FAQs for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198 > 3. I am using Identity Services Engine (ISE) redirect use cases and can't disable the http/https servers. What can I do?

Cisco ISE Posture Redirection - HTTP &amp; HTTPS on NAD device.

Cisco ISE Posture Redirection - HTTP & HTTPS on NAD device.