Client Certificate Error on Portal Redirect

We've created a policy on ISE so that users connecting to the LAN on non-corporate devices are redirected to a portal where they can enter their Active Directory credentials and connect to the network on VLANX. The CWA redirect policy works; however, the clients get a certificate error, as the switch they are connected to is presenting them with a self-signed certificate rather than the certificate assigned to the "default portal certificate group". Our network support team have confirmed that the HTTP active session modules have been disabled on the switch using the commands below:

ip http secure-active-session-modules none
ip http active-session-modules none

Has anyone come across this issue before, and what did they do to resolve it? I've attached a copy of the initial DACL for reference.

Accepted Solution

VIP Mentor

Hi @InfraISE2020 

HTTPS redirection is not recommended for production environments because of the following reasons:

  • Security concern: HTTPS redirection is intended to hijack a secure web connection initiated by an endpoint, which is not a good idea.
  • Failure to work: most web browsers block intercepted HTTPS connections.
  • Certificate warnings: even if web browsers allow access, there can be certificate warnings because the switch presents its own certificate for the TLS handshake.
  • Scalability issues: multiple HTTPS redirections can overload the switch CPU, thereby degrading the switch performance.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

If you don't use HTTPS redirect then you won't receive the certificate presented by the switch nor the error.

 

HTH

7 Replies

Hi Rob,

 

Thanks for the quick reply.

 

I'm a little confused as the only ports available on the portal configuration are for HTTPS (8000 - 8999). 

 

Are you saying that we can run no ip http secure-server on our switches and the URL redirect will still work?

 

Thanks

 

 

VIP Mentor

Hi @InfraISE2020 

The switch itself does not need to be listening on the port you are using in the ISE portals. You just need to enable http server, which will redirect tcp/80 traffic to the ISE portal. Yes, you can use that command to disable https, as long as "ip http server" is enabled.

 

HTH
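To make the two answers above concrete, here is an added illustration (not from the thread, and not Cisco's own documentation) of the switch-side CWA redirect configuration Rob describes, with the HTTPS-intercepting variant next to the HTTP-only variant. The ISE PSN address 192.0.2.10 and the ACL name ACL-WEBAUTH-REDIRECT are placeholders; the two "active-session-modules none" lines are the ones already quoted in the original question.

```text
! Added example (not from the original thread): Catalyst IOS-style CWA
! redirect configuration. Addresses and ACL names are placeholders.
!
! --- Variant 1: HTTPS interception enabled (causes the certificate error) ---
! With the secure server on, the switch terminates TCP/443 itself and
! presents its own self-signed certificate, so every HTTPS client that
! hits the redirect ACL sees a certificate warning.
ip http server
ip http secure-server
!
! --- Variant 2: intercept HTTP only (what the accepted answer suggests) ---
! The HTTP server must stay on so the switch can issue the redirect to the
! ISE portal, but with the secure server off the switch never terminates a
! TLS session and the self-signed certificate is never presented.
ip http server
no ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
! Redirect ACL referenced by name from the ISE authorization profile
! (placeholder name; it must exist locally on the switch).
! Traffic matching "deny" entries is exempt from redirection; traffic
! matching "permit" entries is intercepted and redirected.
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark DNS must work so the portal FQDN can be resolved
 deny   udp any any eq domain
 remark placeholder ISE PSN; the portal itself listens on its tcp/8xxx port
 deny   ip any host 192.0.2.10
 remark only plain HTTP is intercepted; tcp/443 is deliberately not listed
 permit tcp any any eq www
```

With variant 2 the switch only answers the intercepted HTTP request and then sends the browser to the ISE portal URL (HTTPS on the 8000-8999 port configured in ISE), so the portal certificate the client sees is the one in the ISE portal certificate group, not the switch's. The trade-off is the one discussed later in the thread: a browser whose first request is already HTTPS never matches the intercept, so it is not redirected.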


Hi Rob,

 

As per my previous post, we are experiencing the same issue as the link below albeit on the LAN rather than WLC. 

 

https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840

 

Any ideas/suggestions on how to resolve this so the user experience is smooth? 

 

Thanks

Beginner

Thanks Rob, the switch certificate error has now disappeared.

 

The issue we now face is that users are only redirected to the portal if they browse to an HTTP website. Having an HTTPS website as their homepage and opening the browser doesn't automatically redirect them to the portal. Any ideas?

 


Please re-read Rob's original answer about Concerns, Warnings and Failures. Browsers won't do it.


Hi Thomas,

 

I'm not sure Rob's reply answers my question regarding the browser redirection.

 

If we disable HTTPS redirection on the switch, how do we get users to the portal page, as ISE will only allow us to set the portal port to HTTPS? Currently the only way for users to reach it is to browse to an HTTP webpage manually, which is not a good user experience.

 

Looking at other posts it seems that the redirection works with a WLC so surely this is achievable on the LAN?