Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2819
Views
5
Helpful
7
Replies

Client Certificate Error on Portal Redirect

Go to solution
InfraISE2020
Level 1
Level 1

‎09-21-2020 12:03 PM

We've created a policy on ISE so that users connecting to the LAN on non-corporate devices are redirected to a portal where they can enter their active directory credentials and connect to the network on the VLANX. The CWA redirect policy works however the clients get a certificate error as the switch they are connected to is presenting them with a self-signed certificate rather than the certificate assigned to the "default portal certificate group". Our network support team have confirmed that http active session modules have been disabled on the switch using the commands below: ip http secure-active-session-modules none ip http active-session-modules none. 

 

Has anyone come across this issue before and what did they do to resolve it? I've attached a copy of the initial DACL for reference. 

Preview file
7 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-21-2020 01:32 PM - edited ‎09-21-2020 01:44 PM

Hi @InfraISE2020 

HTTPS redirection is not recommended for production environments because of the following reasons:

  •  Security concern-HTTPS redirection is intended to hijack a secure web connection initiated by an endpoint, which is not a good idea.
  • Failure to work-Most web browsers block intercepted HTTPS connections.
  • Certificate warnings-Even if web browsers allow access, there can be certificate warnings because the switch presents its own certificate for TLS handshake.
  • Scalability issues-Multiple HTTPS redirections can overload the switch CPU there by degrading the Switch performance

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

If you don't use HTTPS redirect then you won't receive the certificate presented by the switch nor the error.

 

HTH

View solution in original post

7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎09-21-2020 01:32 PM - edited ‎09-21-2020 01:44 PM

Hi @InfraISE2020 

HTTPS redirection is not recommended for production environments because of the following reasons:

  •  Security concern-HTTPS redirection is intended to hijack a secure web connection initiated by an endpoint, which is not a good idea.
  • Failure to work-Most web browsers block intercepted HTTPS connections.
  • Certificate warnings-Even if web browsers allow access, there can be certificate warnings because the switch presents its own certificate for TLS handshake.
  • Scalability issues-Multiple HTTPS redirections can overload the switch CPU there by degrading the Switch performance

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

If you don't use HTTPS redirect then you won't receive the certificate presented by the switch nor the error.

 

HTH

Go to solution
InfraISE2020
Level 1
Level 1
In response to Rob Ingram

‎09-22-2020 02:30 AM

Hi Rob,

 

Thanks for the quick reply.

 

I'm a little confused as the only ports available on the portal configuration are for HTTPS (8000 - 8999). 

 

Are you saying that we can run no ip http secure-server on our switches and the URL redirect will still work?

 

Thanks

 

 

Preview file
69 KB
0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎09-22-2020 02:42 AM

Hi @InfraISE2020 

The switch itself does not need to be listening on the port you are using in the ISE portals. You just need to enable http server, which will redirect tcp/80 traffic to the ISE portal. Yes, you can use that command to disable https, as long as "ip http server" is enabled.

 

HTH

0 Helpful

Go to solution
InfraISE2020
Level 1
Level 1
In response to Rob Ingram

‎09-22-2020 07:31 AM

Hi Rob,

 

As per my previous post, we are experiencing the same issue as the link below albeit on the LAN rather than WLC. 

 

https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840

 

Any ideas/suggestions on how to resolve this so the user experience is smooth? 

 

Thanks

0 Helpful

Go to solution
InfraISE2020
Level 1
Level 1

‎09-22-2020 04:49 AM

thanks Rob, the switch certificate error has now disappeared.

 

The issue we now face is that users are only redirected to the portal if they browse to a http website, having an https website as their homepage and opening the browser doesn't automatically redirect them to the portal, any ideas? 

 

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee
In response to InfraISE2020

‎09-22-2020 09:28 PM

Please re-read Rob's original answer about Concerns, Warnings and Failures. Browsers won't do it.

0 Helpful

Go to solution
InfraISE2020
Level 1
Level 1
In response to thomas

‎09-22-2020 11:06 PM

Hi Thomas,

 

I’m not sure robs reply answers my question re the browser redirection.

 

If we disable HTTPS redirection on the switch, how do we get users to the portal page as ISE will only allow us to set the portal port to HTTPS? Currently the only way for users to reach it is to browse to a HTTP webpage manually, this is not a good user experience. 

 

Looking at other posts it seems that the redirection works with a WLC so surely this is achievable on the LAN? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents