09-21-2020 12:03 PM
We've created a policy on ISE so that users connecting to the LAN on non-corporate devices are redirected to a portal where they can enter their Active Directory credentials and connect to the network on VLANX. The CWA redirect policy works; however, the clients get a certificate error, as the switch they are connected to is presenting them with a self-signed certificate rather than the certificate assigned to the "default portal certificate group". Our network support team have confirmed that the HTTP active session modules have been disabled on the switch using the commands below:
ip http secure-active-session-modules none
ip http active-session-modules none
Has anyone come across this issue before and what did they do to resolve it? I've attached a copy of the initial DACL for reference.
09-21-2020 01:32 PM - edited 09-21-2020 01:44 PM
HTTPS redirection is not recommended for production environments because of the following reasons:
If you don't use HTTPS redirect then you won't receive the certificate presented by the switch nor the error.
HTH
09-22-2020 02:30 AM
09-22-2020 02:42 AM
The switch itself does not need to be listening on the port you are using in the ISE portals. You just need to enable http server, which will redirect tcp/80 traffic to the ISE portal. Yes, you can use that command to disable https, as long as "ip http server" is enabled.
HTH
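To make the two switch states concrete, here is an added IOS configuration example (not the poster's attached config or Rob's own): the first block reproduces the symptom (the switch terminates TLS itself with its self-signed certificate), the second keeps only the plain HTTP listener as recommended. The ACL name and the ISE PSN address are assumed placeholders.

```cisco
! --- Before: HTTPS redirect active. The switch answers tcp/443 with its own
! --- self-signed certificate, so browsers show the certificate error.
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
! --- After: keep tcp/80 interception only, drop the HTTPS listener.
! --- No switch certificate is presented; the portal is reached on ISE's own cert.
ip http server
no ip http secure-server
ip http active-session-modules none
!
! --- Redirect ACL referenced by the ISE authorization profile (name assumed).
! --- 192.0.2.10 is a placeholder for the ISE PSN. No "eq 443" entry: with the
! --- secure server disabled, HTTPS sessions are not intercepted, so a user must
! --- hit an HTTP site before the portal appears.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
!
! --- Verify on the switch that only the plain listener is up:
! --- show ip http server status
! ---   HTTP server status: Enabled
! ---   HTTP secure server status: Disabled
```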
09-22-2020 07:31 AM
Hi Rob,
As per my previous post, we are experiencing the same issue as the link below albeit on the LAN rather than WLC.
https://community.cisco.com/t5/network-access-control/ise-cwa-url-redirection-for-https/td-p/3426840
Any ideas/suggestions on how to resolve this so the user experience is smooth?
Thanks
09-22-2020 04:49 AM
Thanks Rob, the switch certificate error has now disappeared.
The issue we now face is that users are only redirected to the portal if they browse to an HTTP website; having an HTTPS website as their homepage and opening the browser doesn't automatically redirect them to the portal. Any ideas?
09-22-2020 09:28 PM
Please re-read Rob's original answer about Concerns, Warnings and Failures. Browsers won't do it.
09-22-2020 11:06 PM
Hi Thomas,
I'm not sure Rob's reply answers my question re the browser redirection.
If we disable HTTPS redirection on the switch, how do we get users to the portal page, as ISE will only allow us to set the portal port to HTTPS? Currently the only way for users to reach it is to browse to an HTTP webpage manually; this is not a good user experience.
Looking at other posts it seems that the redirection works with a WLC so surely this is achievable on the LAN?