DNAC SDA Provisioned Guest Portal on ISE - 9800 SSL interception issue

Arne Bier
VIP

Hello


I have a question that straddles many domains: ISE, SD Access, and 9800 wireless. But perhaps someone on this Community can give me some pointers.

We are using DNAC 1.3.3.8, one ISE 2.7 p2 node and 9800-CL 17.3.1 - it's an SD Access PoC deployment and one of the use cases is a Central Web Auth (on ISE) which is SAML enabled (to Office 365). The SAML integration is probably neither here, nor there, but it's not a standard Sponsored Guest portal - the URL redirection Authorization Profile still contains the FQDN of the single ISE node. We provisioned a standard Self-Registered Guest Portal via DNAC and DNAC pushed a lot of config to the 9800, and ISE. But when we tested this, the client PC (Windows) pops up a browser and shows a certificate warning - the FQDN of ISE resolves to the IP address of ISE, but the cert warning on the PC is because the 9800's certificate was presented to the client.

I have never seen nor implemented SSL redirection on Cisco WLCs (but I recently did this on another vendor, and in that case it mandated that we installed the web portal certificate on the WLC of that vendor - then all was well - it was due to the fact that TCP/443 was being terminated on the WLC, and the cert was used to avoid the client getting a cert warning).


Is this perhaps a new behaviour in IOS-XE 17.3? Or is it a side effect of an error in the routing/fabric/fusion that caused the TCP connection to terminate on the WLC?


DNAC pushed a redirect ACL to the 9800 that included all the usual 'deny' statements to allow DNS, ISE etc. and then the two final 'permit' statements to cause the redirection - it pushed tcp/80 and tcp/443 - I tried disabling tcp/443 to cause it not to attempt SSL redirection but then nothing worked.


Has anyone got this working in SDA using an ISE Guest Portal?


Any hints appreciated.


3 Replies

martin.fischer
Level 1

Hi @Arne Bier 

I believe that for HTTP redirection you also need to enable 'ip http server' on the 9800. Is this activated?

After that your solution with denying tcp/443 should work.

Thank you! That was it. Seems that the setting was disabled at some point in an attempt to make the GUI management plane "more secure" since we're told that HTTP is insecure. But in this case it unfortunately also breaks the redirection.

I would still be interested to know how best to install the ISE portal cert and the CA chain for future reference. It’s not obvious to me how the portal cert relates to the existing Trust Points or whether it needs a new TP. Clear and simple documentation would be nice. 

Switches support the command "ip http active-session-modules none", which leaves the needed HTTP server on for redirection but does not respond to HTTP management attempts. Unknown if this command is also present on the 9800.
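As an added illustration of the two points made in this thread (the HTTP server must stay enabled for web-auth redirection, and the tcp/443 "permit" in the redirect ACL is what makes the WLC terminate HTTPS and present its own certificate), here is a constructed IOS-XE configuration fragment. It is not taken from the thread or from a DNAC template; the ACL name and the ISE address 192.0.2.10 are placeholders, and whether "ip http active-session-modules none" is accepted on the 9800 is exactly the open question raised above, so verify it on your release before relying on it.

```cisco
! Web-auth redirection on the 9800 rides on the IOS-XE HTTP server.
! Disabling it to "harden" management also disables the redirect.
ip http server
ip http secure-server
!
! Keep the HTTP server process up for redirection but stop it from
! serving the management GUI (command exists on Catalyst switches;
! availability on the 9800 is unverified in this thread).
ip http active-session-modules none
ip http secure-active-session-modules none
!
! Redirect ACL as applied to a web-auth client session.
! In a redirect ACL "deny" = pass the traffic through untouched,
! "permit" = intercept and redirect to the ISE portal URL.
ip access-list extended REDIRECT_ISE_GUEST_EXAMPLE
 ! Let the client resolve the ISE FQDN and reach the portal directly.
 deny   udp any any eq domain
 deny   ip  any host 192.0.2.10
 ! Intercept plain HTTP only. Leaving out tcp/443 here means the
 ! WLC never terminates HTTPS itself, so the client is not shown the
 ! 9800's certificate; HTTPS-only probes will then simply fail open.
 permit tcp any any eq www
 ! permit tcp any any eq 443   <- this line is what causes the
 !                                9800 certificate warning seen above
```

With tcp/443 commented out as shown, a client that first opens an HTTP page is redirected cleanly to ISE, whose own portal certificate is then the only one the browser sees.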