Beginner

IOS CWA Redirect - ISE - Safari

I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.

Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?

I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients.  What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.

My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch (3850, 3750X) certificate.  Firefox and Chrome both work without issues on the test Macbooks.  I'm unable to find anything in the Bugtoolkit about it.

If using Safari on a Cisco switch for CWA is unsupported, please provide a link to a Cisco document detailing it.

1 ACCEPTED SOLUTION

Participant

Safari is not a supported browser for the ISE admin web portal (see http://www.cisco.com/en/US/docs/security/ise/1.2/compatibility/ise_sdt.html#wp113932). Please use Firefox ESR: http://www.mozilla.org/en-US/firefox/organizations/all.html

This is a known issue being addressed in ISE 1.3:

CSCty87291    admin web requests id cert when passwd auth only but CA trusted


Basant,

Thanks for replying, but this isn't a question of managing ISE.

The problem is when Safari is redirected to the Guest Portal, which, according to table 8 of what you linked, is supported.

The redirect issue does not occur when using a 5508 with traditional WLC code.  It is only the IOS Webauth Redirect that is breaking the redirect process and causing Safari to hang.

Beginner

This issue has been resolved.  It turned out that the Macbook was trying to do a CRL download to confirm that the certificate was valid.  I am pretty sure it was because the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store.  Firefox works because they handle CRL checks differently.

I had two different resolutions as I had the problem at two different customers/sites.

 

First test was allowing access to crl.godaddy.com.  After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.

 

At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all Macbooks to resolve the issue.

 

In addition, and worthy of note: if you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.

 

tl;dr - Double-check Certificate trust settings on Apple because they are evil.
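
As an added example (not part of the original post): a shell helper that lists the CRL, OCSP and CA Issuers hosts named in a certificate, which are the hosts a client may try to reach before it has authenticated and so the candidates to exclude from the redirect ACL and permit in the dACL. It parses `openssl x509 -noout -text` output; the function names, the sample text and its `example.test` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl x509 -noout -text` output on stdin and prints
# one "KIND host port" line per HTTP(S) revocation/issuer endpoint, de-duplicated.
# Typical use against a saved certificate (file name is an assumption):
#   openssl x509 -in switch-or-ise-cert.pem -noout -text | revocation_hosts
revocation_hosts() {
  awk '
    # Any new extension header ends the CRL Distribution Points section.
    /X509v3 |Authority Information Access|Signature Algorithm/ { in_crl = 0 }
    /X509v3 CRL Distribution Points/ { in_crl = 1 }
    {
      kind = ""
      if ($0 ~ /OCSP - URI:/)            kind = "OCSP"
      else if ($0 ~ /CA Issuers - URI:/) kind = "CA-Issuers"
      else if (in_crl && $0 ~ /URI:/)    kind = "CRL"
      if (kind == "") next                  # e.g. a URI inside the SAN
      url = $0
      sub(/^.*URI:/, "", url); sub(/[ \t\r]+$/, "", url)
      scheme = url; sub(/:.*$/, "", scheme)
      if (scheme !~ /^https?$/) next        # ldap:// etc. are out of scope here
      host = url; sub(/^[a-z]+:\/\//, "", host); sub(/\/.*$/, "", host)
      port = (scheme == "https") ? 443 : 80
      if (host ~ /:[0-9]+$/) {              # explicit port in the URL
        port = host; sub(/^.*:/, "", port); sub(/:[0-9]+$/, "", host)
      }
      key = kind " " host " " port
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample in the layout openssl prints; hosts are placeholders.
sample_cert_text() {
  cat <<'EOF'
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/intermediate.crl

            X509v3 Subject Alternative Name:
                DNS:portal.example.test, URI:https://ignored.example.test/id
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test/
                CA Issuers - URI:http://certs.example.test:8080/intermediate.crt
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_cert_text | revocation_hosts
```

Run it on every certificate in the chain the portal presents, since an intermediate can name different endpoints than the leaf. The hosts behind these names can resolve to changing addresses, so an IP-based ACL entry needs to be rechecked over time.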