ISE Compliant Users - Can't access internal resources using HTTPs

Mostafa hasanin
Level 1

Dears,

 

We have a new deployment of ISE. When users are put in the compliant state, the internet works normally, but when they try to access internal resources using HTTPS, the browser, rather than displaying a certificate warning and letting users continue, displays the page below:

"the network you're using may require you to go to sign-in page"

When I press the connect button, it redirects me to a page like gstatic.com (in Chrome) and edge.microsoft (in Edge).

The issue happens with the Edge and Chrome browsers only; Internet Explorer works fine.

Any HTTPS application that is trusted by Chrome or Edge works fine, but the issue is when the certificate is untrusted by the browser: it does not display the certificate warning.

In addition, it happens with both Compliant Users and the Guest Portal.

We are using ISE 3.0 and the AnyConnect supplicant 4.10.

How can we resolve that issue?

 

(Attachments: ISE Issue with Complaint Users.png, ISE Issue with Guests.jpeg)

Accepted Solution

Arne Bier
VIP

Hi

 

Is this for a Cisco switch?

It sounds like there is still some URL redirection happening, because the switch is being instructed to do so.

 

It would be helpful to know what the config looks like on that port (see the commands below) and also what the Authorization Profile looks like that ISE sends in the case of a "compliant" user session.

show derived-config interface gig x/y/z
show access-session interface gig x/y/z detail

 

On switch ports there are three types of ACL at play (from what I have discovered):

- inherent ACL (at least a basic ACL to allow DHCP; this ACL is configured on the interface)
- dACL (downloaded from ISE), used to allow/block user traffic
- redirection ACL (used to determine what will trigger an HTTP interception/redirection)

I am not sure about the precedence (which ACL is processed in what order), but be aware that there is more than one ACL at play!

A good starting point for wired NAC is this guide.

 

Hi Arne,

 

The dACL for compliant users is "permit ip any any".

 

Below is the port configuration:

 

interface g1/0/1
 ip access-group ACL_Default in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable

 

We removed the 443 redirection from the redirection ACL, but the issue is the same.

Hi @Mostafa hasanin 

 

Does your switch have the global config command to enable URL redirection?

ip http server

This must be there to allow the switch to intercept HTTP traffic (URL redirection).

 

If you're concerned about securing the switch's web interface, then you need to add the commands below; they disable TCP/80 and TCP/443 web access to the switch's web services:

ip http active-session-modules none
ip http secure-active-session-modules none


Hi Arne,

Yes, the switch is configured with ip http server.

 

I disabled HTTPS as I thought it was causing the issue, but after disabling it the issue still exists.

 

Could you please help solve this issue, as a lot of users are suffering?

Need more details. When you have such a situation, have you looked at the session details on the switch? E.g. when the user gets this page, you need to check (using gig 1/0/1 as an example):

show access-session int gig 1/0/1 detail

Then also verify the state of all ACLs applied. There is an ACL on gig 1/0/1, and also ISE is sending back a dACL; this is a dynamic ACL whose name changes all the time. You can get the exact name of the dACL from the access-session details:

show ip access-list int gi 1/0/1
show ip access-list xxxxxxxxx<dACL_Name>xxxxxxx

Then, other basic checks to be performed on the workstation that is suffering: go to the command line and check whether users can resolve the portal using DNS, and if you have telnet installed, see what is returned when you try a TCP connection to 443 and 8443 (ISE should redirect your 443 to 8443):

nslookup isepsn1.domain.edbe.local
telnet isepsn1.domain.edbe.local 443
telnet isepsn1.domain.edbe.local 8443

DNS must work. If it doesn't, then investigate that first.
If users are suffering, then this is an urgent issue and you should contact TAC to investigate and help you resolve the issue.
This Community forum is not TAC and is not suited for this type of urgent support need or troubleshooting complex issues.

Can you describe your deployment and how you do redirection? Also, are you using any proxy for SSL interception?

We have 6 ISE nodes, 2 nodes are PAN and 4 nodes are PSNs.

We use the redirection ACL below; we removed the 443 redirection, but the issue still occurs.

ip access-list extended ACL_REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host <ISE-IP>
permit tcp any any eq www
deny ip any any log
exit

 

We have a proxy, but internal HTTPS resources are bypassed from the proxy.
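To see what that ACL_REDIRECT does to a client's traffic, here is an added example (not part of the thread, and not Cisco's or ISE's code) that evaluates constructed flows against a copy of the ACL with first-match semantics; the page's <ISE-IP> placeholder is filled with an assumed documentation address, and the client and server addresses are made up. Browser connectivity probes, such as the ones to gstatic.com and edge.microsoft mentioned above, go over plain HTTP, and the evaluation shows that those are still intercepted by the `permit tcp any any eq www` line even though the internal HTTPS flow is not.

```python
from collections import namedtuple

# Constructed copy of the thread's ACL_REDIRECT; the page's <ISE-IP> placeholder is
# replaced with an assumed documentation address (192.0.2.10) standing in for a PSN.
ACL_REDIRECT = """\
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host 192.0.2.10
permit tcp any any eq www
deny ip any any log"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
Flow = namedtuple("Flow", "proto src sport dst dport")  # proto is "tcp" or "udp"

def _addr(t, i):
    """Parse one IOS address spec ('any' or 'host A.B.C.D'); return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, want=t[i + 1]: ip == want), i + 2
    raise ValueError(f"unsupported address spec: {t[i]}")

def _port(t, i):
    """Parse an optional 'eq <port>' qualifier; absent means any port."""
    if i < len(t) and t[i] == "eq":
        want = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (lambda p, want=want: p == want), i + 2
    return (lambda p: True), i

def parse_acl(text):
    """Turn ACE lines into (action, proto, src, sport, dst, dport, text) tuples, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)  # a trailing 'log' keyword is simply ignored
        aces.append((t[0], t[1], src, sport, dst, dport, line))
    return aces

def redirect_decision(aces, flow):
    """First-match lookup. On a redirect ACL, 'permit' means the switch intercepts the
    flow and sends the client to the ISE portal; 'deny' means it passes through untouched."""
    for action, proto, src, sport, dst, dport, text in aces:
        if proto in ("ip", flow.proto) and src(flow.src) and sport(flow.sport) \
                and dst(flow.dst) and dport(flow.dport):
            return action, text
    return "deny", "implicit deny"

ACL = parse_acl(ACL_REDIRECT)
```

Call `redirect_decision(ACL, Flow("tcp", "10.1.1.50", 51000, "203.0.113.5", 80))` for a constructed port-80 probe and it returns a permit on the www line, while a flow to an internal server on 443 falls through to the final deny; a permit hit on such a probe is what lets Chrome or Edge conclude that they sit behind a captive portal.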