ISE CWA URL Redirection for https

tolarosa@cisco.com
Cisco Employee

Hi All,

I'm running into some issues getting CWA URL Redirection to work with https sessions.  When we try to browse to https websites (Google, etc.), CWA URL Redirection doesn't work.  It works great with http websites. Is there a workaround or a solution for this type of situation?

Thanks,

-Tony

Accepted Solution

Likely issue is that the client browser is not trusting the cert from the switch.  In the process of redirection, the switch must respond directly to the HTTPS request and attempt the redirect.  Since the certificate does not match what is expected for the target site, such as Google.com, the browser will likely produce an error.  Depending on browser version and config, it may simply allow you to continue, but as browsers lock down untrusted content, it may not allow the user to proceed at all.  Some mobile clients handle captive portals by sending out discovery packets on http to auto-open a mini-browser for auth.  On wired, you will likely not see this yet.  Although not ideal, one option is to have users set their home page to the company's internal landing page, or to have guests/contractors open the internal company page.

4 Replies

#Mat
Level 6

Hi Tony. You have to enable it: "config network web-auth https-redirect enable"

In these links, you will find the full information.

Understanding HTTPS Redirect over Web-a... - Cisco Support Community

Configure HTTPS Redirect over Web-auth - Cisco

I hope you find it useful.

Regards.

Thanks Matias, however I should have mentioned this is CWA on a switch wired network, not WLC.  I have the following ip http and ACL configured:

ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip access-list extended ACL_WEBAUTH_REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any

-Tony


If you are testing with Chrome going to Google your ACL probably wouldn't work as Chrome will default to using QUIC protocol (UDP/443) and your ACL doesn't intercept that and the switch would have no chance of redirecting a proprietary protocol.  Do you have a DACL applied as well to block traffic?

I am assuming you have tried other SSL web sites in browsers other than Chrome and they don't redirect either.
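To make the two points raised in this thread concrete (the switch having to answer a TCP/443 request with its own certificate, and QUIC on UDP/443 slipping past a TCP-only redirect ACL), here is an added Python example that is not from the thread or from Cisco: it parses the redirect ACL Tony posted and reports what the switch can do with each constructed client flow. The flow names, the port-name map and the outcome strings are assumptions for illustration.

```python
# Constructed copy of the redirect ACL posted in the thread (IOS extended-ACL syntax).
REDIRECT_ACL = """\
ip access-list extended ACL_WEBAUTH_REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
"""
PORT_NAMES = {"www": 80, "https": 443}

# Constructed client flows (protocol, destination port) from a browser on a pre-auth port.
FLOWS = {
    "http://www.example.com": ("tcp", 80),
    "https://www.example.com over TLS/TCP": ("tcp", 443),
    "https://www.example.com over QUIC (Chrome default)": ("udp", 443),
}

def parse_acl(text: str) -> list:
    """Return (action, protocol, dst_port) tuples; dst_port None means any port.
    Simplification (assumption): 'any' addresses and a destination 'eq <port>' only."""
    aces = []
    for line in text.strip().splitlines()[1:]:  # skip the 'ip access-list' header line
        tok = line.split()
        dport = None
        if "eq" in tok:
            name = tok[tok.index("eq") + 1]
            dport = PORT_NAMES.get(name) or int(name)
        aces.append((tok[0], tok[1], dport))
    return aces

def first_match(aces: list, proto: str, dport: int) -> str:
    """IOS evaluates ACEs top-down, first match wins, implicit deny at the end.
    For a redirect ACL, 'permit' means intercept, 'deny' means pass through."""
    for action, ace_proto, ace_port in aces:
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            return action
    return "deny"

def classify(aces: list, flows: dict) -> dict:
    """What the redirect ACL lets the switch do with each flow."""
    result = {}
    for name, (proto, dport) in flows.items():
        if first_match(aces, proto, dport) != "permit":
            result[name] = "passed through: no redirect"
        elif proto == "tcp" and dport == 443:
            # The switch answers the TLS handshake with its own cert, which lacks the requested hostname.
            result[name] = "intercepted: certificate warning before the redirect"
        else:
            result[name] = "intercepted: HTTP 302 to the CWA portal"
    return result
```

Run `classify(parse_acl(REDIRECT_ACL), FLOWS)` to see that only the QUIC flow escapes the ACL, which is why a Chrome test against Google never reaches the switch's redirect at all.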