10-03-2018 11:29 PM
If Windows clients use a statically configured proxy server in their browser for HTTP/HTTPS traffic, is there any way of still getting CWA to work without turning the client proxy off?
10-04-2018 07:01 AM - edited 10-08-2018 03:12 PM
The best option is to exempt the ISE PSN IP and hostnames from going through the proxy and also add the following hosts to the proxy exemption list:
Background: These are destinations for the respective OS vendors to check whether the network access has a captive portal for hotspot or webauth enabled (AKA captive portal detection or captive portal assistant). By exempting these hosts from the proxy, the traffic to these hosts can hit the redirect ACL and get redirected to the ISE portal page, which lets the OS know that there is a captive portal to deal with prior to getting full Internet access. This allows the mini browser or task bar balloon to pop up for the user to take action, which is better than forcing them to enter a URL manually in the browser. FYI, here are the actual URLs for each vendor (they may have changed, since I collected them a few years ago):
10-03-2018 11:59 PM
You can try bypassing the PSN FQDN/IP address in the proxy.
10-04-2018 01:55 AM
Yeah I was thinking that and maybe getting clients to manually type in a URL of a site that is also bypassed to force the portal up.
10-04-2018 04:22 AM
Bypassing the PSN IPs in the proxy setting won't help with the actual redirect, but would help when they get the redirect. To actually get the redirect, you would have to do as you suggested: bypass a specific site and have the users go to that site. It could be any site that resolves. You could even use the fake site, enroll.cisco.com, which the posture module uses for discovery.
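A way to check a client's proxy exemption list against the hosts discussed in this thread, added here as an example and not part of any poster's reply. It uses a simplified model of the semicolon-separated Windows bypass list (plain hosts, IPs, `*` wildcards and `<local>`); every hostname and IP except enroll.cisco.com is a constructed placeholder, including the stand-in for the OS vendor probe hosts, which this page does not list.

```python
import re

def parse_bypass(override):
    """Split a semicolon-separated bypass list into lowercase entries."""
    return [e.strip().lower() for e in override.split(";") if e.strip()]

def matches(host, pattern):
    """Case-insensitive match where '*' in the pattern is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, host) is not None

def bypasses_proxy(host, entries):
    """True if the host would be sent direct instead of to the proxy."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry == "<local>":
            if "." not in host:  # <local> covers dotless names only
                return True
        elif matches(host, entry):
            return True
    return False

def audit(override, required_hosts):
    """Return the required hosts that would still go through the proxy."""
    entries = parse_bypass(override)
    return [h for h in required_hosts if not bypasses_proxy(h, entries)]

def overly_broad(entries):
    """Wildcard entries that exempt far more than the intended hosts."""
    return [e for e in entries
            if "*" in e and e.replace("*", "").strip(".").count(".") < 1]

# Constructed sample values (assumptions, not taken from the thread).
OVERRIDE = "psn1.corp.example;10.1.20.11;*.corp.example;<local>"
REQUIRED = [
    "psn1.corp.example", "psn2.corp.example",  # PSN FQDNs (placeholders)
    "10.1.20.11", "10.1.20.12",                # PSN IPs (placeholders)
    "enroll.cisco.com",                        # site named in the thread
    "probe.os-vendor.example",                 # stand-in for a vendor probe host
]

if __name__ == "__main__":
    print("still proxied:", audit(OVERRIDE, REQUIRED))
    print("too broad:", overly_broad(parse_bypass(OVERRIDE)))
```

Keeping the exemptions to exact hosts matters because every entry in this list is traffic the proxy no longer inspects.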