Solved: ISE CWA with client proxy settings

firestartest · ‎10-03-2018

If Windows clients use a statically configured proxy server in their browser for HTTP/HTTPS traffic is there anyway of still getting CWA to work without turning the client proxy off?

howon · ‎10-04-2018

Best option is to exempt ISE PSN IP and hostnames from going through proxy and also add in following hosts to the proxy exemption list:

www.msftncsi.com (Microsoft)
www.msftconnecttest.com (Microsoft; Windows 10 Edge browser)
www.gstatic.com (Google)
captive.apple.com (Apple)
nmcheck.gnome.org (Linux)

Background: These are destinations for respective OS vendor to check on whether the network access has captive portal for hotspot or webauth enabled (AKA captive portal detection or captive portal assistant). By exempting these hosts from proxy, the traffic to these hosts can hit the redirect ACL and gets redirected to ISE portal page which lets the OS know that there is a captive portal to deal with prior to getting full Internet access. This allows the mini browser or task bar balloon to pop-up for the user to take action, which is better than forcing them to enter a URL manually in the browser. FYI, here are the actual URL for each vendor (May have been changed, since I collected them few years ago:

http://www.msftncsi.com/ncsi.txt (Microsoft)
http://www.msftconnecttest.com/redirect (Microsoft; Windows 10 Edge browser)
http://www.gstatic.com/generate_204 (Google)
http://captive.apple.com/hotspot-detect.html (Apple)
http://nmcheck.gnome.org/check_network_status.txt (Linux)

View solution in original post

Aravind Ravichandran · ‎10-03-2018

You can try bypassing the PSN FQDN/IP address in proxy.

-Aravind

firestartest · ‎10-04-2018

Yeah I was thinking that and maybe getting clients to manually type in a URL of a site that is also bypassed to force the portal up.

paul · ‎10-04-2018

Bypassing the PSN IPs in the proxy setting won't help with the actual redirect, but would help when they get the redirect. To actually get the redirect you would have to do as you suggested bypass a specific site and have the users go to that site. It could be any site that resolves. You could even use the fake site, enroll.cisco.com, which the posture module uses for discovery.

howon · ‎10-04-2018

Best option is to exempt ISE PSN IP and hostnames from going through proxy and also add in following hosts to the proxy exemption list:

www.msftncsi.com (Microsoft)
www.msftconnecttest.com (Microsoft; Windows 10 Edge browser)
www.gstatic.com (Google)
captive.apple.com (Apple)
nmcheck.gnome.org (Linux)

Background: These are destinations for respective OS vendor to check on whether the network access has captive portal for hotspot or webauth enabled (AKA captive portal detection or captive portal assistant). By exempting these hosts from proxy, the traffic to these hosts can hit the redirect ACL and gets redirected to ISE portal page which lets the OS know that there is a captive portal to deal with prior to getting full Internet access. This allows the mini browser or task bar balloon to pop-up for the user to take action, which is better than forcing them to enter a URL manually in the browser. FYI, here are the actual URL for each vendor (May have been changed, since I collected them few years ago:

http://www.msftncsi.com/ncsi.txt (Microsoft)
http://www.msftconnecttest.com/redirect (Microsoft; Windows 10 Edge browser)
http://www.gstatic.com/generate_204 (Google)
http://captive.apple.com/hotspot-detect.html (Apple)
http://nmcheck.gnome.org/check_network_status.txt (Linux)