03-27-2017 02:58 AM
Hi Experts,
Since WLC 8.0, HTTPS redirection for CWA is supported, but there are concerns about WLC performance when handling a large amount of SSL traffic. As a result, the ISE Guest CWA redirection function now relies heavily on the client initiating connections to an HTTP URL. As more and more web sites are now HTTPS enabled, what is the best practice to handle this design? Do we have to pick between a performance hit by enabling HTTPS redirection on the WLC, or forcing guests to find an HTTP website?
Any guidance is much appreciated!
Ling Yang
03-27-2017 01:23 PM
Since ISE 2.2 we support Apple captive portal detection for guests; we should promote that instead, so users aren't forced to open the browser on their own, which might have an HTTPS-based home page.
ISE 2.2 Apple CNA (Captive Network Assistant) Mini-Browser for BYOD/Guest
For enabling it, the configuration is:
There is a special command on the WLC: (WLC)>config network web-auth https-redirect enable
Supported from CUWN firmware version 8.0.
You can enable it via the GUI by going to MANAGEMENT -> HTTP-HTTPS -> HTTPS Redirection 'Enabled'. I think there was a WLC version where the GUI didn't configure it properly, but that seems to have been fixed now.
Configure HTTPS Redirect over Web-auth - Cisco
HTTPS redirect is not a good idea:
a) it is evil (you are attempting to hijack a secure connection)
b) it won't work (clients will block your evil hijack attempt)
c) it doesn't scale (generating a forged SSL hijack session for each port 443 connection from each client is a lot of processing requirement) CSCuu78888 Web GUI unresponsive after HTTPS-redirect enabled
d) certificate warnings
Here are a couple of decent write-ups on the topic; as you can see, it's not just a Cisco issue:
https://medium.com/@padam.singh/https-based-redirection-and-wi-fi-captive-portals-92cc98a22981
For employees using the captive portal inside the organization, one solution is to have them set their home page to the organization's internal landing page.
For general guest users, many devices are built with captive portal detection and will trigger their own browser, avoiding a commercial browser with an HTTPS home page. Therefore, it is desirable to have portal bypass enabled to avoid such errors. Also see the suggestion to actually block HTTPS in the redirect state, to deny access until CNA or another HTTP request can trigger the redirect.
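The exchange the answer above relies on, as an added example (not Cisco's code and not part of the original post): an Apple-style captive-portal probe sent over plain HTTP, intercepted by a stand-in for the WLC. In WEBAUTH_REQD state the stand-in answers with a 302 to the ISE CWA portal, carrying the session id and the original URL; in RUN state the probe reaches the expected "Success" page and the client concludes there is no portal. The ISE hostname, port, session id and the exact shape of the redirect URL are assumptions made for the example.

```python
"""Added example: emulates the CWA redirect between a captive-portal probe
(the kind Apple CNA / Android send over plain HTTP) and a WLC that intercepts
the client's HTTP request. Not Cisco code; hostnames, port, session id and
the redirect URL layout are assumed."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ISE_PORTAL = "https://ise.example.com:8443/portal/gateway"  # assumed ISE PSN name/port
PROBE_HOST = "captive.apple.com"                            # Apple's real probe host
PROBE_OK_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def wlc_redirect_location(original_url, session_id):
    """Location header the emulated WLC returns for a client in WEBAUTH_REQD state:
    the ISE portal URL with the RADIUS session id, action=cwa and the original URL
    (a simplified, assumed form of the ISE CWA redirect URL)."""
    query = urllib.parse.urlencode({"sessionId": session_id, "portal": "GuestPortal",
                                    "action": "cwa", "redirect": original_url})
    return f"{ISE_PORTAL}?{query}"


class WlcHandler(BaseHTTPRequestHandler):
    """Stand-in for the WLC's HTTP intercept. `state` models the client's policy state."""
    state = "WEBAUTH_REQD"
    session_id = "0a0a0a0a0000001a5b7c1234"  # assumed session id

    def do_GET(self):
        # Rebuild the URL the client asked for from the Host header and path,
        # exactly what a transparent intercept has to work with.
        original = f"http://{self.headers.get('Host')}{self.path}"
        if self.state == "WEBAUTH_REQD":
            self.send_response(302)
            self.send_header("Location", wlc_redirect_location(original, self.session_id))
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:  # RUN state: traffic passes, so the probe reaches the real page
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(PROBE_OK_BODY)))
            self.end_headers()
            self.wfile.write(PROBE_OK_BODY)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_wlc(state):
    """Start the emulated WLC on an ephemeral localhost port; returns (server, port)."""
    handler = type("Handler", (WlcHandler,), {"state": state})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """A probe must see the 302 itself rather than silently follow it."""
    def redirect_request(self, *args, **kwargs):
        return None


def probe(port):
    """Send the Apple-style probe through the emulated WLC. The Host header carries
    the intended destination, as on an intercepted connection.
    Returns (captive, portal_url)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"http://127.0.0.1:{port}/hotspot-detect.html",
                                 headers={"Host": PROBE_HOST})
    try:
        with opener.open(req, timeout=5) as resp:
            # Any body other than the expected one also means "captive".
            return resp.read() != PROBE_OK_BODY, None
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307):
            return True, err.headers.get("Location")
        return True, None


def redirect_params(location):
    """Split a portal URL into its hostname and query parameters for inspection."""
    parts = urllib.parse.urlparse(location)
    params = {k: v[0] for k, v in urllib.parse.parse_qs(parts.query).items()}
    return {"hostname": parts.hostname, **params}


if __name__ == "__main__":
    for state in ("WEBAUTH_REQD", "RUN"):
        srv, port = start_wlc(state)
        print(state, probe(port))
        srv.shutdown()
        srv.server_close()
```

The probe only works because it is plain HTTP: the WLC can read the Host header and answer with a 302. The same request over HTTPS would have to be answered inside a TLS session the WLC cannot legitimately establish for captive.apple.com, which is the point the answer makes under (a), (b) and (d).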
12-11-2017 12:46 AM
Hi,
I have the same redirect problem on the WLC 5700.
These commands do not exist on the 5700:
config network web-auth captive-bypass {enable | disable}
config network web-auth https-redirect enable
How can I do this CWA redirect for Apple devices on the 5700?
12-11-2017 05:33 AM
I would suggest you query the wireless team for their command issues.
Also, we don't recommend HTTPS redirection.
12-21-2017 05:34 AM
Hi!
This command does not exist because the WLC 5760 runs IOS XE software, not AireOS as on the WLC 2504, 5520, etc.
Try enabling HTTPS with the command "ip http secure-server" in conf t.
Thank you!
09-13-2018 06:36 AM
Hi,
We have a similar problem, but are not that worried about the SSL traffic handled by the WLC.
However, since the WLC needs to establish an SSL connection with the client to be able to redirect it to ISE for login, we get a certificate error on clients not using the Apple captive portal detection.
Since the client is sending a GET to, e.g., cisco.com and the WLC's certificate is not issued to cisco.com, you will get a certificate warning when opening your browser on the guest Wi-Fi, i.e. ISE CWA.
A workaround is disabling captive bypass, but what about non-Apple clients?
10-01-2018 12:46 AM
We have a well-known certificate (DigiCert) installed in our ISE environment, configured to be used as the web-auth certificate.
The issue we face in the central web auth is that it is the WLC that sends its certificate to the client before the client hits the ISE portal. The WLC has a self-signed certificate, which of course is not trusted by the client.
If you click "trust" on the WLC certificate, the client continues to the ISE portal and gets the ISE certificate.
So my question is, do you need a well-known certificate on both the WLC and the ISE for CWA?
10-01-2018 02:31 AM
No, you only need it on the ISE side.
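Why the answer is "only on ISE", as an added example that is not part of this thread or of any Cisco software: the client validates whatever certificate it receives against the hostname it asked for. On an intercepted HTTPS request that name is the client's choice (cisco.com, google.com, ...), so no certificate installed on the WLC can match it; on the redirect, the name is the ISE portal FQDN you control, so a public certificate on ISE whose subjectAltName covers that FQDN is sufficient. The code implements the browser/RFC 6125 DNS-name matching rules, including the wildcard restrictions, which goes slightly beyond the thread. The certificate names, SANs and portal FQDN are assumptions.

```python
"""Added example (not Cisco's code): certificate hostname matching as a browser
does it, applied to the two legs of CWA. SAN lists and the portal FQDN are assumed."""

# Assumed certificates, reduced to their DNS subjectAltName entries.
WLC_SELF_SIGNED_SANS = ["wlc01.example.com"]                    # self-signed cert on the WLC
ISE_DIGICERT_SANS = ["guest.example.com", "*.ise.example.com"]  # public cert on ISE
ISE_PORTAL_HOST = "guest.example.com"                           # FQDN used in the CWA redirect URL


def san_matches_host(san, host):
    """Case-insensitive DNS-ID match per RFC 6125 section 6.4.3, as browsers apply it:
    a wildcard is only accepted as the entire leftmost label, matches exactly one
    label, and needs at least two further labels ('*.com' is rejected)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    if len(s_labels) != len(h_labels) or len(s_labels) < 3:
        return False
    if s_labels[0] != "*" or any("*" in label for label in s_labels[1:]):
        return False
    return s_labels[1:] == h_labels[1:]


def cert_matches_host(sans, host):
    """True if any DNS SAN in the certificate covers the requested hostname."""
    return any(san_matches_host(san, host) for san in sans)


def intercepted_https(destination_host, wlc_sans=WLC_SELF_SIGNED_SANS):
    """Outcome of the WLC's https-redirect for a client that opened
    https://<destination_host>/ : the WLC's certificate is checked against the name
    the *client* chose, so the result is out of the WLC's hands."""
    return "ok" if cert_matches_host(wlc_sans, destination_host) else "certificate warning"


def portal_after_redirect(ise_sans=ISE_DIGICERT_SANS, portal_host=ISE_PORTAL_HOST):
    """Outcome on the redirect leg: the URL names a host you control, so the public
    certificate on ISE is enough, provided its SAN list actually contains that FQDN."""
    return "ok" if cert_matches_host(ise_sans, portal_host) else "certificate warning"


if __name__ == "__main__":
    for host in ("cisco.com", "www.google.com", "wlc01.example.com"):
        print(f"https://{host}/ intercepted by WLC -> {intercepted_https(host)}")
    print(f"redirect to https://{ISE_PORTAL_HOST}:8443/... -> {portal_after_redirect()}")
    print("portal cert without matching SAN ->",
          portal_after_redirect(ise_sans=["ise01.example.com"]))
```

The one check worth running before going live is the last case in the block: a public certificate on ISE still produces a warning if the FQDN in the redirect URL is not listed in its subjectAltName, so the portal FQDN configured on ISE and the names in the DigiCert certificate must agree.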
02-13-2020 09:05 AM
@fabianwickman wrote: We have a well-known certificate (DigiCert) installed in our ISE environment, configured to be used as the web-auth certificate.
The issue we face in the central web auth is that it is the WLC that sends its certificate to the client before the client hits the ISE portal. The WLC has a self-signed certificate, which of course is not trusted by the client.
If you click "trust" on the WLC certificate, the client continues to the ISE portal and gets the ISE certificate.
So my question is, do you need a well-known certificate on both the WLC and the ISE for CWA?
Hi Stefan, hitting the very same issue here. Have you found a solution?