cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30102
Views
16
Helpful
10
Replies

ISE Guest CWA and HTTPS redirection

lingya
Cisco Employee
Cisco Employee

Hi Experts,

Since WLC 8.0 it starts to support HTTPS redirection for CWA, post WLC v8.0 the HTTPS redirect is supported but there are concerns about WLC performance by handling large amount of SSL traffic.  As a result , the ISE Guest CWA redirection function heavily now relies on initiating connections to HTTP URL. As more and more web sites are now HTTPS enabled what is the best practice to handle this design? do we have to pick between performance hit by enabling HTTPS redirection on WLC, or force guest to find a HTTP website?

Any guidance is much appreciated!

Ling Yang

2 Accepted Solutions

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Since ISE 2.2 we support Apple captive portal detection for guest, we should promote that instead so users aren’t forced to open up the browser on their own which might have HTTPS based home page.


ISE 2.2 Apple CNA (Captive Network Assistant) Mini-Browser for BYOD/Guest


For enabling

Configuration:

There is a special command on WLC – (WLC)>config network web-auth https-redirect enable

Supported from CUWN firmware version 8.0

You can enable via GUI by going to MANAGEMENT -> HTTP-HTTPS > HTTPS Redirection ‘Enabled’. I think there was a WLC version where the GUI didn’t configure it properly, but seems to have been fixed now.

Configure HTTPS Redirect over Web-auth - Cisco


HTTPS redirect is not a good idea

a) it is evil (you are attempting to hijack a secure connection)
b) it won't work (clients will block your evil hijack attempt)
c) it doesn't scale (generating a forged SSL hijack session for each port 443 connection from each client is a lot of processing requirement) CSCuu78888    Web GUI unresponsive after HTTPS-redirect enabled

d) certificate warnings

Here are couple decent write-ups on topic, as you can see its not just a Cisco issue:

http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

https://medium.com/@padam.singh/https-based-redirection-and-wi-fi-captive-portals-92cc98a22981

For employees using captive portal inside the organization, the one solution is to have them set their home page to the organization’s internal landing page.

For general guest users, many are built with captive portal detection and will trigger their own browser to avoid commercial browser with an https home page.   Therefore, it is desirable to have portal bypass enabled to avoid such errors.  Also see suggestion to actually block https in redirect state to deny access until CNA or other http request can trigger redirect.

View solution in original post

I don't see any issues using a well known cert on ISE with the Apple Mini Browsers and redirect. Its not recommended to use https redirect because of these issues. https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-cwa-and-https-redirection/td-p/3583892

View solution in original post

10 Replies 10

Jason Kunst
Cisco Employee
Cisco Employee

Since ISE 2.2 we support Apple captive portal detection for guest, we should promote that instead so users aren’t forced to open up the browser on their own which might have HTTPS based home page.


ISE 2.2 Apple CNA (Captive Network Assistant) Mini-Browser for BYOD/Guest


For enabling

Configuration:

There is a special command on WLC – (WLC)>config network web-auth https-redirect enable

Supported from CUWN firmware version 8.0

You can enable via GUI by going to MANAGEMENT -> HTTP-HTTPS > HTTPS Redirection ‘Enabled’. I think there was a WLC version where the GUI didn’t configure it properly, but seems to have been fixed now.

Configure HTTPS Redirect over Web-auth - Cisco


HTTPS redirect is not a good idea

a) it is evil (you are attempting to hijack a secure connection)
b) it won't work (clients will block your evil hijack attempt)
c) it doesn't scale (generating a forged SSL hijack session for each port 443 connection from each client is a lot of processing requirement) CSCuu78888    Web GUI unresponsive after HTTPS-redirect enabled

d) certificate warnings

Here are couple decent write-ups on topic, as you can see its not just a Cisco issue:

http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

https://medium.com/@padam.singh/https-based-redirection-and-wi-fi-captive-portals-92cc98a22981

For employees using captive portal inside the organization, the one solution is to have them set their home page to the organization’s internal landing page.

For general guest users, many are built with captive portal detection and will trigger their own browser to avoid commercial browser with an https home page.   Therefore, it is desirable to have portal bypass enabled to avoid such errors.  Also see suggestion to actually block https in redirect state to deny access until CNA or other http request can trigger redirect.

hi

i have the same redirect problem on WLC 5700.

these command does not exist on 5700.

config network web-auth captive-bypass {enable | disable}

config network web-auth https-redirect enable



how can i do this cwa redirect apple device for 5700

I would suggest you query the wireless team for their command issues

Also we don’t recommend https redirection

Hi!

There is no this command due to WLC 5760 has IOS XE Software, but not AirOS as on WLC 2504,5520, etc.

Try to enable https by command "ip http secure-server" in conf t.

Thank you!

Hi,

 

We have a similar problem, but are not that worried about ssl-traffic handled by the wlc.

However since the wlc needs to establish a ssl-connection with the client to be able to redirect it to the ISE for login, we get a certificate error on clients not using the apple captive portal detection. 

 

Since the client is sending a GET to, ex Cisco.com and the WLC:s certificate is not issued to cisco.com, you will get a certificate warning when opening your browser on the guest wifi - ie. ISE-CWA. 

A workaround is disabling captive bypass, but what about non- apple clients? 

 

I don't see any issues using a well known cert on ISE with the Apple Mini Browsers and redirect. Its not recommended to use https redirect because of these issues. https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-cwa-and-https-redirection/td-p/3583892

We have a well known certificate(DigiCert) installed in our ISE-environment configured to be used as the web-auth certificate. 

The issue we face in the central web auth is that it is the WLC that sends it's certificate to the client before the client hits the ISE-portal. The WLC has a self signed certificate which of course is not trusted by the client. 

If you click "trust" on the wlc-certificate the client continues to the ISE-portal and gets the ISE-certificate.

 

So my question is, do you need a well known certificate on both the WLC and the ISE for cwa? 

No , you need only on ISE Side


@fabianwickman wrote:

We have a well known certificate(DigiCert) installed in our ISE-environment configured to be used as the web-auth certificate. 

The issue we face in the central web auth is that it is the WLC that sends it's certificate to the client before the client hits the ISE-portal. The WLC has a self signed certificate which of course is not trusted by the client. 

If you click "trust" on the wlc-certificate the client continues to the ISE-portal and gets the ISE-certificate.

 

So my question is, do you need a well known certificate on both the WLC and the ISE for cwa? 


Hi Stefan, hitting the very same issue here. Have you found a solution?

Hi,

We found that disabling “captive bypass enable” solved the issue.
So that the client uses it’s built in function for detecting a web portal.
I don’t know why, but that solved the issue.