10-13-2015 06:12 AM - edited 03-10-2019 11:09 PM
We're setting up an ISE PoC for a hotspot (guests get redirected to an AUP page, and have to click "accept") and were wondering whether HTTPS (and certs, cert chains and all that stuff) is really necessary for this.
Perhaps I'm missing something obvious, but since there's no actual information (passwords, emails, names) being transferred, what's the need for HTTPS? Is there any way to allow plain old HTTP to the portal?
10-15-2015 06:22 AM
Right now this is not possible. ISE is a security appliance and HTTP support for Portal flows isn't even on the roadmap.
But that's actually a good point. I can see some room for an enhancement request to have the ability to disable HTTPS on HotSpot flows if there is no access code enabled (optional), since there are no credentials to protect during this stage.
10-15-2015 06:35 AM
Thanks for the response.
That's our use case; we only need users to agree to an AUP. There's just the "accept" button, no email field, no pin or anything else.
The challenge is that the clients are in private IP space but rely on public DNS, so as far as I can tell either we have to expose the ISE portal interface to the Internet, publish a public DNS record pointing at RFC1918 space, or we can't have a valid cert for the guest portal. (Or we have to re-engineer guest DNS to allow for split views, but that's a different group and involves buying things.)
10-15-2015 06:41 AM
If you go with exposing ISE you may select a dedicated interface for the HotSpot portal and even modify the port we'll be listening on to avoid exposing other flows and management access as well.
10-15-2015 06:44 AM
We have it on a separate interface currently, but I'm still looking for documentation on how to, or whether it's possible to, restrict it to guest portal flows only / ACL it within the ISE.
10-15-2015 06:55 AM
I can see that from the Linux side, but from the ISE application side there is no way you can restrict this based on the interface you're hitting.