ISE Hotspot / Captive Web Portal with HTTP (not HTTPS)?

Toivo Voll
Level 1

We're setting up an ISE PoC for a hotspot (guests get redirected to an AUP page, and have to click "accept") and were wondering whether HTTPS (and certs, cert chains and all that stuff) is really necessary for this.

Perhaps I'm missing something obvious, but since there's no actual information (passwords, emails, names) being transferred, what's the need for HTTPS? Is there any way to allow plain old HTTP to the portal?

Accepted Solutions

Antonio Torres
Cisco Employee

Right now this is not possible. ISE is a security appliance and HTTP support for Portal flows isn't even on the roadmap.

But that's actually a good point. I can see some room for an enhancement request to have the ability to disable HTTPS on HotSpots flows if there is no access code enabled (optional), since there are no credentials to protect during this stage.

Thanks for the response.

That's our use case; we only need users to agree to an AUP. There's just the "accept" button, no email field, no pin or anything else.

The challenge is that the clients are in private IP space but rely on public DNS, so as far as I can tell either we have to expose the ISE portal interface to the Internet, publish a public DNS record pointing at RFC1918 space or we can't have a valid cert for the guest portal. (Or we have to re-engineer guest DNS to allow for split views, but that's a different group and involves buying things.)

If you go with exposing ISE, you may select a dedicated interface for the HotSpot portal and even modify the port we'll be listening on to avoid exposing other flows and management access as well.

We have it on a separate interface currently, but I'm still looking for documentation on how to, or whether it's possible to restrict it to guest portal flows only / ACL it within the ISE.

I can see that from the Linux side, but from the ISE application side there is no way you can restrict this based on the interface you're hitting.