
Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue

vialves
Cisco Employee

Hi everyone.

I'm setting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps in this Cisco page to get it working:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html

I'm only testing the wired environment right now.

I plug a PC into a port, and I try to access a random internet page (for example www.cisco.com). It is automatically redirected to the authentication page. I type the username and password, but, when authentication passes, it goes automatically to the https version of the page, which brings me to the problem. I have to add an exception (the "continue on this webpage" option in IE) for that page in order to continue with the authentication and get access to the internet. I'm attaching the steps I have to perform:

1.png

2.png

3.png

I think it is related to the certificate, but I'm not quite sure which or where. I'd like to have some advice from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https that would be great.

Thanks a bunch for your help

Victor Alves

1 Accepted Solution

Accepted Solutions

Nicolas Darchis
Cisco Employee

If you don't want an official cert you need to go for http only. But this means that people's passwords will transit in clear on the network.

It's been a long time since I tried this, but isn't removing "ip http secure-server" doing the trick?

You simply nailed it! I just removed the ip http secure-server command and everything is working like a charm!!

Another question: to get it working with https, should I have a certificate for each access switch I have? Would a self-signed certificate work?

Thanks a lot for your help! A+++

You need a certificate that your client will trust.

The easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors, so that's automatically trusted.

You could also issue the certificate yourself, for free:

- Self-signed: the signing authority is the switch... That means you need all your PCs to trust all your switches. Manual operation...

- You create an enterprise CA and create a certificate for all your switches: you just need your clients to trust your enterprise CA, so that's still a manual task but a simpler one.

When laptops are integrated in a domain, it's usually easier to create your CA on Windows Server and push the certificates to the clients automatically.
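
The difference between the two free options in the reply above, as an added example that is not part of the original thread: it uses the openssl CLI to stand in for a PC's trust check, and shows that importing one switch's self-signed certificate does nothing for the next switch, while importing one enterprise CA covers every switch it signs. The hostnames `sw1.example.net` and `sw2.example.net` and the CA name are constructed placeholders.

```shell
#!/bin/sh
# Added example. Hostnames and the CA name are constructed placeholders.

# Model 1: the switch signs its own certificate.
make_self_signed() {  # $1 = work dir, $2 = switch hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.self.key" -out "$1/$2.self.pem" 2>/dev/null
}

# Model 2: an enterprise root CA ...
make_ca() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Enterprise CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# ... that signs one certificate per switch.
issue_from_ca() {  # $1 = work dir, $2 = switch hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# Returns 0 only if certificate $2 chains to a root in trust store $1.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints "trusted" or "NOT trusted" for a (trust store, certificate) pair.
verdict() {
    if client_trusts "$1" "$2"; then echo "trusted"; else echo "NOT trusted"; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" || return 1
    for sw in sw1.example.net sw2.example.net; do
        make_self_signed "$d" "$sw" && issue_from_ca "$d" "$sw" || return 1
    done
    echo "PC imported sw1's self-signed cert, visits sw2: $(verdict "$d/sw1.example.net.self.pem" "$d/sw2.example.net.self.pem")"
    echo "PC imported the enterprise CA, visits sw2:      $(verdict "$d/ca.pem" "$d/sw2.example.net.pem")"
    rm -rf "$d"
}
demo
```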
