Solved: Re: URL Redirect ACL not working with proxy settings

Madura Malwatte · ‎09-18-2018

ISE 2.3 patch 4

I'm facing this strange issue when using URL redirect ACL for BYOD when browser proxy settings are enabled. When web redirection is configured in the authorization profile, web traffic passing through without being blocked by the dACL in the same authorization profile. Turning off browser proxy settings and the url redirect to the portal works.

WPAD is configured to automatically set proxy on port 9090 of a VIP where the proxy servers are sitting behind the load-balancer.

I am doing URL redirect ACL to catch web traffic and redirect to mydevices portal which has the device on-boarding. My authorization profile dACL permits dhcp, dns, traffic to psn and blocks everything else:

Extended IP access list xACSACLx-IP-ISE_ONLY-5ba0966a (per-user)
1 permit udp any eq bootpc any eq bootps
2 permit udp any any eq domain
3 permit ip any host 10.2.2.3
4 deny ip any any

The web redirection ACL in the same authorization profile catches port 80 and 443 traffic for the redirection URL:

Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.2.2.3
40 permit tcp any any eq www
50 permit tcp any any eq 443
60 deny ip any any

For testing purposes I had my authorization profile with only the dACL (IP-ISE_ONLY) configured (web redirection ACL disabled) traffic does not go out to the internet as expected. But as soon as I enable web redirection with the ACL_REDIRECT ACL, traffic passes to the internet. How is this possible, when the underlying IP-ISE_ONLY ACL has a deny for all traffic except dhcp, dns and ISE psn? What makes turning on web redirection cause traffic to bypass the deny in the ACL and go the internet via proxy?

If I then disable the browser proxy settings the redirect works and I am redirected to the portal.

I only found out later that proxy was being set with WPAD for port 9090, so my original ACL_REDIRECT was not matching the permit www or 443 entries. If I add a permit entry for the proxy - permit tcp any any eq 9090, then traffic does not go to internet nor do I get redirected to the portal.

show access-session int g1/0/1 de
Interface: GigabitEthernet1/0/1
IIF-ID: 0xC7F9C0000004E1
MAC Address: <omitted>.6f32
IPv6 Address: Unknown
IPv4 Address: 10.1.1.2
User-Name: <omitted>-6F-32
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 155773s
Session Uptime: 17127s
Common Session ID: 0A9003140000045F90CE889A
Acct Session ID: 0x000005D8
Handle: 0x1E0003F1
Current Policy: DOT1X

Local Policies:
Service Template: AUTH_SUCCESS (priority 150)

Server Policies:
URL Redirect: https://<omitted>:8443/portal/gateway?sessionId=0A9003140000045F90CE889A&portal=fc014112-ba2f-11e8-a93a-02421a24117d&action=cwa&token=e20b5cc83c929cf48709955d1ec13dfc
URL Redirect ACL: ACL_REDIRECT
ACS ACL: xACSACLx-IP-ISE_ONLY-5ba0966a

Method status list:
Method State

dot1x Stopped
mab Authc Success

paul · ‎09-18-2018

A switch will not be able to redirect the request to a proxy. Even if you add it to the redirect list the switch will have no way to issue a redirect as the traffic is not http or https protocol. The web call is encapsulated into the proxy request.

View solution in original post

paul · ‎09-18-2018

There is a difference between a proxy request and normal HTTP request. Pull up wireshark and look at it. It would be like asking "why is the switch not able to redirect my telnet session to the BYOD portal?" The request needs to be http/https not a proxy request.

View solution in original post

Madura Malwatte · ‎09-18-2018

Okay so I was able to test this out today, and it seems to be working fine - switch is sending the 302 redirect and client initiates a new connection to ISE (however pac file settings puts the connection into a redirect loop because the ise domain is not excluded from proxy - this is separate to ISE, I'll fix up the pac file and confirm the tests again).

I did the following:
- mapped http to port 9090 and enabled http server port 9090
ip port-map http port 9090
ip http port 9090

In the web redirection ACL added an entry to catch the proxy traffic: permit tcp any any eq 9090

This seemed to work when I tested a http website (received the 302 redirect).

Though I am not sure for https traffic, the https port can be mapped as well, but a single port can only be mapped to one or the other. So you can't seem to do the below at the same time:

ip port-map http port 9090

ip port-map https port 9090

Need to do some further testing next week when I get access to the test machine again.

View solution in original post

paul · ‎09-18-2018

A switch will not be able to redirect the request to a proxy. Even if you add it to the redirect list the switch will have no way to issue a redirect as the traffic is not http or https protocol. The web call is encapsulated into the proxy request.

Madura Malwatte · ‎09-18-2018

So you are saying the redirect ACL can only match on port 80 and 443, and not other ports such as 9090 to dish out the redirect?

There is not much difference between a http proxy packet and a non proxy packet, except the port number and URI.

Any way to get this to work? I imagine there must be many implementations with ISE and a proxy server in the network.

paul · ‎09-18-2018

There is a difference between a proxy request and normal HTTP request. Pull up wireshark and look at it. It would be like asking "why is the switch not able to redirect my telnet session to the BYOD portal?" The request needs to be http/https not a proxy request.

Madura Malwatte · ‎09-18-2018

Yeah thats right. Thanks.

I found this -
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117278-troubleshoot-ise-00.html

Where it says "Notice that the switch can only intercept HTTP or HTTPS
traffic that works on standard ports (TCP/80 and TCP/443). If HTTP/HTTPS
works on a nonstandard port, it can be configured with the ip port-map
http command.
Also, the switch must have its HTTP server listen on that port (ip http port
)."

I'll give port-map a go.

paul · ‎09-18-2018

Let us know if it works. I don't think it will because the switch will not recognize the traffic as an HTTP request nor would I think the client would even accept a 302 redirect for a proxy call.

Madura Malwatte · ‎09-18-2018

Okay so I was able to test this out today, and it seems to be working fine - switch is sending the 302 redirect and client initiates a new connection to ISE (however pac file settings puts the connection into a redirect loop because the ise domain is not excluded from proxy - this is separate to ISE, I'll fix up the pac file and confirm the tests again).

I did the following:
- mapped http to port 9090 and enabled http server port 9090
ip port-map http port 9090
ip http port 9090

In the web redirection ACL added an entry to catch the proxy traffic: permit tcp any any eq 9090

This seemed to work when I tested a http website (received the 302 redirect).

Though I am not sure for https traffic, the https port can be mapped as well, but a single port can only be mapped to one or the other. So you can't seem to do the below at the same time:

ip port-map http port 9090

ip port-map https port 9090

Need to do some further testing next week when I get access to the test machine again.

Madura Malwatte · ‎09-26-2018

I was able to test this further and I am seeing some strange behaviour.

As users have a pac file set to proxy on port 9090, my redirect ACL permits "tcp any any eq 9090" to catch the web requests from the client.

I have the following configured:

ip port-map http port 9090
ip http port 9090

With this configuration the url redirect is working if browsing to http sites, however it fails for https sites. For both requests the switch is sending the 302 redirect but its a little bit different. For https sites, the client never connects to the CWA portal, even though if I take a packet capture and copy the redirect link manually into the browser it works.

For the https connection, I can see its missing a trailing part from the 302 - example: "&redirect=http://www.google.comhttp://www.google.com/"

If I configure "ip port-map https port 9090" it doesn't help and breaks http as well, even though the redirect still occurs. Using "ip http secure-port 9090" stops the redirect completely.

However having port 9090 mapped breaks another thing, if we continue ahead with the redirect from http and go through the CWA portal to device on-boarding, during the installation of the Network Setup Assistant it fails with a "Failed to discover ISE" error message. I understand that the nsp utility finds the PSN, by sending an http request to the default gateway and that needs to be redirected. But since the switch's http port is changed to 9090, this http request won't be caught?

paul · ‎09-26-2018

I think you are going to struggle to get this working smoothly, but as far as the default gateway traffic goes you need to make sure you are redirecting port 80 to the default gateway. I usually use "permit tcp any 10.0.0.1 0.255.255.0 eq 80" assuming you are a 10.x.x.x network and your DGs are .1.