03-05-2019 06:54 AM
I am currently working on a Rapid Threat Containment project involving Firepower and ISE to force an infected client to use a different authorization policy with limited access. We then want to redirect a quarantined user to an external web server that can inform the user about the situation. In order to get the redirection to work, we need to enable the http/https server on the switch, and this has raised some security concerns. We could prevent management of the switch by using the commands "ip http active-session-modules none" and "ip http secure-active-session-modules none", but that will still leave the ports open, and I am looking for an alternative solution to get redirection to work. I have heard about the "walled garden" concept with fake DNS responses and am wondering if this could be an alternative. Does anyone have experience with using a walled garden for web redirection, or know of any other solutions to do redirection without enabling the web server on the switch?
Thanks
/Jörgen
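As an added illustration of the "walled garden" idea raised in the question (this is not code from the thread, from Cisco, or from ISE), the responder below answers every A query from the quarantine VLAN with the address of the quarantine portal, while an explicit allow-list (the portal itself and a remediation server) keeps its real addresses. The portal and remediation names and all IP addresses are assumptions, as is the idea of handing this resolver out via DHCP on the quarantine VLAN; the demonstration query at the bottom is constructed inline so the script runs offline.

```python
"""
Minimal "walled garden" DNS responder for a quarantine VLAN.

Every A/IN query is answered with the quarantine portal address, except names
on an explicit allow-list that get their real address. Added example; the
names and addresses below are assumptions, not values from the thread.
"""
import socket
import struct
from typing import Optional

PORTAL_IP = "10.10.10.10"            # assumed address of the quarantine web server
ALLOWED = {                          # assumed allow-list, resolved to real addresses
    "portal.example.com.": "10.10.10.10",
    "remediation.example.com.": "10.10.20.5",
}
TTL = 30                             # short TTL so clients recover once un-quarantined


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass, end_of_question) from a DNS query."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        ln = msg[pos]
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii").lower())
        pos += ln
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype, qclass, pos + 4


def build_response(query: bytes) -> bytes:
    """Answer A/IN with the portal (or allow-listed) address; NODATA for other types."""
    txid, qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    if qtype != 1 or qclass != 1:
        # NOERROR with no answer (e.g. for AAAA) so the client falls back to A.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    rdata = socket.inet_aton(ALLOWED.get(qname, PORTAL_IP))
    # Answer RR: compression pointer to the question name at offset 12 (0xC00C),
    # type A, class IN, TTL, RDLENGTH 4, then the address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + rdata
    # Flags 0x8180: response, recursion desired, recursion available.
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a plain single-question query (used for the constructed sample)."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


def answered_ip(response: bytes) -> Optional[str]:
    """Address in the single A record of a response built above, or None for NODATA."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """UDP loop; needs privileges to bind port 53 on the quarantine VLAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(build_response(data), peer)
            except ValueError:
                continue  # malformed query: drop it rather than crash the responder


if __name__ == "__main__":
    # Constructed demonstration: an arbitrary name is steered to the portal,
    # an allow-listed name keeps its real address.
    print(answered_ip(build_response(build_query(0x1234, "www.example.org"))))
    print(answered_ip(build_response(build_query(0x1235, "remediation.example.com"))))
```

Caveats a practitioner should weigh before choosing this over the switch's own URL-redirect: it only steers clients that actually use this resolver (cached answers, hard-coded IPs and DNS-over-HTTPS bypass it); HTTPS destinations still produce certificate errors, since the portal cannot present a valid certificate for whatever name the user typed; and the quarantine VLAN must also block direct IP access, or the "garden" has no wall.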
05-14-2019 07:59 AM
03-13-2019 02:10 PM
Yes, you can use the Auth VLAN feature, but in general we recommend using the switch's ability to redirect instead for Catalyst devices. Also note that AnyConnect 4.4+ can discover the PSN without using URL-redirect, so posture can be supported without it. However, you cannot redirect regular web traffic for non-AnyConnect posture use cases.
05-14-2019 12:32 AM - edited 05-14-2019 12:33 AM
Thank you. Do you know any configuration examples for how to configure Auth VLAN web redirection?
Best regards
/Jorgen
05-15-2019 07:39 AM