I am currently working on a Rapid Threat Containment project involving Firepower and ISE to force an infected client to use a different authorization policy with limited access. We then want to redirect a quarantined user to an external web server that can inform the user about the situation. In order to get the redirection to work, we need to enable the http/https server on the switch, and this has raised some security concerns. We could prevent management of the switch by using the commands "ip http active-session-modules none" and "ip http secure-active-session-modules none", but that will still leave the ports open, and I am looking for an alternative solution to get redirection to work. I have heard about the "walled garden" concept with fake DNS responses and am wondering if this could be an alternative. Does anyone have experience with using walled garden for web redirection, or know of any other solutions to do redirection without enabling the web server on the switch?
Yes, you can use the Auth VLAN feature, but in general we recommend using the switch's ability to redirect instead for Catalyst devices. Also note that AnyConnect 4.4+ can discover the PSN without using URL-redirect, so posture can be supported without it. However, you cannot redirect regular web traffic for non-AnyConnect posture use cases.
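For readers following the switch-redirect route the answer recommends, here is an added configuration example (not part of the original thread, and not vendor-supplied) showing the pattern the question describes: the HTTP/HTTPS server is enabled only so the switch can perform ISE URL redirection, management through it is disabled with the two active-session-modules commands from the question, and the listener is additionally restricted with an access-class so that only the management subnet can even complete a connection to it. The ACL names, the 10.0.0.0/24 management subnet and the 192.0.2.10 ISE PSN address are assumptions chosen for the example; the redirect ACL follows the usual ISE convention of denying traffic to the PSN itself and matching the client's web traffic.

```cisco-ios
! Assumed management subnet and ISE PSN address (example values only)
! Standard ACL that limits who may connect to the switch web server at all
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log

! Web server enabled only because ISE URL redirection requires it
ip http server
ip http secure-server
! Commands from the question: no management modules served over HTTP/HTTPS
ip http active-session-modules none
ip http secure-active-session-modules none
! Restrict the open listener to the management subnet (ACL 10 above)
ip http access-class 10
! If any web-based admin remains, require AAA rather than local enable
ip http authentication aaa

! Redirect ACL referenced by the ISE authorization profile (example name)
! Traffic matched by "permit" is redirected; the PSN itself must be reachable
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
```

The access-class does not close TCP 80/443 on the switch, which is what the question worries about; it only causes the switch to reject connections from outside the permitted subnet. Verifying with "show ip http server status" and "show ip access-lists ACL-WEBAUTH-REDIRECT" confirms the listener state and that redirect ACL counters increment for a quarantined client.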