Walled garden and Web redirection

Chess Norris
Level 4

I am currently working on a Rapid Threat Containment project involving Firepower and ISE to force an infected client to use a different authorization policy with limited access. We then want to redirect a quarantined user to an external web server that can inform the user about the situation. In order to get the redirection to work, we need to enable the http/https server on the switch, and this has raised some security concerns. We could prevent management of the switch by using the commands "ip http active-session-modules none" and "ip http secure-active-session-modules none", but that will still leave the ports open, and I am looking for an alternative solution to get redirection to work. I have heard about the "walled garden" concept with fake DNS responses and am wondering if this could be an alternative. Does anyone have experience with using a walled garden for web redirection, or know of any other solutions to do redirection without enabling the web server on the switch?

Thanks

/Jörgen
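For readers weighing the trade-off described in the question, the following IOS configuration fragment is an added example and is not from the original thread or from Cisco. It places the bare "enable the web server" setting next to the reduced-exposure form, using the two commands named above, and adds the redirect ACL that decides which client flows the listener ever sees. Assumed values: ISE PSN 10.0.0.10 and the ACL name ACL-REDIRECT; exact command syntax varies by platform and release.

```ios
! --- Weak setting: listener enabled for redirection and also usable for management ---
ip http server
ip http secure-server
!
! --- Reduced-exposure form (added example; assumed PSN 10.0.0.10) ---
! The listener is still required, because the switch answers intercepted client
! HTTP requests with a redirect to ISE, but every management session module is
! disabled so the open ports cannot be used to administer the switch.
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
! Redirect ACL referenced by the ISE authorization profile for the quarantine policy.
! Only traffic that matches a "permit" line is intercepted and sent to the listener;
! DNS and traffic to the PSN itself are excluded so the portal keeps working.
ip access-list extended ACL-REDIRECT
 deny   udp any any eq domain
 deny   ip  any host 10.0.0.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Check after applying (exec mode): confirm the server is enabled and the active
! session modules report NONE before treating the listener as non-manageable.
! show ip http server status
```

The quarantined client still reaches TCP 80/443 on the switch, which is the residual exposure the question is asking about; the redirect ACL limits which flows are intercepted but does not close the listener.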


howon
Cisco Employee

Yes, you can use the Auth VLAN feature, but in general we recommend using the switch's ability to redirect instead for Catalyst devices. Also note that AnyConnect 4.4+ can discover the PSN without using URL-redirect, so posture can be supported without it. However, you cannot redirect regular web traffic for non-AnyConnect posture use cases.

Thank you. Do you know of any configuration examples for how to configure Auth VLAN web redirection?

Best regards

/Jorgen

Thank you both for the help