ACL To block Web GUI access But Allow ISE Redirection

S Leigh
Level 1

Hi all,

I need some assistance with ACLs.
My goal is to have an ACL that blocks access to the switch's web GUI BUT allows an ISE URL redirection for our guest users.
In order for the redirect to work we need to have the http server and http secure-server active.
This is in relation to bug CSCwh87343.
On our devices we have an ACL for web redirect that allows anyone to access HTTP and 443, so herein lies the rub...
If anyone has any thoughts that could point me in the right direction, that would be great.

2 Replies

ammahend
VIP Alumni

Cisco has already started rolling out patches for the bug you mentioned:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html

For the guest users, along with the redirect ACL, push a dACL from ISE that allows port 8443 access to ISE and DNS and denies everything else.

-hope this helps-

Marvin Rhoads
Hall of Fame

You can configure the switch per the Best Practices to mitigate the vulnerability.

As noted in the ISE Secure Wired Access Prescriptive Design Guide:

The switch's internal HTTP/HTTPS server is used for the redirection process, and it's highly encouraged to decouple this service from switch management if HTTP/HTTPS isn't used for switch management. You can accomplish this using the CLIs below:

c9300-Sw(config)#ip http active-session-modules none
c9300-Sw(config)#ip http secure-active-session-modules none

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1376429527 
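Putting the two replies together, here is an added example (not from the original thread, the design guide, or Cisco) of what the resulting switch configuration and ISE dACL look like side by side: the original state, where the same HTTP/HTTPS listener that performs the redirect also serves the management GUI to anyone the redirect ACL permits, and the hardened state, where the listener stays up for redirection but the web UI session modules are disabled. The ISE PSN address 10.1.99.5, the ACL names and the interface are hypothetical placeholders. The dACL here additionally permits HTTP/HTTPS, on the assumption that traffic must be allowed by the dACL before the redirect ACL can intercept it; verify that behaviour on your platform and release before relying on it.

```cisco
! --- Before: redirect works, but so does the management GUI ---
ip http server
ip http secure-server
!
! --- After: keep the listener for ISE redirection, disable the web UI ---
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
! Redirect ACL: "permit" means "redirect this flow" to the ISE guest portal.
! Deny (= do not redirect) DNS and the portal itself so the client can resolve
! names and reach ISE on 8443 after being redirected. 10.1.99.5 is a placeholder.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   tcp any host 10.1.99.5 eq 8443
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Pre-auth dACL pushed by ISE (entered in the ISE dACL editor, not on the switch).
! Assumption: HTTP/HTTPS must be permitted here for the redirect ACL to see it.
!   permit udp any any eq domain
!   permit tcp any host 10.1.99.5 eq 8443
!   permit tcp any any eq www
!   permit tcp any any eq 443
!   deny ip any any
!
! Guest-facing port (placeholder interface); the redirect ACL is referenced
! by the ISE authorization profile, not applied directly here.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
```

After applying the hardening lines, check with `show ip http server status` that the server is still running and then confirm from a guest client that browsing to http://<switch-ip> no longer returns the management login page while an unauthenticated session is still redirected to the ISE portal.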
