03-12-2018 04:22 AM - edited 02-21-2020 10:48 AM
All,
I have installed Cisco ISE (4.2 with NAM and Posture mods). For some reason my clients (EAP-TLS) are authenticating and authorising fine, but some of my clients during authentication are seeing a Windows security alert indicating that the cert isn't trusted. When I view the cert it's the self-signed one from the 2960X switch.
I believe an application is trying to contact a server over 443 but why would a switch respond to a client request with its own self signed cert?
Any help would be great, thanks!
03-12-2018 08:43 AM
Hi,
Haven't you enabled/configured ip http and http secure-server commands on the switch?
These commands are needed for redirection. Each time you want to redirect some traffic, the switch would spoof the destination server and would respond on behalf of your destination (the flow must be allowed from the management VLAN to the workstation/data VLAN). :)
Usually, the redirected traffic would be http as in app access, but you might have some apps that are trying some https.
You can give it a go with a specific call home server (I think this was the name of the section) in the posture profile so that you get redirected for a specific destination (that is - http).
Thanks,
Octavian
03-12-2018 10:58 AM
Hi Octavian,
Yes http and http secure server are configured and working.
Also configured are the below commands for disabling web management.
ip http active-session-modules none
ip http secure-active-session-modules none
I think the issue is that while clients are redirecting (posturing/system scan) during remediation, an app is also trying to redirect (HTTP) at the same time and the switch is responding with its cert. I think if I alter the redirect ACL to deny the source that should work (i.e. bypass redirection).
Any thoughts?
03-13-2018 01:08 AM
Hi,
You could try a SPAN config or directly a Wireshark on the endpoint to check where it tries to connect.
(regarding the bypass, you have to deny/bypass based on destination not source)
Thanks,
Octavian
03-16-2018 05:28 AM
OK,
Tried the deny in the redirect ACL (e.g. do not redirect traffic going to - in my case an F5 VIP) and it worked, but the Skype client connects and logs in during posture and compliance before "network access allowed" is seen.
Does anyone know how to restrict Skype from connecting until the client has passed posture and the client is fully compliant, e.g. has received a dACL of permit any any?
Just a thought: could I deny Skype TCP connections in the remediation ACL?
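An added illustration of the redirect-ACL bypass discussed in this thread on an IOS switch (example config, not any poster's own). It assumes placeholder addresses for the F5 VIP (203.0.113.10) and the ISE PSN (198.51.100.20) and a placeholder ACL name; on IOS switches a deny entry in the redirect ACL means "do not redirect", so the destinations that must not be intercepted are listed before the permit lines.

```cisco
! Added example, not the poster's config. ACL name, F5 VIP (203.0.113.10)
! and ISE PSN (198.51.100.20) are placeholders; substitute real values.
!
! Web server on the switch: required for ISE URL redirection. The switch
! answers on behalf of the intercepted destination with its own self-signed
! certificate, which is what the clients in this thread are seeing.
ip http server
ip http secure-server
! Disable web management so the HTTP server only serves redirects.
ip http active-session-modules none
ip http secure-active-session-modules none
!
! Redirect ACL referenced by the ISE authorization profile for posture.
! On IOS switches: deny = do not redirect (bypass), permit = redirect.
ip access-list extended POSTURE-REDIRECT
 ! Bypass: traffic to the F5 VIP is not intercepted, so the switch never
 ! answers that connection with its own certificate.
 deny   ip any host 203.0.113.10
 ! Bypass DNS and the ISE PSN so the client can still resolve and reach ISE.
 deny   udp any any eq domain
 deny   ip any host 198.51.100.20
 ! Everything else on web ports is redirected to the ISE posture portal.
 permit tcp any any eq www
 permit tcp any any eq 443
```

Whether the bypassed destination should also be blocked until the endpoint is compliant is a separate decision made in the pre-posture dACL, not in the redirect ACL.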