Cisco ISE and Cisco 2960X Switches

Jay233
Level 1

All,

I have installed Cisco ISE (4.2 with NAM and Posture mods). For some reason my clients (EAP-TLS) are authenticating and authorising fine, but some of my clients are seeing a Windows security alert during authentication indicating that the cert isn't trusted. When I view the cert, it's the self-signed one from the 2960X switch.

I believe an application is trying to contact a server over 443, but why would a switch respond to a client request with its own self-signed cert?

Any help would be great, thanks!

4 Replies

Octavian Szolga
Level 4

Hi,

Haven't you enabled/configured the ip http server and ip http secure-server commands on the switch?

These commands are needed for redirection. Each time you want to redirect some traffic, the switch spoofs the destination server and responds on behalf of your destination (the flow must be allowed from the management VLAN to the workstation/data VLAN). :)

Usually the redirected traffic would be HTTP, as in app access, but you might have some apps that are trying HTTPS.

You can give it a go with a specific call home server (I think this was the name of the section) in the posture profile, so that you get redirected for a specific destination (that is, HTTP).

Thanks,

Octavian

Hi Octavian,

Yes, ip http server and ip http secure-server are configured and working.

Also configured are the commands below for disabling web management:

ip http active-session-modules none

ip http secure-active-session-modules none

I think the issue is that while clients are redirecting (posturing/system scan) during remediation, an app is also trying to redirect (HTTP) at the same time, and the switch is responding with its cert. I think if I alter the redirect ACL to deny the source, that should work (i.e. bypass redirection).

Any thoughts?

Hi,

You could try a SPAN config, or run Wireshark directly on the endpoint, to check where it tries to connect.

(Regarding the bypass, you have to deny/bypass based on destination, not source.)

Thanks,

Octavian

Ok,

Tried the deny in the redirect ACL (e.g. do not redirect traffic going to, in my case, an F5 VIP) and it worked, but the Skype client connects and logs in during posture and compliance checking, before "network access allowed" is seen.

Does anyone know how to restrict Skype from connecting until the client has passed posture and is fully compliant, e.g. has received a dACL of permit any any?

Just a thought: could I deny Skype TCP connections in the remediation ACL?
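The two configuration pieces the thread circles around, the redirect ACL that bypasses a specific destination and a remediation dACL that only opens what posture needs, put together as an added example. This is not configuration from the thread or from Cisco; the ACL names and the RFC 5737 addresses (PSN, remediation server, F5 VIP) are constructed placeholders. Two points worth seeing side by side: on IOS switches a permit in the redirect ACL means "redirect this", and a deny means "leave it alone", so the bypass is written as a deny on the destination, as Octavian says; and redirected HTTPS is answered by the switch's own listener, which is why clients see the switch's self-signed certificate. Keeping the VIP out of the remediation dACL is what stops the Skype login until the compliant profile is applied.

```ios
! Constructed example addresses (RFC 5737), not taken from the thread:
!   192.0.2.10  ISE Policy Service Node (PSN)
!   192.0.2.20  remediation / update server
!   192.0.2.50  F5 VIP that the Skype client reaches over HTTPS
!
! --- Switch web listener used for URL redirection ---
! Redirection relies on these listeners. The session-module commands turn off
! the switch's own web management UI; they do not turn off redirection, so a
! redirected HTTPS request is still answered with the switch's self-signed cert.
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
!
! --- Redirect ACL (named in the ISE authorization profile) ---
! IOS semantics: permit = redirect this traffic, deny = do not redirect.
! Bypass is keyed on the DESTINATION, never the source.
ip access-list extended ACL-POSTURE-REDIRECT
 remark never redirect DNS, DHCP or traffic to the PSN itself
 deny   udp any any eq domain
 deny   udp any any eq bootps
 deny   ip  any host 192.0.2.10
 remark pass the F5 VIP through untouched so clients never see the switch cert
 deny   ip  any host 192.0.2.50
 remark everything else on 80/443 is redirected to the ISE posture portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- Remediation dACL (defined in ISE and pushed with the Unknown /
!     Non-compliant authorization profile; shown in the ACE syntax ISE expects,
!     the "!" comment lines are not part of the dACL) ---
! Only what posture needs is permitted. The F5 VIP is deliberately NOT listed,
! so Skype cannot log in until the compliant profile replaces this dACL with
! "permit ip any any".
permit udp any any eq domain
permit udp any any eq bootps
permit ip  any host 192.0.2.10
permit ip  any host 192.0.2.20
deny   ip  any any
```

The redirect ACL only decides whether the switch intercepts a flow; the dACL decides whether the flow is allowed at all. Denying the VIP in the redirect ACL removes the certificate warning, and leaving the VIP out of the remediation dACL is what holds the application back until compliance is reached.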
