Solved: IOS CWA Redirect - ISE - Safari

spellluck · ‎02-24-2014

I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.

Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?

I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients. What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.

My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch(3850,3750X) certificate. Firefox and Chrome both work without issues on the test Macbooks. I'm unable to find anything in the Bugtoolkit about it.

If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.

blenka · ‎02-26-2014

Safari is not supported browser for ISE admin web portal (see http://www.cisco.com/en/US/docs/security/ise/1.2/compatibility/ise_sdt.html#wp113932). Please use Firefox ESR http://www.mozilla.org/en-US/firefox/organizations/all.html

This is a known issue being addressed in ISE 1.3:

CSCty87291 admin web requests id cert when passwd auth only but CA trusted

View solution in original post

blenka · ‎02-26-2014

Safari is not supported browser for ISE admin web portal (see http://www.cisco.com/en/US/docs/security/ise/1.2/compatibility/ise_sdt.html#wp113932). Please use Firefox ESR http://www.mozilla.org/en-US/firefox/organizations/all.html

This is a known issue being addressed in ISE 1.3:

CSCty87291 admin web requests id cert when passwd auth only but CA trusted

spellluck · ‎02-26-2014

Basant,

Thanks for replying, but this isn't a question of managing ISE.

The problem is when Safari is redirected to the Guest Portal - Which according table 8 of what you linked, says it is supported.

The redirect issue does not occur when using a 5508 with traditional WLC code. It is only the IOS Webauth Redirect that is breaking the redirect process and causing Safari to hang.

spellluck · ‎03-27-2014

This issue has been resolved. It turned out that the Macbook was trying to do a crl download to confirm that the certificate was valid. I am pretty sure it was becuase the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store. Firefox works because they handle CRL checks differently.

I had two different resolutions as I had the problem at two different customers/sites.

First test was allowing access to crl.godaddy.com. After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.

At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all macbooks to resolve the issue.

In addition - and worthy of note. If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.

tl;dr - Doublecheck Certificate trust settings on Apple because they are evil.