
Cisco ISE configs for switch

abhishek.marat1
Level 1

I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in the case of guest access getting a URL redirect with a User Acceptance Page (wired guests, not wireless).

My question here is: do we need to configure the HTTP and HTTPS server on the switches (both supplicant and authenticator)?

I am sure it will be needed, but I just wanted a confirmation.

I have checked the configuration for supplicant and authenticator switches for ISE, and nowhere does it mention that part of the config.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a URL redirection problem and its possible cause are mentioned), which makes me sure that the config is needed.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html

(config of supplicant and authenticator switch): the http/https config is mentioned nowhere for either switch.

Accepted Solutions

Charles Hill
VIP Alumni

Yes, it's needed. The HTTP/S server within the switch is used to grab the HTTP user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.

ip http server

ip http secure-server

The info below I grabbed from the Cisco ISE for BYOD and Secure Unified Access book.

"Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:

ip http active-session-modules none

ip http secure-active-session-modules none"
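
As an added example (not part of the original post or of Cisco's documentation), the following Python script audits a saved switch configuration for the four global commands quoted in the answer above. It assumes a command is in effect only when its line appears un-negated at the top level of the supplied text; the function names and the sample configs are constructed for illustration.

```python
# Added example: audit an IOS config for the four commands quoted in the answer.
# Assumption: a command is in effect only if its un-negated line is present.

REQUIRED_FOR_REDIRECT = ("ip http server", "ip http secure-server")
DECOUPLE_MGMT = {
    "ip http server": "ip http active-session-modules none",
    "ip http secure-server": "ip http secure-active-session-modules none",
}

def parse_global_commands(config_text):
    """Return {command: enabled} for top-level lines; a 'no' form maps to False."""
    state = {}
    for raw in config_text.splitlines():
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue  # skip blanks, sub-mode (indented) lines and comments
        line = " ".join(raw.split())
        if line.startswith("no "):
            state[line[3:]] = False
        else:
            state[line] = True
    return state

def audit_redirect_config(config_text):
    """List findings for URL-redirect readiness and management exposure."""
    state = parse_global_commands(config_text)
    findings = []
    for server in REQUIRED_FOR_REDIRECT:
        if not state.get(server, False):
            findings.append(f"MISSING  {server}: needed for URL redirect")
            continue
        hardening = DECOUPLE_MGMT[server]
        if not state.get(hardening, False):
            findings.append(f"EXPOSED  {server} is on without '{hardening}'")
    return findings

# Constructed sample configs, not taken from a real device.
SAMPLE_WEAK = """\
hostname access-sw1
ip http server
no ip http secure-server
ip http active-session-modules none
"""
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    "no ip http secure-server",
    "ip http secure-server\nip http secure-active-session-modules none")

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_redirect_config(cfg) or "OK")
```

An empty list means both servers are enabled and both session-module lines are set to none.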


Thanks Cehill.

You're welcome.