abhishek.marat1
Beginner

Cisco ISE configs for switch

I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).

My question here is: do we need to configure the http and https server on the switches (both supplicant and authenticator)?

I am sure it will be needed but just wanted a confirmation.

I have checked the configuration for supplicant and authenticator switches for ISE and it has nowhere mentioned that part of the config.

 

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.

 

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html

(config of supplicant and authenticator switch)---- nowhere mentioned of the http/https config for both switches.

1 ACCEPTED SOLUTION

Accepted Solutions
Charles Hill
Rising star

Yes, it's needed. The http/s server within the switch is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.

 

ip http server

ip http secure-server

 

The info below I grabbed from Cisco ISE for BYOD and secure unified access book.

"Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:

ip http active-session-modules none

ip http secure-active-session-modules none"


Thanks Cehill..

You're welcome.
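A way to check a saved switch configuration for the four global commands given in the accepted answer, as an added example that is not part of the original thread or any Cisco tooling. The function names and both sample configurations are hypothetical and constructed for illustration.

```python
SERVER_CMDS = ("ip http server", "ip http secure-server")
MODULE_CMDS = ("ip http active-session-modules",
               "ip http secure-active-session-modules")

def audit_http_config(running_config):
    """Classify the four global-config lines from the answer in a config dump.

    Only lines literally present in the text are seen; anything the device
    omits from its output is reported as "missing".
    """
    state = {cmd: "missing" for cmd in SERVER_CMDS + MODULE_CMDS}
    for raw in running_config.splitlines():
        # Skip blanks, "!" separators and indented sub-mode lines (interface, ...)
        if not raw.strip() or raw[0].isspace() or raw.startswith("!"):
            continue
        line = " ".join(raw.split())
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        if line in SERVER_CMDS:
            state[line] = "disabled" if negated else "enabled"
        for prefix in MODULE_CMDS:
            if line.startswith(prefix + " "):
                arg = line[len(prefix) + 1:]
                # Any module list other than "none" leaves management reachable
                state[prefix] = "none" if arg == "none" and not negated else "other"
    return state

def redirect_server_on(state):
    """True when both server lines from the answer are enabled."""
    return all(state[c] == "enabled" for c in SERVER_CMDS)

def management_decoupled(state):
    """True when both session-module lines are set to none."""
    return all(state[c] == "none" for c in MODULE_CMDS)

# Constructed sample configs (hypothetical, not taken from a real device)
SERVERS_ONLY = """hostname access-sw-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet1/0/1
 switchport mode access
"""
DECOUPLED = SERVERS_ONLY + """ip http active-session-modules none
ip http secure-active-session-modules none
"""

if __name__ == "__main__":
    for name, cfg in (("servers only", SERVERS_ONLY), ("decoupled", DECOUPLED)):
        s = audit_http_config(cfg)
        print(name, redirect_server_on(s), management_decoupled(s), s)
```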
