Cisco 11500 SSL redirection

I'm attempting to redirect SSL from the base site to a different page on the same SSL site.  I want to redirect https://10.4.16.54/* to https://10.4.16.54/AHC/SitePages/Home.aspx.  If I enter https://10.4.16.54/AHC/SitePages/Home.aspx, site loads, but if I enter simply https://10.4.16.54, it times out.  The ssl_sharepoint service is my ssl_proxy_list.  Thanks for any help.
  content Sharepoint_https
    flow-timeout-multiplier 10
    sticky-inact-timeout 35
    vip address 10.4.16.54
    application ssl
    add service ssl_sharepoint
    advanced-balance ssl
    url "/*"
    port 443
    protocol tcp
    redirect "/AHC/SitePages/Home.aspx"
    active
  content Sharepoint_https_redirect
    vip address 10.4.16.54
    application ssl
    advanced-balance ssl
    flow-timeout-multiplier 10
    sticky-inact-timeout 35
    add service ssl_sharepoint
    port 443
    protocol tcp
    url "/AHC/SitePages/Home.aspx"
    active

Hi Gary,
First off, I'd recommend you clean up the url and redirect commands from your 443 rules; as 443 is encrypted, the CSS is not able to look at layer 5 info within the traffic, making these commands useless for these rules.
That being said, since you're using SSL termination, your configuration for HTTPS-to-HTTPS redirect would look like this:
  content Sharepoint_https
    vip address 10.4.16.54
    application ssl
    advanced-balance ssl
    flow-timeout-multiplier 10
    add service ssl_sharepoint
    port 443
    protocol tcp
    active
  content Sharepoint_https_redirect
    vip address 10.4.16.54
    port 80
    protocol tcp
    url "/*"
    redirect "https://10.4.16.54/AHC/SitePages/Home.aspx"
    active
  content Sharepoint_http_Aspx
    vip address 10.4.16.54
    port 80
    advanced-balance arrowpoint-cookie
    add service Sharepoint-1
    add service Sharepoint-2
    protocol tcp
    url "/AHC/SitePages/Home.aspx"
    active
Here I'm assuming that you're not using backend SSL and your clear port is 80.
Basically, traffic comes in as https://10.4.16.54 and hits the encrypted rule, which sends the traffic to the SSL proxy list for decryption. Once decrypted, traffic is sent to the clear-text content rules; since there's no URI, the request matches the rule with the wildcard URL "/*". This rule performs a redirect and indicates to the client to come back, this time with the URI described ... the process starts all over, but this time the request will match the second clear-text rule, as the URI is more specific.
HTH
Pablo
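The flow Pablo describes, as an added example that is not from the thread or from Cisco: a Python model of CSS content-rule selection with SSL termination. The rule and service names are the ones from the reply; the matching logic (exact path or "/*" prefix, most specific rule wins, an SSL-terminating rule ignores its url/redirect) is a simplification, and the /_layouts path is a constructed stand-in for any URI other than Home.aspx. It walks the bare https://10.4.16.54 request through decrypt, redirect and forward, shows that without the specific Home.aspx rule the redirect target is caught by "/*" again (a loop the client eventually gives up on), and shows that with only one exact forwarding rule every other URI is redirected to Home.aspx too, so a site that loads other resources under the same host needs a broader forwarding rule.

```python
"""Model of CSS content-rule selection with SSL termination.

Added example, not from the thread or from Cisco.  It follows the flow
Pablo describes: the encrypted rule on 443 hands the flow to the SSL proxy
service, the decrypted request is matched again against the clear-text
rules on port 80, the most specific url match wins, and a rule carrying
'redirect' answers the client instead of forwarding to a service.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ContentRule:
    name: str
    port: int
    url: Optional[str] = None          # CSS 'url' command; None = match any path
    services: List[str] = field(default_factory=list)
    redirect: Optional[str] = None     # CSS 'redirect' command
    ssl_terminate: bool = False        # 'application ssl' + ssl-accel service
    clear_port: int = 80               # port the decrypted flow re-enters on


def url_matches(pattern: str, path: str) -> bool:
    """'/prefix/*' matches any path under the prefix; anything else is exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def specificity(pattern: str) -> Tuple[int, int]:
    """Exact paths beat wildcards; among wildcards the longer prefix wins."""
    return (0 if pattern.endswith("*") else 1, len(pattern))


def select_rule(rules: List[ContentRule], port: int, path: str) -> Optional[ContentRule]:
    """Most specific matching rule on this port.  An SSL-terminating rule
    ignores its url/redirect: the CSS cannot read layer 5 inside an
    encrypted flow, which is why those commands are dropped from the 443 rule."""
    best, best_key = None, None
    for rule in rules:
        if rule.port != port:
            continue
        pattern = None if rule.ssl_terminate else rule.url
        if pattern is not None and not url_matches(pattern, path):
            continue
        key = (-1, 0) if pattern is None else specificity(pattern)
        if best is None or key > best_key:
            best, best_key = rule, key
    return best


def resolve(rules: List[ContentRule], port: int, path: str) -> Optional[ContentRule]:
    """Rule the request finally lands on, after decryption if the first hit
    is an SSL-terminating rule (the decrypted flow re-enters on clear_port)."""
    rule = select_rule(rules, port, path)
    if rule is not None and rule.ssl_terminate:
        rule = select_rule(rules, rule.clear_port, path)
    return rule


def handle(rules: List[ContentRule], url: str, max_hops: int = 5):
    """Follow one client request, including the redirects it is told to
    follow.  Returns (services or None, trail of decisions)."""
    trail = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        path = parts.path or "/"
        rule = resolve(rules, port, path)
        if rule is None:
            trail.append(f"{url}: no matching rule, client times out")
            return None, trail
        if rule.redirect:
            trail.append(f"{url}: {rule.name} -> 302 Location: {rule.redirect}")
            url = rule.redirect
            continue
        trail.append(f"{url}: {rule.name} -> {', '.join(rule.services)}")
        return rule.services, trail
    trail.append("redirect loop: the redirect target keeps matching a redirect rule")
    return None, trail


# Pablo's proposed configuration, as rule objects.
PABLO_RULES = [
    ContentRule("Sharepoint_https", 443, services=["ssl_sharepoint"], ssl_terminate=True),
    ContentRule("Sharepoint_https_redirect", 80, url="/*",
                redirect="https://10.4.16.54/AHC/SitePages/Home.aspx"),
    ContentRule("Sharepoint_http_Aspx", 80, url="/AHC/SitePages/Home.aspx",
                services=["Sharepoint-1", "Sharepoint-2"]),
]
# Same set without the specific rule: the redirect target is caught by '/*' again.
LOOP_RULES = [r for r in PABLO_RULES if r.name != "Sharepoint_http_Aspx"]


if __name__ == "__main__":
    for url in ("https://10.4.16.54", "https://10.4.16.54/AHC/SitePages/Home.aspx",
                "https://10.4.16.54/_layouts/15/init.js"):   # last path is constructed
        print("\n".join(handle(PABLO_RULES, url)[1]), end="\n\n")
    print("\n".join(handle(LOOP_RULES, "https://10.4.16.54")[1]))
```

Running it prints the decision trail for each request; the loop case stops after five hops, which is the model's stand-in for a browser refusing to follow further redirects.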

Similar Messages

  • SSL redirect not working?

    Hi,
    have anyone been able to get SSL redirect working in ical and address book server?
    In Apple documentation it says "redirecting ssl access redirects request for the http port and sends them to the https port". But it does not seems to work. Connecting to https port is working.
    Bernt
    Message was edited by: kenguru

  • Cisco ACE SSL termination

    Hello Friends,
    Need your help on Cisco ACE SSL termination.
    If I import the certificate and key (.PEM), where will these files be saved?
    Can we download the .PEM file any time we need (back-up)?
    Suppose my .PEM got hacked and the hacker is sniffing the data packets going through the web server; is it possible to decrypt the packets and see the exact packet?
    Regards,
    Naren

    Naren,
    1. In order to import certs and keys, please see the following link to the command reference.  To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode.  Regarding how and where the ACE actually saves this information, I do not know this answer.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
    2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
    3. You can decrypt captured HTTPS traffic if you have the private key.  It is important to limit access to it.  Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
    Hope this helps!
    Regards,
    Matt

  • IPhone, Activesync, and OWA SSL Redirection

    I've been banging my head against "Push Mail" since the 2.0 software was released last week. I tried all the answers here, I had Exchange 2003 SP2, my virtual directory was properly configured, OMA working fine, certificate installed on the iPhone, all to no avail.
    I finally figured out the problem with my setup, and despite normally being too lazy to post, I figured I would in case anybody else was having the same problem.
    If your OWA is configured like mine was, I had 2 sites configured on our mail server using host headers; one for SSL only, and one to redirect regular http requests to the SSL site. The iPhone did not work with this setup.
    To get it going, I deleted the secondary "HTTP only" site, and re-configured SSL redirection by allowing non SSL requests to the root of the SSL site, with a default.asp page forcing client-side redirection instead:
    <% Response.Redirect "https://your.mail.server/exchange" %>
    It now works flawlessly.
    This was really irritating to track down, especially with the complete lack of errors on either the phone or the server, but I'm glad it's over. If it helps even one other person out there then it was worth posting about.
    -Tommy
    Message was edited by: JustAGuyNamedTommy

    Hi,
    Based on my research, you can disable SSL 2.0 and force SSL 3.0 in IIS. For more detailed information, please refer to the link below:
    SSL v3 on Windows 2008
    How to disable SSL 2.0 and force SSL 3.0 and TLS 1.0 in IIS
    In addition, it seems that the Nokia E5 uses NetFront Browser v3.5, and NetFront Browser v3.5 supports SSL 2.0 and SSL 3.0. I am not sure of that; you'd better contact your phone vendor for further assistance.
    Best regards,
    Susie

  • Cisco 1841 SSL VPN and Anyconnect Help

    I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using Anyconnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via Anyconnect I get an error saying "Untrusted VPN Server Blocked." If I change the Anyconnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
    Current configuration : 7741 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname buchanan1841
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    enable secret 5 XXXXXXX
    enable password XXXX
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    crypto pki trustpoint buchanan_Certificate
    enrollment selfsigned
    revocation-check crl
    rsakeypair buchanan_rsakey_pairname
    crypto pki certificate chain buchanan_Certificate
    certificate self-signed 01
      30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
      170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
      311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
      0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
      AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
      79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
      0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
      68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
      97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
      DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
      4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
      3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
            quit
    dot11 syslog
    ip source-route
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username buchanan privilege 15 password 0 XXXXX
    username cybera password 0 cybera
    username skapple privilege 15 secret 5 XXXXXXXXXX
    username buckys secret 5 XXXXXXXXXXX
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key p2uprEswaspus address XXXXXX
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set cybera esp-3des esp-md5-hmac
    crypto ipsec profile cybera
    set transform-set cybera
    archive
    log config
      hidekeys
    ip ssh version 1
    interface Tunnel0
    description Cybera WAN - IPSEC Tunnel
    ip address x.x.x.x 255.255.255.252
    ip virtual-reassembly
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile cybera
    interface FastEthernet0/0
    description LAN Connection
    ip address 192.168.1.254 255.255.255.0
    ip helper-address 192.168.1.2
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description WAN Connection
    ip address x.x.x.x 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    shutdown
    atm restart timer 300
    no atm ilmi-keepalive
    interface Virtual-Template2
    ip unnumbered FastEthernet0/0
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
    ip local pool LAN_POOL 192.168.1.50 192.168.1.99
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    ip route 4.71.21.0 255.255.255.224 x.x.x.x
    ip route 10.4.0.0 255.255.0.0 x.x.x.x
    ip route 10.5.0.0 255.255.0.0 x.x.x.x
    ip route x.x.x.x 255.255.240.0 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip route x.x.x.x 255.255.255.255 x.x.x.x
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
    ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    password xxxxx
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address x.x.x.x port 443
    http-redirect port 80
    ssl trustpoint buchanan_Certificate
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
    webvpn context employees
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "LAN_POOL"
       svc default-domain "buchanan.local"
       svc keep-client-installed
       svc dns-server primary 192.168.1.2
       svc wins-server primary 192.168.1.2
    virtual-template 2
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_2
    gateway gateway_1
    max-users 10
    inservice
    end
    buchanan1841#

    Perhaps you have changed the host-/domainname after the certificate was created?
    I'd generate a new one ...
    Michael
    Please rate all helpful posts

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
    Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try.

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However, users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection, which then egresses out to the internet from there. Typically this could be done using a route-map (which ASAs do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • 301 Wiki SSL redirect via Server Admin not working

    I can't get http://myserver.com/wiki to redirect to https://myserver.com/wiki. I have other 301 redirects to send users to https pages working fine. How can I fix this? Thanks for your time - it's much appreciated. (Mavericks/Server Admin 3.1.2)

    Regarding the redirect, I don't really understand why it's not possible. You can edit the non-SSL website in Web and add a 301 for /Wiki to redirect to https://myserver.com/wiki. In fact you can redirect the entire site to SSL - but that is problematic. I can understand why Mavericks server would be designed to automatically use SSL for wiki logins, if it's available. I only looked at redirects because this was not working. Without a redirect or with a redirect - I can login to Wiki via non-SSL or SSL. Where (specifically in which text file) are these redirects created using Server Admin written to? I can't find them in apache2/httpd.conf. Thanks again for your help.

  • OHS VirtualHost only SSL - redirect to equivalent of IIS HTTP Error 403.4 - Forbidden: SSL is required to view this resource

    Hi,
    I'm completely new to OHS and have been asked to ensure that a URL that goes to OHS should only be accessible on HTTPS, if accessed by HTTP it should go to the equivalent of IISs
    HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
    As OHS is the frontend to our SOA installation we have specific files under /moduleconf/ for the virtualhosts, an example of one is below. 
    Can anyone give me any clues/best practice to only allow this VirtualHost to be allowed on HTTPS/SSL and to not redirect non SSL to SSL but to an error page like the equivalent mentioned above.
    Any guidance would be greatly appreciated.  Many thanks
    <VirtualHost *:443>
      ServerName testhub.example.com:443
      RewriteEngine On
      RewriteOptions inherit
      RewriteRule ^$ /osb/hub.asmx [NC,P]
      RewriteRule ^/$ /osb/hub.asmx [NC,P]
      RewriteRule ^/hub\.asmx$ /osb/hub.asmx [NC,P]
    <Location /sbinspection.wsil >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <Location /sbresource >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <Location /osb >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <Location /alsb >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <IfModule ossl_module>
      SSLEngine on
      SSLProtocol nzos_Version_1_0 nzos_Version_3_0_With_2_0_Hello nzos_Version_3_0
      SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
      SSLVerifyClient none
      SSLWallet  "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/host"
      SSLProxyEngine On
      SSLProxyWallet  "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/host"
      SSLCRLCheck Off
    </IfModule>
    </VirtualHost>

    Use https://221.135.134.52/vodacts/
    That gives me a certificate error because the server doesn't send an intermediate certificate that chains to a build-in root certificate.

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE as a CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: We use Aerohive as access points. And Aerohive does not support cisco-av-pair attributes, since it's Cisco proprietary.
    Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
    So the big question: Is there way to make the same redirect using standard radius attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before, please chime in.
    Thank you for rating helpful posts! 

  • Cisco RV320 SSL Timeout

    Hi,
    I try to connect my laptop to RV320 by VPN SSL connection.
    Every 8-15 minutes I get "session expired", even when I am working. I tried to increase the "Login Time" field to 9999, but without success.
    The problem also occurs on other computers.
    Any ideas?
    Thanks.

    Thus you are modifying the correct value. According to the related Cisco KB article, the "Session Idle Time" value means "enter the time, in minutes, before the existing session terminates after the connection becomes idle".
    > i get session expired, even when I am working
    Isn't your public IP address changed during your work? A changed client IP address (from the VPN router's point of view) is considered a good reason for breaking the VPN connection.
    Have you tried using a different browser to see whether you can reproduce the same results?

  • SSL Redirect Port ?

    Hello All,
    I'm a little confused, and I'm not getting there.
    I had this config scheme, and it works fine:
    Every SSL Traffic is ended in SSL Module, and give it back to content as port 80.
    It matches the content HTTP-Aplj, and sends traffic to service esl0011-7777.
    It works fine, with http and https.
    Then I tried the following many times, unsuccessfully:
    I want the http traffic to go just like the actual config, ending on the backend servers on port 7777, but I want the https traffic to be redirected to 4443.
    I have done some tries on several parts of the configs, adding new services for port 4443, the ssl-proxy-list, and adding a new content rule.
    I even got this message when I was trying to activate the content SSL.Aplj:
    %% Not all content VIP:Port combinations are configured in a ssl-proxy-list for sslAccel type of services
    Please give me some ideas to achieve this goal.
    The following config is the basic config for the 1st step. The working one.
    Best Regards,
    Bruno Petrónio
    ************** SSL-Proxy-List **************
    ssl-server 90 vip address 10.1.2.136
    ssl-server 90 urlrewrite 1 https:\\10.1.2.136
    ssl-server 90 rsacert xxxxcert
    ssl-server 90 rsakey xxxxkey
    ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 80
    ************** SERVICE **************
    service MODSSL
    slot 2
    type ssl-accel
    keepalive type none
    add ssl-proxy-list ssl1
    active
    service esl0011-7777
    ip address 10.1.1.120
    port 7777
    keepalive type http
    keepalive port 7777
    keepalive uri "/"
    active
    ************** OWNER **************
    owner Test
    content HTTP-Aplj
    vip address 10.1.2.136
    port 80
    protocol tcp
    add service esl0011-7777
    redundancy-l4-stateless
    active
    content SSL-Aplj
    vip address 10.1.2.136
    add service MODSSL
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    url "/*"
    redundancy-l4-stateless
    active

    try the following
    ssl-server 90 vip address 10.1.2.136
    ssl-server 90 urlrewrite 1 10.1.2.136
    ssl-server 90 rsacert xxxxcert
    ssl-server 90 rsakey xxxxkey
    ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 4443
    service esl0011-4443
    ip address 10.1.1.120
    port 4443
    keepalive type http
    keepalive uri "/"
    active
    content HTTP-4443
    vip address 10.1.2.136
    port 4443
    protocol tcp
    add service esl0011-4443
    active
    BTW, I also corrected your urlrewrite command as it was incorrect. You need to specify the host. So not http or https in front.
    Gilles.

  • Cisco ASA + Printer Redirection

    We are setting up our remote users to connect through our Cisco web portal. After they connect in through the SSL Clientless connection from our ASA, we then have a link for them to launch a Remote Desktop connection to one of our Remote Desktop Servers (OS: Win 2008 R2). Problem is, none of their local printers are coming across this connection into the Remote Desktop session. I know Microsoft requires Remote Desktop 6.1 to be used on client side in order for Easy Print to work, so I have a couple questions...
    1. Does the ASA have its own built-in Remote Desktop and if so, what version is this? And how do we find the version it's using? Or is it using the local Remote Desktop of the PC? (I don't believe we are using the java-based connection when launching the remote desktop session).
    2. Is there any special configuration that needs to be done on the ASA to allow local printer connections to come across the pipe and be allowed to show up in the user's remote desktop session?
    Thanks.
    -Ryan

    If the users are using a remote desktop link in the SSL portal, you may need to adjust the RDC parameters:
    http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1127332
    I think if you configure it with ASDM there are options like:
    The parameters available for the ActiveX client used by Microsoft Internet Explorer include:
    •RedirectDrives—Set to true to map remote drives locally.
    •RedirectPrinters—Set to true to map remote printers locally.
    •FullScreen— Set to true to start in FullScreen mode.
    •force_java—Set to yes to force the Java client.

  • Cisco ISE URL Redirect Update

    I made a mistake configuring the domain-name on my ISE appliance. I issued the no ip domain-name command and then added the domain-name I'd like to show up. It seems to have partially worked, as the FQDN on the appliance is now correct, but the redirect URL on my wireless LAN controller is still redirecting to the old domain.
    EX: WLC redirect: ise1.xyz.net
         ISE FQDN: ise1.abc.net
    Any ideas on how to change that?

    Although you have changed the domain-name on the ISE appliance, the output on the WLC still shows the older domain for the URL redirect. The reason behind this is that the domain name (FQDN) present as the common name (CN) on the server's certificate is still the old domain name.

  • Cisco ISE - CWA Redirect

    Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
    All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
    The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

    Poonam,
    I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
    1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
    2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
    3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
    4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
    Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
    Let me give you this example. Say I have the following configured:
    CONFIGURED SWITCH INTERFACE ACL (PACL)
      ip access-list standard ACL-ALLOW
       permit ip any any
    CONFIGURED SWITCH REDIRECT ACL (RACL)
      ip access-list extended ACL-WEBAUTH-REDIRECT
       permit tcp any any eq www 443
    CONFIGURED ISE DOWNLOADABLE ACL (DACL)
      permit tcp any host <psn01> eq 8443
      permit udp any host <dns01> eq 53
      deny ip any any
    Then the process would look like this:
    1. During dot1x negotiation the acl that is used is this:
    permit ip any any     <<<<<PACL
    2. Once CWA is in effect then the acl looks like this:
    redirect tcp host <host ip> any eq www 443             <<<<<<RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
    deny ip any any      <<<<<<DACL
    permit ip any any      <<<<<<PACL
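The composite ACL described in the reply above, as an added example that is not from the thread or from Cisco: a Python model that builds the RACL > DACL > PACL order the poster describes (RACL deny lines become pass-through permits, RACL permit lines become redirect entries, then the DACL, then the PACL) and evaluates sample packets against it with first-match semantics. The PSN, DNS and internet addresses are constructed placeholders. It goes one step beyond the thread's two-line RACL by also modelling the documented variant that excludes the PSN, so the two can be compared on a packet to the PSN on port 443.

```python
"""Model of how a switch composes the CWA redirect ACL (RACL), the ISE
downloadable ACL (DACL) and the static port ACL (PACL), following the
order the poster describes: RACL > DACL > PACL.  Added example, not from
the thread or from Cisco; all addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple

PSN01 = "10.0.0.10"      # constructed: ISE policy service node
DNS01 = "10.0.0.53"      # constructed: DNS server
OUTSIDE = "203.0.113.5"  # constructed: some host on the internet


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, destination host, destination ports."""
    action: str                   # "permit" | "deny" | "redirect"
    proto: str                    # "ip" | "tcp" | "udp"
    dst: str = "any"              # "any" or one host address
    dports: Tuple[int, ...] = ()  # empty tuple = any destination port

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return not self.dports or dport in self.dports

    def render(self) -> str:
        """Print the entry the way the poster writes the merged ACL."""
        host = "any" if self.dst == "any" else f"host {self.dst}"
        ports = f" eq {' '.join(map(str, self.dports))}" if self.dports else ""
        return f"{self.action} {self.proto} any {host}{ports}"


def compose(racl: List[Ace], dacl: List[Ace], pacl: List[Ace]) -> List[Ace]:
    """Effective per-session ACL once CWA is in effect.

    RACL 'deny' lines (traffic that must not be redirected) become plain
    permits at the top, RACL 'permit' lines become redirect entries, then
    the DACL from ISE, then the static PACL; first match wins.
    """
    merged = [Ace("permit", a.proto, a.dst, a.dports) for a in racl if a.action == "deny"]
    merged += [Ace("redirect", a.proto, a.dst, a.dports) for a in racl if a.action == "permit"]
    return merged + list(dacl) + list(pacl)


def evaluate(acl: List[Ace], proto: str, dst: str, dport: int) -> str:
    """First-match evaluation; no match ends in the implicit deny."""
    for ace in acl:
        if ace.matches(proto, dst, dport):
            return ace.action
    return "deny"


# The three ACLs from the poster's example.
PACL = [Ace("permit", "ip")]                         # static port ACL
RACL = [Ace("permit", "tcp", "any", (80, 443))]      # redirect www and 443
DACL = [Ace("permit", "tcp", PSN01, (8443,)),        # portal on the PSN
        Ace("permit", "udp", DNS01, (53,)),
        Ace("deny", "ip")]
# Documented variant: keep traffic to the PSN out of the redirect.
RACL_EXCLUDING_PSN = [Ace("deny", "tcp", PSN01, (80, 443))] + RACL


def session_acl(exclude_psn: bool = False) -> List[Ace]:
    """The ACL applied to the port while the session sits in the CWA state."""
    return compose(RACL_EXCLUDING_PSN if exclude_psn else RACL, DACL, PACL)


if __name__ == "__main__":
    for ace in session_acl():
        print(ace.render())
    # A client that does send www/443 traffic to the PSN hits the redirect
    # entry before the DACL permit, unless the RACL excludes the PSN.
    print(evaluate(session_acl(), "tcp", PSN01, 443))                   # redirect
    print(evaluate(session_acl(exclude_psn=True), "tcp", PSN01, 443))   # permit
```

With the thread's RACL, traffic to the PSN on 8443 and to DNS is permitted by the DACL exactly as the poster observes; the only packets that behave differently between the two RACL variants are www/443 packets addressed to the PSN itself.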
