Cisco 11500 SSL redirection
I'm attempting to redirect SSL from the base site to a different page on the same SSL site. I want to redirect https://10.4.16.54/* to https://10.4.16.54/AHC/SitePages/Home.aspx. If I enter https://10.4.16.54/AHC/SitePages/Home.aspx, site loads, but if I enter simply https://10.4.16.54, it times out. The ssl_sharepoint service is my ssl_proxy_list. Thanks for any help.
content Sharepoint_https
  flow-timeout-multiplier 10
  sticky-inact-timeout 35
  vip address 10.4.16.54
  application ssl
  add service ssl_sharepoint
  advanced-balance ssl
  url "/*"
  port 443
  protocol tcp
  redirect "/AHC/SitePages/Home.aspx"
  active

content Sharepoint_https_redirect
  vip address 10.4.16.54
  application ssl
  advanced-balance ssl
  flow-timeout-multiplier 10
  sticky-inact-timeout 35
  add service ssl_sharepoint
  port 443
  protocol tcp
  url "/AHC/SitePages/Home.aspx"
  active
Hi Gary,
First off, I'd recommend you clean up the url and redirect commands from your 443 rules: as 443 is encrypted, the CSS is not able to look at layer 5 info within the traffic, making these commands useless for these rules.
That being said; since you're using SSL termination your configuration for HTTPS-to-HTTPS redirect would look like this:
content Sharepoint_https
  vip address 10.4.16.54
  application ssl
  advanced-balance ssl
  flow-timeout-multiplier 10
  add service ssl_sharepoint
  port 443
  protocol tcp
  active

content Sharepoint_https_redirect
  vip address 10.4.16.54
  port 80
  protocol tcp
  url "/*"
  redirect "https://10.4.16.54/AHC/SitePages/Home.aspx"
  active

content Sharepoint_http_Aspx
  vip address 10.4.16.54
  port 80
  advanced-balance arrowpoint-cookie
  add service Sharepoint-1
  add service Sharepoint-2
  protocol tcp
  url "/AHC/SitePages/Home.aspx"
  active
Here I'm assuming that you're not using backend SSL and your clear port is 80.
Basically, traffic comes in as https://10.4.16.54 and hits the encrypted rule, which sends the traffic to the SSL proxy list for decryption. Once decrypted, the traffic is sent to the clear-text content rule; since there's no URI, the request matches the rule with the wildcard URL "/*". This rule performs a redirect and indicates to the client to come back, this time with the URI described ... the process starts all over, but this time the request will match the second clear-text rule as the URI is more specific.
HTH
Pablo
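The two-pass flow Pablo describes, traced through a small model of CSS content-rule selection. This is an added example, not code from the thread or from Cisco: the VIP, rule names, services and URIs come from Pablo's configuration, while the matching and precedence logic (L4 rule, then wildcard L5 rule, then literal L5 rule; url predicates unreadable on an encrypted 443 flow) is a simplification assumed for illustration. It also shows the edge case the literal-URI rule protects against: without it the wildcard rule would catch the redirected request as well and loop the client.

```python
"""Model of CSS content-rule selection for Pablo's HTTPS-to-HTTPS redirect.

Added example, not from the thread or from Cisco. Rule names, VIP, services
and URIs are taken from the configuration above; the matching/precedence
rules below are an assumed simplification of CSS behaviour.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class ContentRule:
    name: str
    vip: str
    port: int
    url: Optional[str] = None        # layer-5 predicate such as "/*"
    redirect: Optional[str] = None   # redirect the client instead of balancing
    services: List[str] = field(default_factory=list)
    ssl_proxy: bool = False          # "application ssl": flow goes to the SSL module

    def matches(self, vip: str, port: int, uri: str, encrypted: bool) -> bool:
        if (vip, port) != (self.vip, self.port):
            return False
        if self.url is None:         # plain layer-4 rule
            return True
        if encrypted:
            # The CSS cannot read layer 5 inside an encrypted flow, so a url
            # predicate on a 443 rule is never satisfied (Pablo's first point).
            return False
        return fnmatchcase(uri, self.url)

    def specificity(self) -> int:
        if self.url is None:
            return 0
        return 1 if self.url.endswith("*") else 2


def select_rule(rules, vip, port, uri, encrypted) -> Optional[ContentRule]:
    """Most specific matching rule wins, as on the CSS."""
    cands = [r for r in rules if r.matches(vip, port, uri, encrypted)]
    return max(cands, key=ContentRule.specificity) if cands else None


def trace(rules, url: str, max_hops: int = 5) -> Tuple[List[str], List[str]]:
    """Follow one client request until a rule load-balances it.

    Returns (steps, services); raises RuntimeError on a redirect loop."""
    steps: List[str] = []
    for hop in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        uri, port = "/" + path, (443 if scheme == "https" else 80)
        rule = select_rule(rules, host, port, uri, encrypted=(scheme == "https"))
        if rule is None:
            raise LookupError(f"no content rule matches {url}")
        steps.append(f"{url} -> {rule.name}")
        if rule.ssl_proxy:
            # The SSL module decrypts and re-injects the request on the clear
            # port, where the layer-5 rules can finally see the URI.
            rule = select_rule(rules, host, 80, uri, encrypted=False)
            if rule is None:
                raise LookupError(f"no clear-text rule matches {uri}")
            steps.append(f"decrypted {uri} -> {rule.name}")
        if rule.redirect is None:
            return steps, rule.services
        if rule.redirect == url:
            raise RuntimeError(f"redirect loop on {url}")
        url = rule.redirect          # client comes back with the new URI
    raise RuntimeError("too many hops")


def redirect_loops(rules, url: str) -> bool:
    """True when the rule set bounces the client forever."""
    try:
        trace(rules, url)
        return False
    except RuntimeError:
        return True


VIP = "10.4.16.54"
HOME = f"https://{VIP}/AHC/SitePages/Home.aspx"
PABLO_RULES = [
    ContentRule("Sharepoint_https", VIP, 443, services=["ssl_sharepoint"], ssl_proxy=True),
    ContentRule("Sharepoint_https_redirect", VIP, 80, url="/*", redirect=HOME),
    ContentRule("Sharepoint_http_Aspx", VIP, 80, url="/AHC/SitePages/Home.aspx",
                services=["Sharepoint-1", "Sharepoint-2"]),
]

if __name__ == "__main__":
    for step in trace(PABLO_RULES, f"https://{VIP}")[0]:
        print(step)
    # Drop the literal-URI rule and the wildcard rule redirects the client to
    # the URL it just arrived with.
    without_aspx = [r for r in PABLO_RULES if r.name != "Sharepoint_http_Aspx"]
    print("loops without Aspx rule:", redirect_loops(without_aspx, f"https://{VIP}"))
```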
Similar Messages
-
SSL redirect not working?
Hi,
have anyone been able to get SSL redirect working in ical and address book server?
In the Apple documentation it says "redirecting SSL access redirects requests for the http port and sends them to the https port". But it does not seem to work. Connecting to the https port is working.
Bernt
Message was edited by: kenguru
-
Hello Friends,
Need your help on Cisco ACE SSL termination.
If I import the certificate and key (.PEM), where will these files be saved?
Can we download the .PEM file any time we need it (back-up)?
Suppose my .PEM got hacked and the hacker is sniffing the data packets going to the web server; is it possible to decrypt the packets and see the exact packet?
Regards,
Naren

Naren,
1. In order to import certs and keys, please see the following link to the command reference. To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode. Regarding how and where the ACE actually saves this information, I do not know this answer.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
3. You can decrypt captured HTTPS traffic if you have the private key. It is important to limit access to it. Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
Hope this helps!
Regards,
Matt
-
IPhone, Activesync, and OWA SSL Redirection
I've been banging my head against "Push Mail" since the 2.0 software was released last week. I tried all the answers here, I had Exchange 2003 SP2, my virtual directory was properly configured, OMA working fine, certificate installed on the iPhone, all to no avail.
I finally figured out the problem with my setup, and despite normally being too lazy to post, I figured I would in case anybody else was having the same problem.
If your OWA is configured like mine was, I had 2 sites configured on our mail server using host headers; one for SSL only, and one to redirect regular http requests to the SSL site. The iPhone did not work with this setup.
To get it going, I deleted the secondary "HTTP only" site, and re-configured SSL redirection by allowing non SSL requests to the root of the SSL site, with a default.asp page forcing client-side redirection instead:
<% Response.Redirect "https://your.mail.server/exchange" %>
It now works flawlessly.
This was really irritating to track down, especially with the complete lack of errors on either the phone or the server, but I'm glad it's over. If it helps even one other person out there then it was worth posting about.
-Tommy
Message was edited by: JustAGuyNamedTommy

Hi,
Based on my research, you can disable SSL 2.0 and force SSL 3.0 in IIS. For more detailed information, please refer to the link below:
SSL v3 on Windows 2008
How to disable SSL 2.0 and force SSL 3.0 and TLS 1.0 in IIS
In addition, it seems that the Nokia E5 uses NetFront Browser v3.5, and NetFront Browser v3.5 supports SSL 2.0 and SSL 3.0. I am not sure of that; you'd better contact your phone vendor for further assistance.
Best regards,
Susie
-
Cisco 1841 SSL VPN and Anyconnect Help
I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using AnyConnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via AnyConnect I get an error saying "Untrusted VPN Server Blocked." If I change the AnyConnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another site-to-site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
Current configuration : 7741 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname buchanan1841
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
crypto pki trustpoint buchanan_Certificate
enrollment selfsigned
revocation-check crl
rsakeypair buchanan_rsakey_pairname
crypto pki certificate chain buchanan_Certificate
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
crypto ipsec profile cybera
set transform-set cybera
archive
log config
hidekeys
ip ssh version 1
interface Tunnel0
description Cybera WAN - IPSEC Tunnel
ip address x.x.x.x 255.255.255.252
ip virtual-reassembly
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile cybera
interface FastEthernet0/0
description LAN Connection
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.2
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description WAN Connection
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface ATM0/0/0
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
interface Virtual-Template2
ip unnumbered FastEthernet0/0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
password xxxxx
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint buchanan_Certificate
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
webvpn context employees
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "LAN_POOL"
svc default-domain "buchanan.local"
svc keep-client-installed
svc dns-server primary 192.168.1.2
svc wins-server primary 192.168.1.2
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
end
buchanan1841#

Perhaps you have changed the host-/domainname after the certificate was created?
I'd generate a new one ...
Michael
Please rate all helpful posts
-
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
Thanks

Hi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also, can you try different SSL ciphers, as one difference between browsers is the ciphers they use? 3DES should be a good option to try.
-
Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access
Greetings,
I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
OR
Am I forced to put the ASA behind the filtering device somehow?

Hi Jim,
You can use tunnel default route for vpn traffic:
ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
This route is applicable for only vpn traffic.
HTH,
Shetty
-
301 Wiki SSL redirect via Server Admin not working
I can't get http://myserver.com/wiki to redirect to https://myserver.com/wiki. I have other 301 redirects to send users to https pages working fine. How can I fix this? Thanks for your time - it's much appreciated. (Mavericks/Server Admin 3.1.2)
Regarding the redirect, I don't really understand why it's not possible. You can edit the non-SSL website in Web and add a 301 for /Wiki to redirect to https://myserver.com/wiki. In fact you can redirect the entire site to SSL - but that is problematic. I can understand why Mavericks server would be designed to automatically use SSL for wiki logins, if it's available. I only looked at redirects because this was not working. Without a redirect or with a redirect - I can login to Wiki via non-SSL or SSL. Where (specifically in which text file) are these redirects created using Server Admin written to? I can't find them in apache2/httpd.conf. Thanks again for your help.
-
Hi,
I'm completely new to OHS and have been asked to ensure that a URL that goes to OHS is only accessible over HTTPS; if accessed over HTTP it should return the equivalent of IIS's
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
As OHS is the frontend to our SOA installation we have specific files under /moduleconf/ for the virtual hosts; an example of one is below.
Can anyone give me any clues/best practice on allowing this VirtualHost only over HTTPS/SSL, and not redirecting non-SSL to SSL but sending it to an error page like the IIS equivalent mentioned above?
Any guidance would be greatly appreciated. Many thanks
<VirtualHost *:443>
  ServerName testhub.example.com:443
  RewriteEngine On
  RewriteOptions inherit
  RewriteRule ^$ /osb/hub.asmx [NC,P]
  RewriteRule ^/$ /osb/hub.asmx [NC,P]
  RewriteRule ^/hub\.asmx$ /osb/hub.asmx [NC,P]
  <Location /sbinspection.wsil >
    SetHandler weblogic-handler
    WebLogicCluster OSB1:8011,OSB2:8011
  </Location>
  <Location /sbresource >
    SetHandler weblogic-handler
    WebLogicCluster OSB1:8011,OSB2:8011
  </Location>
  <Location /osb >
    SetHandler weblogic-handler
    WebLogicCluster OSB1:8011,OSB2:8011
  </Location>
  <Location /alsb >
    SetHandler weblogic-handler
    WebLogicCluster OSB1:8011,OSB2:8011
  </Location>
  <IfModule ossl_module>
    SSLEngine on
    SSLProtocol nzos_Version_1_0 nzos_Version_3_0_With_2_0_Hello nzos_Version_3_0
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
    SSLVerifyClient none
    SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/host"
    SSLProxyEngine On
    SSLProxyWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/host"
    SSLCRLCheck Off
  </IfModule>
</VirtualHost>

Use https://221.135.134.52/vodacts/
That gives me a certificate error because the server doesn't send an intermediate certificate that chains to a built-in root certificate.
-
Cisco ISE - CWA redirect in another way than cisco-av-pair?
Hello.
I'm trying to set up ISE as a CWA.
I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
But here is the problem: we use Aerohive access points, and Aerohive does not support cisco-av-pair attributes, since they are Cisco proprietary.
Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
So the big question: is there a way to make the same redirect using standard RADIUS attributes?
Thank you.

Unfortunately there isn't. I have done a project with ISE and Aerohive before and, outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
I could be wrong here, so if someone else has done this before, please chime in.
Thank you for rating helpful posts!
-
Hi,
I try to connect my laptop to RV320 by VPN SSL connection.
Every 8-15 minutes I get "session expired", even when I am working. I tried to increase the "Login Time" field to 9999 but without success.
The problem also occurs on other computers.
Any ideas?
Thanks.

Thus you are modifying the correct value. According to the related Cisco KB article, the "Session Idle Time" value means "enter the time, in minutes, before the existing session terminates after the connection becomes idle".
> i get session expired, even when I am working
Isn't your public IP address changed during your work? Changed client IP address (from VPN Router point of view) is considered as good reason for breaking VPN connection.
Have you tried to use a different browser and try to reproduce with the same results?
-
Hello All,
I'm a little confused, and I'm not getting there.
I had this config scheme, and it works fine:
All SSL traffic is ended in the SSL module and given back to the content rule as port 80.
It matches the content HTTP-Aplj and sends the traffic to service esl0011-7777.
It works fine with http and https.
Then I tried, many times and unsuccessfully, the following:
I want http traffic to go just like the current config, ending on the backend servers on port 7777, but I want the https traffic to be redirected to 4443.
I have done some tries on several parts of the config, adding new services for port 4443, an ssl-proxy-list, and adding a new content rule.
I even got this message when I was trying to activate the content SSL-Aplj:
%% Not all content VIP:Port combinations are configured in a ssl-proxy-list for sslAccel type of services
Please give me some ideas to achieve this goal.
The following config is the basic config for the 1st step. The working one.
Best Regards,
Bruno Petrónio
************** SSL-Proxy-List **************
ssl-server 90 vip address 10.1.2.136
ssl-server 90 urlrewrite 1 https:\\10.1.2.136
ssl-server 90 rsacert xxxxcert
ssl-server 90 rsakey xxxxkey
ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 80

************** SERVICE **************
service MODSSL
  slot 2
  type ssl-accel
  keepalive type none
  add ssl-proxy-list ssl1
  active

service esl0011-7777
  ip address 10.1.1.120
  port 7777
  keepalive type http
  keepalive port 7777
  keepalive uri "/"
  active

************** OWNER **************
owner Test
  content HTTP-Aplj
    vip address 10.1.2.136
    port 80
    protocol tcp
    add service esl0011-7777
    redundancy-l4-stateless
    active

  content SSL-Aplj
    vip address 10.1.2.136
    add service MODSSL
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    url "/*"
    redundancy-l4-stateless
    active

Try the following:
ssl-server 90 vip address 10.1.2.136
ssl-server 90 urlrewrite 1 10.1.2.136
ssl-server 90 rsacert xxxxcert
ssl-server 90 rsakey xxxxkey
ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 4443

service esl0011-4443
  ip address 10.1.1.120
  port 4443
  keepalive type http
  keepalive uri "/"
  active

content HTTP-4443
  vip address 10.1.2.136
  port 4443
  protocol tcp
  add service esl0011-4443
  active
BTW, I also corrected your urlrewrite command as it was incorrect. You need to specify the host. So not http or https in front.
Gilles.
-
Cisco ASA + Printer Redirection
We are setting up our remote users to connect through our Cisco web portal. After they connect in through the SSL Clientless connection from our ASA, we then have a link for them to launch a Remote Desktop connection to one of our Remote Desktop Servers (OS: Win 2008 R2). Problem is, none of their local printers are coming across this connection into the Remote Desktop session. I know Microsoft requires Remote Desktop 6.1 to be used on client side in order for Easy Print to work, so I have a couple questions...
1. Does the ASA have its own built-in Remote Desktop and if so, what version is it? And how do we find the version it's using? Or is it using the local Remote Desktop of the PC? (I don't believe we are using the Java-based connection when launching the remote desktop session.)
2. Is there any special configuration that needs to be done on the ASA to allow local printer connections to come across the pipe and be allowed to show up in the user's remote desktop session?
Thanks.
-Ryan

If the users are using a remote desktop link in the SSL portal, you may need to adjust the RDC parameters:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1127332
I think if you configure it with ASDM there are options like:
The parameters available for the ActiveX client used by Microsoft Internet Explorer include:
•RedirectDrives—Set to true to map remote drives locally.
•RedirectPrinters—Set to true to map remote printers locally.
•FullScreen— Set to true to start in FullScreen mode.
•force_java—Set to yes to force the Java client.
-
I made a mistake configuring the domain-name on my ISE appliance. I issued to the no ip domain-name and then added the domain-name I'd like to show up. It seems to have partially worked, as the FQDN on the appliance is now correct but the redirect URL on my wireless LAN controller is still redirecting to the old domain.
EX: WLC redirect: ise1.xyz.net
ISE FQDN: ise1.abc.net
Any ideas on how to change that?

Although you have changed the domain-name on the ISE appliance, the output on the WLC still shows the older domain for the URL redirect. The reason is that the domain name (FQDN) present as the common name (CN) on the server's certificate is still the old domain name.
-
Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

Poonam,
I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
Let me give you this example. Say I have the following configured:
CONFIGURED SWITCH INTERFACE ACL (PACL)
ip access-list standard ACL-ALLOW
  permit ip any any

CONFIGURED SWITCH REDIRECT ACL (RACL)
ip access-list extended ACL-WEBAUTH-REDIRECT
  permit tcp any any eq www 443

CONFIGURED ISE DOWNLOADABLE ACL (DACL)
  permit tcp any host <psn01> eq 8443
  permit udp any host <dns01> eq 53
  deny ip any any

Then the process would look like this:
1. During dot1x negotiation the acl that is used is this:
  permit ip any any <<<<<PACL
2. Once CWA is in effect then the acl looks like this:
  redirect tcp host <host ip> any eq www 443 <<<<<<RACL
  permit tcp host <host ip> host <psn01 ip> eq 8443 <<<<<<DACL
  permit udp host <host ip> host <dns01 ip> eq 53 <<<<<<DACL
  deny ip any any <<<<<<DACL
  permit ip any any <<<<<<PACL
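The merged-ACL evaluation the post above describes, as an added example that is not from the thread or from Cisco IOS: it takes the poster's three ACLs, merges them in the order given (RACL with deny rewritten to permit and permit to redirect, then the DACL, then the static PACL) and runs sample packets through the result. The <psn01>/<dns01> addresses are constructed stand-ins, and the merge semantics are the poster's description taken as an assumption rather than verified IOS behaviour. One case worth noting is a client request to the PSN on 443: with no deny entry for the ISE nodes in the RACL it hits the redirect entry before the DACL can permit it, which is the situation the question is about.

```python
"""Evaluate the merged CWA session ACL described in the post above.

Added example, not from the thread or from Cisco IOS. The ACL text is the
poster's example; PSN01/DNS01 are constructed placeholders; the merge order
and deny->permit / permit->redirect rewrite are the poster's description.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

PSN01 = "192.0.2.10"   # constructed stand-in for <psn01>
DNS01 = "192.0.2.53"   # constructed stand-in for <dns01>
PORT_NAMES = {"www": "80", "domain": "53"}


@dataclass(frozen=True)
class Ace:
    action: str            # permit | deny as written; redirect after merge
    proto: str             # ip | tcp | udp
    dst: str               # "any" or a host address
    ports: FrozenSet[int]  # destination ports; empty set means any port


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS extended-ACL syntax used in the post
    (the source is always 'any' there and is skipped)."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 3
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = tok[i], i + 1
    ports: FrozenSet[int] = frozenset()
    if i < len(tok) and tok[i] == "eq":
        ports = frozenset(int(PORT_NAMES.get(p, p)) for p in tok[i + 1:])
    return Ace(action, proto, dst, ports)


def merge(racl: List[Ace], dacl: List[Ace], pacl: List[Ace]) -> List[Ace]:
    """Build the single ACL the switch applies while the port is in CWA state."""
    merged = []
    for ace in racl:
        # RACL permit = redirect this traffic; RACL deny = leave it untouched
        flipped = "redirect" if ace.action == "permit" else "permit"
        merged.append(Ace(flipped, ace.proto, ace.dst, ace.ports))
    return merged + list(dacl) + list(pacl)


def ace_matches(ace: Ace, proto: str, dst_ip: str, dst_port: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst != "any" and ace.dst != dst_ip:
        return False
    return not ace.ports or dst_port in ace.ports


def evaluate(acl: List[Ace], proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching entry decides; implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, proto, dst_ip, dst_port):
            return ace.action
    return "deny"


RACL = [parse_ace("permit tcp any any eq www 443")]
DACL = [parse_ace(f"permit tcp any host {PSN01} eq 8443"),
        parse_ace(f"permit udp any host {DNS01} eq 53"),
        parse_ace("deny ip any any")]
PACL = [parse_ace("permit ip any any")]


def pre_cwa_decision() -> str:
    """During dot1x negotiation only the static PACL is applied."""
    return evaluate(PACL, "tcp", "198.51.100.7", 80)   # permit


def cwa_decisions() -> Dict[str, str]:
    """Decisions once CWA is in effect and all three ACLs are merged."""
    acl = merge(RACL, DACL, PACL)
    return {
        "web_to_internet": evaluate(acl, "tcp", "198.51.100.7", 80),   # redirect
        "portal_8443": evaluate(acl, "tcp", PSN01, 8443),              # permit
        "dns": evaluate(acl, "udp", DNS01, 53),                        # permit
        "ssh_to_lan": evaluate(acl, "tcp", "192.0.2.99", 22),          # deny
        # No deny entry for the PSN in the RACL, so a client request to the
        # PSN on 443 hits the redirect entry before the DACL can permit it.
        "https_to_psn": evaluate(acl, "tcp", PSN01, 443),              # redirect
    }


if __name__ == "__main__":
    print("before CWA:", pre_cwa_decision())
    for name, decision in cwa_decisions().items():
        print(f"{name:>16}: {decision}")
```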