MVP
Posts: 111
Registered: ‎01-27-2016

Cisco switch - Redirect URL - HTTPS

I know there are a lot of discussions on this topic but I did not see anything that matched this issue exactly.

I am implementing Wired 802.1x/MAB/WebAuth with Clearpass and Cisco switches. 802.1x and MAB work well. I am having difficulty with the URL Redirect when using HTTPS.

I am able to properly send a URL Redirect and a URL Redirect ACL to the switch. These work great if the client tries to browse to an HTTP URL; they are properly redirected to the Clearpass URL.

If a client attempts to browse to an HTTPS URL, the browser says it cannot reach the site. Both IE and Chrome exhibit this issue.

I have IP HTTP SERVER and IP HTTP SECURE-SERVER enabled on the switch. I have tried various versions of IOS.

This seems like a Cisco bug but I would think others would be running into this same issue.

I have tested on 3560, 3750, 3850 with a few different IOS versions.

Occasional Contributor I
Posts: 9
Registered: ‎04-05-2016

Re: Cisco switch - Redirect URL - HTTPS

Can you post the ACL on the switch you are using?
MVP
Posts: 111
Registered: ‎01-27-2016

Re: Cisco switch - Redirect URL - HTTPS

I have tried a few different ACLs. Here is the current one...

ip access-list extended Web-Redirect
deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
deny udp any any eq domain
deny tcp any host 10.10.1.60
permit tcp any any

And the auth session details...

Interface: GigabitEthernet0/7
MAC Address: 88ae.1dac.83ba
IP Address: 10.10.20.56
User-Name: XXXX\XXXX
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect: https://clearpass.domain.com/guest/posture_check.php?mac=88:ae:1d:ac:83:ba
URL Redirect ACL: Web-Redirect
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A010100000018000F8AD5
Acct Session ID: 0x0000001C
Handle: 0xCB000019

Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: Cisco switch - Redirect URL - HTTPS

Can you try explicitly permitting http and https?

ip access-list extended Web-Redirect
deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
deny udp any any eq domain
deny tcp any host 10.10.1.60
permit tcp any any eq www
permit tcp any any eq 443

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 111
Registered: ‎01-27-2016

Re: Cisco switch - Redirect URL - HTTPS

Yes.

Same results. HTTP works but HTTPS doesn't.

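The original Web-Redirect ACL and the explicit www/443 variant classify HTTP and HTTPS flows identically, which is why the second ACL gave the same result. This added example (not code from the thread, Aruba or Cisco) evaluates both ACLs against sample flows; the external address 198.51.100.10 and the non-web ports are constructed, the rest comes from the posts above.

```python
# Added example, not from the thread: first-match evaluator for the two
# redirect ACLs posted above. In a Cisco URL-redirect ACL a "permit"
# match means the switch intercepts the flow and answers it itself;
# "deny" (and the implicit deny at the end) means normal forwarding.
# Only the "any" / "host X" address forms and "eq <port>" are parsed.
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "domain": 53, "www": 80}

ORIGINAL_ACL = """
ip access-list extended Web-Redirect
deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
deny udp any any eq domain
deny tcp any host 10.10.1.60
permit tcp any any
"""
EXPLICIT_PORTS_ACL = ORIGINAL_ACL.replace(  # variant suggested in the thread
    "permit tcp any any", "permit tcp any any eq www\npermit tcp any any eq 443")

Flow = namedtuple("Flow", "proto src dst dport")  # e.g. Flow("tcp", ..., 443)

def _take_addr(toks):
    """Consume 'any' (wildcard, returned as None) or 'host X'."""
    if toks[0] == "any":
        return None, toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    raise ValueError("unsupported address form: " + " ".join(toks))

def _parse_ace(line):
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:  # named or numeric destination port
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport

def classify(acl_text, flow):
    """Return 'redirect' or 'passthrough' for the first ACE matching flow."""
    for line in acl_text.strip().splitlines():
        if not line.strip() or line.startswith("ip access-list"):
            continue
        action, proto, src, dst, dport = _parse_ace(line)
        if (proto != flow.proto or (src and src != flow.src)
                or (dst and dst != flow.dst) or (dport and dport != flow.dport)):
            continue
        return "redirect" if action == "permit" else "passthrough"
    return "passthrough"  # implicit deny: unmatched flows are not redirected
```

Because both ACLs redirect port 443, the switch has to terminate the client's TLS session itself, so the certificate it presents, not the ACL, decides whether the browser accepts the redirect.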
Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: Cisco switch - Redirect URL - HTTPS

Are you able to manually browse to the HTTPS URL?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 111
Registered: ‎01-27-2016

Re: Cisco switch - Redirect URL - HTTPS

oop.. hit wrong button!

Yes, I can access the HTTPS URL for Clearpass without issue.

Occasional Contributor I
Posts: 9
Registered: ‎04-05-2016

Re: Cisco switch - Redirect URL - HTTPS

The ACL does look ok.

Likely you will need to do a pcap or run something like fiddler to get a better idea of what is not working.

Also try something like https://1.1.1.1
HSTS has been causing lots of grief.


Sent from my iPhone
MVP
Posts: 111
Registered: ‎01-27-2016

Re: Cisco switch - Redirect URL - HTTPS

Yeah, HSTS makes sense. I know this has worked in the past. With browsers increasing in security, I can see this breaking things. Still a problem for my client either way!! :-)

Same results with https://1.1.1.1 or any real IP.

I enabled HTTP SSL Error debugging on the switch and it does log...

%HTTPS: SSL read fail (-6992)

Followed by a lot of....

%HTTPS: SSL handshake fail (-6992)

MVP
Posts: 111
Registered: ‎01-27-2016

Re: Cisco switch - Redirect URL - HTTPS

Posting an update for fellow Airheads...

The Cisco switch is sending its own internal self-signed certificate when a client attempts to navigate to an HTTPS site. Due to the cert not being signed by a trusted public CA, Google Chrome blocks access citing HSTS with no option to proceed further. I was able to get an older browser, I believe it was IE, to prompt to accept the security warning and move forward. This however will likely not be the case for most users.

I am going to attempt to load a publicly signed certificate onto the switch to see if this will at least give users the browser warning (the site will not match the name on the cert) and allow them to click through. If this works, then this could be a possible alternative solution for customers.
