Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco switch - Redirect URL - HTTPS

  • 1.  Cisco switch - Redirect URL - HTTPS

    Posted Mar 08, 2017 09:38 PM

    I know there are a lot of discussions on this topic but I did not see anything that matched this issue exactly.

    I am implementing Wired 802.1x/MAB/WebAuth with Clearpass and Cisco switches. 802.1x and MAB work well. I am having difficulty with the URL Redirect when using HTTPS.

    I am able to properly send a URL Redirect and a URL Redirect ACL to the switch. These work great if the client tries to browse to an HTTP URL; they are properly redirected to the Clearpass URL.

    If a client attempts to browse to an HTTPS URL, the browser says it cannot reach the site. Both IE and Chrome exhibit this issue.

    I have IP HTTP SERVER and IP HTTP SECURE-SERVER enabled on the switch. I have tried various versions of IOS.

    This seems like a Cisco bug but I would think others would be running into this same issue.

    I have tested on 3560, 3750, 3850 with a few different IOS versions.



  • 2.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 08, 2017 11:43 PM
    Can you post the ACL on the switch you are using?


  • 3.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 09, 2017 06:16 AM

    I have tried a few different ACLs. Here is the current one...

    ip access-list extended Web-Redirect
    deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
    deny udp any any eq domain
    deny tcp any host 10.10.1.60
    permit tcp any any

    And the auth session details...


    Interface: GigabitEthernet0/7
    MAC Address: 88ae.1dac.83ba
    IP Address: 10.10.20.56
    User-Name: XXXX\XXXX
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-host
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Policy: N/A
    URL Redirect: https://clearpass.domain.com/guest/posture_check.php?mac=88:ae:1d:ac:83:ba
    URL Redirect ACL: Web-Redirect
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A0A010100000018000F8AD5
    Acct Session ID: 0x0000001C
    Handle: 0xCB000019



  • 4.  RE: Cisco switch - Redirect URL - HTTPS

    EMPLOYEE
    Posted Mar 09, 2017 08:01 AM

    Can you try explicitly permitting http and https?

     

    ip access-list extended Web-Redirect
    deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
    deny udp any any eq domain
    deny tcp any host 10.10.1.60
    permit tcp any any eq www
    permit tcp any any eq 443
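To see per flow what the redirect ACL from posts 3 and 4 actually does, here is a small evaluator (an added example, not the poster's or Cisco's code) that applies Cisco redirect-ACL semantics: a matching permit line marks traffic the switch intercepts and answers itself, a deny line or no match lets the traffic through. Run against the page's own ACL, it shows port 443 being intercepted exactly like port 80, which is why the client ends up talking to the switch's own HTTPS server and certificate instead of the real site.

```python
import ipaddress

# Redirect ACL quoted in posts 3 and 4 of this thread; the evaluator around it is
# added here and is not Cisco's or the poster's code.
WEB_REDIRECT_ACL = """
deny udp host 0.0.0.0 host 255.255.255.255 eq bootps
deny udp any any eq domain
deny tcp any host 10.10.1.60
permit tcp any any eq www
permit tcp any any eq 443
"""
PORT_NAMES = {"bootps": 67, "domain": 53, "www": 80}

def _addr(tok):
    """Consume one address spec: 'any' or 'host A.B.C.D'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError("unsupported address spec: " + " ".join(tok))

def _port(tok):
    """Consume an optional 'eq <port>' clause; None means any port."""
    if tok and tok[0] == "eq":
        name = tok[1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), tok[2:]
    return None, tok

def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = _addr(tok[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries

def redirect_decision(acl, proto, src, dst, dport):
    """Redirect-ACL semantics: a matching 'permit' means the switch intercepts the
    flow and answers the redirect itself; 'deny' or no match lets it through."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, _sport, d, dp in acl:
        if p == proto and s_ip in s and d_ip in d and dp in (None, dport):
            return "redirect" if action == "permit" else "pass"
    return "pass"
```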



  • 5.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 09, 2017 08:24 AM

    Yes.

    Same results. HTTP works but HTTPS doesn't.



  • 6.  RE: Cisco switch - Redirect URL - HTTPS
    Best Answer

    EMPLOYEE
    Posted Mar 09, 2017 08:29 AM
    Are you able to manually browse to the HTTPS URL?


  • 7.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 09, 2017 08:31 AM

    Oops.. hit wrong button!

    Yes, I can access the HTTPS URL for Clearpass without issue.



  • 8.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 09, 2017 08:43 AM
    The ACL does look ok.

    Likely you will need to do a pcap or run something like fiddler to get a better idea of what is not working.

    Also try something like https://1.1.1.1
    HSTS has been causing lots of grief.


    Sent from my iPhone


  • 9.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 09, 2017 09:27 AM

    Yeah, HSTS makes sense. I know this has worked in the past. With browsers increasing in security, I can see this breaking things. Still a problem for my client either way!! :-)

    Same results with https://1.1.1.1 or any real IP.

    I enabled HTTP SSL Error debugging on the switch and it does log...

    %HTTPS: SSL read fail (-6992)

    Followed by a lot of....

    %HTTPS: SSL handshake fail (-6992)



  • 10.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Mar 16, 2017 09:04 AM

    Posting an update for fellow Airheads...

     

    The Cisco switch is sending its own internal self-signed certificate when a client attempts to navigate to an HTTPS site. Due to the cert not being signed by a trusted public CA, Google Chrome blocks access citing HSTS with no option to proceed further. I was able to get an older browser, I believe it was IE, to prompt to accept the security warning and move forward. This however will likely not be the case for most users.

    I am going to attempt to load a publicly signed certificate onto the switch to see if this will at least give users the browser warning (the site will not match the name on the cert) and allow them to click through. If this works, then this could be a possible alternative solution for customers.



  • 11.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Sep 01, 2017 11:03 AM

    Was anyone able to get this working? Is loading the public cert on the switch the answer? 



  • 12.  RE: Cisco switch - Redirect URL - HTTPS

    Posted Jun 18, 2019 11:02 PM

    Hi everyone,

    I built the Cisco switch and Clearpass for web authentication. I set the authentication method to "allow all mac auth" for unknown MACs to continue on to web-auth, but the switch does not receive the redirect URL. It just seems like the MAC authentication passes.

    Do you have any advice? Thanks!!

    Switch#show authentication sessions interface GigabitEthernet0/20
    Interface: GigabitEthernet0/20
    MAC Address: 089e.019e.ccfe
    IP Address: 10.10.51.129
    User-Name: 089e019eccfe
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-auth
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Policy: N/A
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A0A33CD0000002000503B57
    Acct Session ID: 0x00000001
    Handle: 0x49000021

    Runnable methods list:
    Method State
    mab Authc Success
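The difference between the session in post 3 (redirect working) and the one in post 12 (no redirect) is visible in the `show authentication sessions` output itself: post 12's session has no URL Redirect and no URL Redirect ACL line, so the switch never received them from the RADIUS reply. Here is a small checker (an added example, not the poster's or Cisco's code) that parses that output and lists what is missing; the attribute names url-redirect and url-redirect-acl in the messages are the Cisco AV pairs those fields come from, which the thread itself does not mention.

```python
# Two 'show authentication sessions interface' dumps, constructed from the ones
# quoted in posts 3 and 12 of this thread (trimmed to the relevant fields).
SESSION_POST_3 = """\
Interface: GigabitEthernet0/7
MAC Address: 88ae.1dac.83ba
Status: Authz Success
Oper host mode: multi-host
URL Redirect: https://clearpass.domain.com/guest/posture_check.php?mac=88:ae:1d:ac:83:ba
URL Redirect ACL: Web-Redirect
"""
SESSION_POST_12 = """\
Interface: GigabitEthernet0/20
MAC Address: 089e.019e.ccfe
Status: Authz Success
Oper host mode: multi-auth
Runnable methods list:
Method State
mab Authc Success
"""

NO_URL = "no URL Redirect: the RADIUS reply carried no url-redirect AV pair"
NO_ACL = "no URL Redirect ACL: the RADIUS reply carried no url-redirect-acl AV pair"
NOT_AUTHZ = "session is not in Authz Success"

def parse_session(text):
    """Collect the 'Key: Value' lines; the methods list at the end is a table,
    not key/value pairs, so stop there."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("Runnable methods list"):
            break
        key, sep, val = line.partition(":")
        if sep:
            attrs[key.strip()] = val.strip()
    return attrs

def redirect_findings(text):
    """Return the reasons a web-auth redirect cannot happen for this session
    (an empty list means the switch holds everything it needs)."""
    s = parse_session(text)
    findings = []
    if s.get("Status") != "Authz Success":
        findings.append(NOT_AUTHZ)
    if "URL Redirect" not in s:
        findings.append(NO_URL)
    if "URL Redirect ACL" not in s:
        findings.append(NO_ACL)
    return findings
```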