I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.
Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?
I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients. What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.
My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch (3850, 3750X) certificate. Firefox and Chrome both work without issues on the test Macbooks. I'm unable to find anything in the Bugtoolkit about it.
If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.
This issue has been resolved. It turned out that the Macbook was trying to do a CRL download to confirm that the certificate was valid. I am pretty sure it was because the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store. Firefox works because they handle CRL checks differently.
I had two different resolutions as I had the problem at two different customers/sites.
First test was allowing access to crl.godaddy.com. After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.
At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all Macbooks to resolve the issue.
In addition - and worthy of note. If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.
tl;dr - Double-check Certificate trust settings on Apple because they are evil.
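
The first resolution described above (excluding the CRL host from redirection and permitting it in the dACL), sketched as an added example that is not part of the original post. The ACL name, the ISE portal port and every IP address are placeholder assumptions (RFC 5737 documentation addresses), and CRL retrieval over HTTP on port 80 is assumed; substitute the addresses that crl.godaddy.com and your ISE node actually resolve to.

```cisco
! --- On the switch (3750X / 3850): URL-redirect ACL referenced by the CWA authorization profile.
! In an IOS redirect ACL, "deny" means "do not redirect" and "permit" means "redirect".
! ACL-WEBAUTH-REDIRECT is a hypothetical name.
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark Do not redirect DNS or DHCP
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 remark Do not redirect traffic to the ISE node hosting the CWA portal (placeholder IP)
 deny   ip any host 192.0.2.10
 remark Do not redirect CRL downloads: placeholder for the address of crl.godaddy.com
 deny   tcp any host 192.0.2.20 eq www
 remark Redirect all other web traffic to the CWA portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- In ISE: downloadable ACL (dACL) content for the pre-authentication state.
! Not being redirected is not enough; the dACL must also let the CRL request through.
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
! ISE portal, placeholder IP; 8443 is assumed as the portal port
permit tcp any host 192.0.2.10 eq 8443
! CRL distribution point, placeholder IP (assumed HTTP)
permit tcp any host 192.0.2.20 eq www
deny   ip any any
```

If the CRL host resolves to several addresses or changes over time, each address needs its own pair of entries, which is one reason the second site pushed the intermediate certificate to the clients instead.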