WSA HTTPS Decryption


HTTPS connections encrypt the traffic of most websites to ensure confidentiality. That encrypted traffic can still carry malicious content such as malware, viruses and other threats. The Cisco WSA supports HTTPS decryption, which allows the appliance to view the contents of the connection and inspect the traffic.

When HTTPS decryption is used on a WSA, there are two separate HTTPS connections: one between the user and the WSA, and another between the WSA and the web server. The WSA therefore performs the SSL handshake twice. In the handshake between the user and the WSA, the WSA sends the client its own certificate, spoofing the certificate of the requested web server.

The diagram below represents the traffic flow between a client and an HTTPS server when the connection passes through the WSA.



ISE TrustSec using RESTAPI


By default, Cisco ISE uses a PAC file transmitted over RADIUS to exchange TrustSec environment data between ISE and the Network Access Devices (NADs). From ISE version 2.7 onwards, ISE also supports exchanging this information using a REST API over HTTPS. Transferring TrustSec environment data over HTTPS is faster, more reliable and more secure than using RADIUS.

Requirements

  • The communication between ISE and the NAD uses tcp/9603 to transfer TrustSec environment data over HTTPS using REST.
  • Cisco NADs (switches and routers) must be running software version 16.12.2, 17.1.1 or higher.
  • The credentials each NAD uses to authenticate to ISE must be unique.

This post assumes that the basic ISE and TrustSec configuration has already been applied and covers enabling the exchange of TrustSec environment data using the REST API over HTTPS.

The following software versions were used:

  • Cisco Identity Services Engine (ISE) 3.0
  • Cisco CSR1000v 17.3.1