We're all hardcore network engineers here right? We all sling packets using nothing but the CLI on our gear? We've all got the "CLI OR DIE" bumper sticker? OK. We're all on the same page then. So, when you're configuring Cisco Identity Services Engine (ISE) and the documentation says it's mandatory to enable "ip http server" on your switches in order to do central web authentication (CWA) (ie, the captive portal for authenticating users on guest devices) that probably makes you uncomfortable right?

Fear not. It's not as bad as it sounds. I'll explain why.

First off, yes, the docs are correct, you do have to enable the http and https services on your access switches. CWA does not work if those commands are not present. I found the

admin guide was weak in explaining the need for the http server when doing CWA. It's clear that if you're doing local web auth, where the switch is serving up the portal pages, that you need the http server turned on but it's not totally clear you need that for CWA. The Switch Configuration Required to Support Cisco ISE Functions document does a bit better job.

So that's the bad news. Here's the good news: the users don't actually establish an IP layer connection to the http service on the switch.

CWA works by redirecting the user's browser to the web auth portal running on the ISE Policy Service Node when the user first tries to hit the web. In order for this redirection to happen transparently, the switch needs some help from the http server service. Think of enabling the http server kind of like enabling a feature that allows the switch to do deeper inspection of tcp/80 and tcp/443 packets.

Ok, so the guest users don't hit the http server but the service is still running which means your switches now have two extra tcp ports open on the management plane that they otherwise wouldn't. Well, we can't close the ports, but we can put up an ACL on the management interface which blocks incoming connections to port 80 and 443.

ip access-list extended SWITCH_MGMT
  deny tcp any any eq 80
  deny tcp any any eq 443
  permit ip any any

If you don't care about the ports being open and only want to prevent management of the switch via the web UI, you can turn off the management web pages without turning off the entire http service using these commands:

ip http secure-active-session-modules none
ip http active-session-modules none

So there you go. In this case, you can have your cake and eat it too.