RFLRS07#sh run
Building configuration...

Current configuration : 7633 bytes
!
! Last configuration change at 13:26:07 WAT Thu Jul 5 2018 by admin
! NVRAM config last updated at 12:25:19 WAT Thu Jul 5 2018 by admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RFLRS07
!
boot-start-marker
boot-end-marker
!
enable secret 5 $K$NaRgBnAaG/Dxxk7h4ndsj.
!
username admin privilege 15 password password
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa server radius dynamic-author
 client ise_ip server-key cisco
!
aaa session-id common
clock timezone WAT 1
switch 1 provision ws-c3750g-24ts
system mtu routing 1504
vtp mode transparent
authentication critical recovery delay 1000
ip domain-name ise.domain
!
!
ip dhcp snooping
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-231623424
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-231623424
 revocation-check none
 rsakeypair TP-self-signed-231623424
!
!
crypto pki certificate chain TP-self-signed-231623424
 certificate self-signed 01
  ! <self-signed certificate hex dump omitted>
  quit
dot1x system-auth-control
dot1x critical eapol
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 30
 name users
!
vlan 35
 name REDIRECT
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 35
 switchport mode access
 ip access-group ACL-ALLOW in
 shutdown
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 35
 switchport mode access
 ip access-group ACL-ALLOW in
 shutdown
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 no ip address
!
interface Vlan50
 ip address x.x.x.x 255.255.255.0
!
ip default-gateway x.x.x.x
ip classless
ip http server
ip http secure-server
ip http secure-active-session-modules none
!
!
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   udp any host ise_ip eq 8905
 deny   udp any host ise_ip eq 8906
 deny   tcp any host ise_ip eq 8443
 deny   tcp any host ise_ip eq 8905
 permit ip any any
ip access-list extended CORPORATE_REDIRECT
 deny   udp any any eq domain
 deny   ip any host ise_ip
 permit tcp any any eq www
 deny   ip any any
ip access-list extended NONCORPORATE_REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip radius source-interface Vlan50
!
snmp-server community ciscoro RO
snmp-server trap-source Vlan50
snmp-server source-interface informs Vlan50
snmp-server enable traps mac-notification change move threshold
snmp-server host ise_ip version 2c cisco  mac-notification
snmp-server host ise_ip version 2c ciscoro  mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host ise_ip auth-port 1812 acct-port 1813 test username admin key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
vstack
!
line con 0
line vty 0 4
 transport input all
line vty 5 15
 transport input all
!
ntp clock-period 36029228
ntp server x.x.x.x
end

RFLRS07#
RFLRS07#sh authentication sessions int g1/0/3
            Interface:  GigabitEthernet1/0/3
          MAC Address:  2880.2301.638b
           IP Address:  ip_client
            User-Name:  user
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-Posture_ACL-5b3de49d
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://ise_name:8443/portal/gateway?sessionId=0A0132FA00000021046D2767&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=d8827bbe94c4afe70d2b53faec0d350f
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0132FA00000021046D2767
      Acct Session ID:  0x0000002B
               Handle:  0x5B000021

Runnable methods list:
       Method   State
       dot1x    Authc Success

RFLRS07#terminal monitor
RFLRS07#
Jul 5 11:16:13.128: epm-redirect:epm_redirect_cache_gen_hash: IP=ip_client Hash=284
Jul 5 11:16:13.128: epm-redirect:IP=ip_client: CacheEntryGet Success
Jul 5 11:16:13.128: epm-redirect:IP=ip_client: Ingress packet on [idb= GigabitEthernet1/0/2] matched with [acl=ACL-POSTURE-REDIRECT]
Jul 5 11:16:13.128: epm-redirect:IDB=GigabitEthernet1/0/2: Enqueue the packet with if_input=GigabitEthernet1/0/2
Jul 5 11:16:13.128: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_process ...
Jul 5 11:16:13.128: epm-redirect:IDB=GigabitEthernet1/0/2: Not an HTTP(s) packet
Jul 5 11:16:14.471: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_qualify ...
Jul 5 11:16:14.471: epm-redirect:epm_redirect_cache_gen_hash: IP=ip_client Hash=284
Jul 5 11:16:14.471: epm-redirect:IP=ip_client: CacheEntryGet Success
Jul 5 11:16:14.471: epm-redirect:IP=ip_client: Ingress packet on [idb= GigabitEthernet1/0/2] matched with [acl=ACL-POSTURE-REDIRECT]
Jul 5 11:16:14.471: epm-redirect:IDB=GigabitEthernet1/0/2: Enqueue the packet with if_input=GigabitEthernet1/0/2
Jul 5 11:16:14.471: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_process ...
Jul 5 11:16:14.471: epm-redirect:IDB=GigabitEthernet1/0/2: Not an HTTP(s) packet
Jul 5 11:16:15.016: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_qualify ...
Jul 5 11:16:15.016: epm-redirect:epm_redirect_cache_gen_hash: IP=ip_client Hash=284
Jul 5 11:16:15.016: epm-redirect:IP=ip_client: CacheEntryGet Success
Jul 5 11:16:15.016: epm-redirect:IP=ip_client: Ingress packet on [idb= GigabitEthernet1/0/2] matched with [acl=ACL-POSTURE-REDIRECT]
Jul 5 11:16:15.016: epm-redirect:IDB=GigabitEthernet1/0/2: Enqueue the packet with if_input=GigabitEthernet1/0/2
Jul 5 11:16:15.016: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_process ...
Jul 5 11:16:15.016: epm-redirect:IDB=GigabitEthernet1/0/2: Not an HTTP(s) packet
Jul 5 11:16:15.309: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_qualify ...
Jul 5 11:16:15.309: epm-redirect:epm_redirect_cache_gen_hash: IP=ip_client Hash=284
Jul 5 11:16:15.309: epm-redirect:IP=ip_client: CacheEntryGet Success
Jul 5 11:16:15.309: epm-redirect:IP=ip_client: Ingress packet on [idb= GigabitEthernet1/0/2] matched with [acl=ACL-POSTURE-REDIRECT]
Jul 5 11:16:15.309: epm-redirect:IDB=GigabitEthernet1/0/2: Enqueue the packet with if_input=GigabitEthernet1/0/2
Jul 5 11:16:15.309: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_process ...
Jul 5 11:16:15.309: epm-redirect:IDB=GigabitEthernet1/0/2: Not an HTTP(s) packet
Jul 5 11:16:15.486: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_qualify ...
Jul 5 11:16:15.486: epm-redirect:epm_redirect_cache_gen_hash: IP=ip_client Hash=284
Jul 5 11:16:15.486: epm-redirect:IP=ip_client: CacheEntryGet Success
Jul 5 11:16:15.486: epm-redirect:IP=ip_client: Ingress packet on [idb= GigabitEthernet1/0/2] matched with [acl=ACL-POSTURE-REDIRECT]
Jul 5 11:16:15.486: epm-redirect:IDB=GigabitEthernet1/0/2: Enqueue the packet with if_input=GigabitEthernet1/0/2
Jul 5 11:16:15.486: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_process ...
Jul 5 11:16:15.486: epm-redirect:IDB=GigabitEthernet1/0/2: Not an HTTP(s) packet
Jul 5 11:16:15.704: epm-redirect:IDB=GigabitEthernet1/0/2: In epm_host_ingress_traffic_qualify ...
Jul 5 11:16:15.704: epm-redirect:epm_redirect_cache_gen_hash: IP=ip_client Hash=284
Jul 5 11:16:15.704: epm-redirect:IP=ip_client: CacheEntryGet Success

RFLRS07#sh epm session ip ip_client
    Admission feature:  DOT1X
              ACS ACL:  xACSACLx-IP-Posture_ACL-5b3de49d
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://ise_domains:8443/portal/gateway?sessionId=0A0132FA0000001D00E3FFE6&portal=0d2ed780-6d90-11e5-978e-005056bf2f0a&action=cpp&token=8934fbe321a9040c7238a448077fbda8

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS     12.2(55)SE12          C3750-IPSERVICESK9-M