https://community.cisco.com/t5/network-access-control/ise-posture-redirect-not-working/m-p/1968719#M187685 <P>ISE v1.1.0.665, 3395 h/w.</P><P>Single Admin/Monitor/Policy node.</P><P>WS-C3560-48TS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12.2(55)SE5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; C3560-IPBASEK9-M</P><P></P><P>For Client Provisioning I created an authorisation policy as follows:</P><P>download acl "ACL-POSTURE-REMEDIATION"</P><P>apply url redirect "ACL-POSTURE-REDIRECT".</P><P></P><P>"Debug radius" shows all this is downloaded to the switch but:</P><P>- Redirect does not work.</P><P>- dACL is not applied if the URL redirect is also configured.</P><P></P><P>Wireshark on the client shows no direct.</P><P></P><P>Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.</P><P></P><P>I've also attached screen shots of these policies and wireshark.</P> Mon, 11 Mar 2019 02:13:34 GMT grant.maynard 2019-03-11T02:13:34Z https://community.cisco.com/t5/network-access-control/ise-posture-redirect-not-working/m-p/1968719#M187685 <P>ISE v1.1.0.665, 3395 h/w.</P><P>Single Admin/Monitor/Policy node.</P><P>WS-C3560-48TS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12.2(55)SE5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; C3560-IPBASEK9-M</P><P></P><P>For Client Provisioning I created an authorisation policy as follows:</P><P>download acl "ACL-POSTURE-REMEDIATION"</P><P>apply url redirect "ACL-POSTURE-REDIRECT".</P><P></P><P>"Debug radius" shows all this is downloaded to the switch but:</P><P>- Redirect does not work.</P><P>- dACL is not applied if the URL redirect is also configured.</P><P></P><P>Wireshark on the client shows no direct.</P><P></P><P>Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.</P><P></P><P>I've also attached screen shots of these policies and wireshark.</P> Mon, 11 Mar 2019 02:13:34 GMT https://community.cisco.com/t5/network-access-control/ise-posture-redirect-not-working/m-p/1968719#M187685 grant.maynard 2019-03-11T02:13:34Z https://community.cisco.com/t5/network-access-control/ise-posture-redirect-not-working/m-p/1968720#M187687 <HTML><HEAD></HEAD><BODY><P>Grant,</P><P></P><P>It looks like you are changing the vlan after your client gets an ip address, it seems like the client gets an ip address of </P><P>192.168.16.164 and you are changing the vlan over to 516. I wanted to know if that is there isnt an ip to vlan mismatch before you move forward. If 516 is quarantine vlan you may want to start all clients on that vlan and use dynamic vlan assignment through change of authorization once a client becomes compliant. The reason is is that you can use the web portal, or the nac agent to change the ip address once the vlan is changed.</P><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Sun, 24 Jun 2012 03:51:48 GMT https://community.cisco.com/t5/network-access-control/ise-posture-redirect-not-working/m-p/1968720#M187687 Tarik Admani 2012-06-24T03:51:48Z