topic It somehow seemed to be a in Network Access Control

ISE Posture Pending

Wesoley — Mon, 11 Mar 2019 07:15:43 GMT

Hello,

I am newly configuring and testing Posturing/Client Provisioning on ISE. I configured Client_Provisioning Policy with a Posture_Policy.

The redirection is being pushed to the switch but when the client opens a webpage they are not redirected to the ISE page.

See configs below

SW#show authentication sessions interface g1/0/44
            Interface: GigabitEthernet1/0/44
          MAC Address: 00b5.6d00.6fc3
           IP Address: 10.128.32.58
            User-Name:  username
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
     URL Redirect ACL: TAC-Redirect
         URL Redirect: https://10.128.1.20:8443/portal/gateway?sessionId=0A80041C00000A053AFFCBAC&portal=a2eef740-7e54-11e4-9ebe-005056bf01c7&action=cpp&token=4d8ad888c678873e7f8455b036b804c5
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A80041C00000A053AFFCBAC
      Acct Session ID: 0x00000AF8
               Handle: 0x9F000A06

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Extended IP access list TAC-Redirect
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.128.1.20
    40 deny ip any host 10.129.1.20
    50 permit tcp any any eq www
    60 permit tcp any any eq 443
    70 permit tcp any any eq 8443

The dynamic ACL xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc is a permit ip any any

Any help would be greatly appreciated.

hello ,

saifnetzone — Thu, 01 Dec 2016 09:52:32 GMT

hello ,

kindly access any local server web on your LAN . Most probably you will be redirected .

Saifnetzone,

Wesoley — Thu, 01 Dec 2016 10:52:46 GMT

Saifnetzone,

I will try that this morning. I have always been trying to access a public url. However, I was doing a debug yesterday and look at what I was getting.

http://pastebin.com/4b5gGjR4

USE this ACL

saifnetzone — Thu, 01 Dec 2016 13:21:05 GMT

ISE Version 2.1

I will try it and let you

Wesoley — Thu, 01 Dec 2016 13:21:06 GMT

I will try it and let you know. What version of ISE are you running?

What ACL do you have for your DACL?

It somehow seemed to be a

Wesoley — Sun, 04 Dec 2016 00:53:18 GMT

It somehow seemed to be a routing issue. The customer is doing routing for all VLANs on the core switch but not the one we were testing with. The setup is like this - access switch---->core switch. The default gw of the access switch is the core switch. The core switch has SVIs for all of the other VLANs but not the one we were testing with. Routing for that VLAN is done on the firewall. So I moved the user to another VLAN on the access switch and got the redirection page 🙂 Thanks for your assistance.