https://community.cisco.com/t5/network-access-control/ise-cwa-flow-validation/m-p/3575227#M511748 <HTML><HEAD></HEAD><BODY><P>Hi Team,</P><P>I'm working on an ISE POC with a customer and we ran into an issue with ISE CWA on switches without SVI's in the Data/Access VLAN's. The customer is using an ASA as their default GW for all vlans so every vlan needs to go through policy for communication.&nbsp; I have put together the attached flow based on information I have read but would like to verify this is correct and I'm not missing anything. Due to the asymmetry of how URL Redirection works, I can see how this will cause a problem with Firewalls.&nbsp; I have also added some alternative designs in the image.&nbsp; Is there any Best Practice Designs with this type of scenario?&nbsp; Also, Is this flow accurate?</P><P></P><P><IMG alt="ISE CWA Flow_Access Switch WO SVI.jpg" class="image-1 jive-image" src="/legacyfs/online/fusion/115798_ISE CWA Flow_Access Switch WO SVI.jpg" style="height: 349px; width: 620px;" /></P></BODY></HTML> Wed, 07 Mar 2018 17:01:13 GMT tolarosa@cisco.com 2018-03-07T17:01:13Z https://community.cisco.com/t5/network-access-control/ise-cwa-flow-validation/m-p/3575227#M511748 <HTML><HEAD></HEAD><BODY><P>Hi Team,</P><P>I'm working on an ISE POC with a customer and we ran into an issue with ISE CWA on switches without SVI's in the Data/Access VLAN's. The customer is using an ASA as their default GW for all vlans so every vlan needs to go through policy for communication.&nbsp; I have put together the attached flow based on information I have read but would like to verify this is correct and I'm not missing anything. Due to the asymmetry of how URL Redirection works, I can see how this will cause a problem with Firewalls.&nbsp; I have also added some alternative designs in the image.&nbsp; Is there any Best Practice Designs with this type of scenario?&nbsp; Also, Is this flow accurate?</P><P></P><P><IMG alt="ISE CWA Flow_Access Switch WO SVI.jpg" class="image-1 jive-image" src="/legacyfs/online/fusion/115798_ISE CWA Flow_Access Switch WO SVI.jpg" style="height: 349px; width: 620px;" /></P></BODY></HTML> Wed, 07 Mar 2018 17:01:13 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-flow-validation/m-p/3575227#M511748 tolarosa@cisco.com 2018-03-07T17:01:13Z https://community.cisco.com/t5/network-access-control/ise-cwa-flow-validation/m-p/3575228#M511749 <HTML><HEAD></HEAD><BODY><P>Summation is correct and yes, we have seen customer's hit issue when default GW is a firewall due to reasons noted.</P><P>I have also posted a number of flows here <A href="https://community.cisco.com/docs/DOC-76491">ISE Auth-Feature Flows_v1.pdf</A> and similar scenario is highlighted in an "oldie but goody" guide here <A href="https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/app_note_c27-577494.html?dtid=osscdc000283" title="https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/app_note_c27-577494.html?dtid=osscdc000283">IBNS: Web Authentication Deployment and Configuration Guide - Cisco</A> in section titled "TCP Traffic Flow for Login Page When No Layer 3 SVI for Host VLAN Exists on Access Switch".&nbsp;&nbsp; This older guide is talking about local web auth, but the redirection concepts are the same. </P></BODY></HTML> Thu, 08 Mar 2018 05:00:36 GMT https://community.cisco.com/t5/network-access-control/ise-cwa-flow-validation/m-p/3575228#M511749 Craig Hyps 2018-03-08T05:00:36Z