https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442614#M527008 <HTML><HEAD></HEAD><BODY><P>Not redirecting all port 80 traffic only port 80 traffic to the default gateway. So say your customer’s network is a 10.x.x.x network and their default gateways are .1. Your posture redirect ACL can look like this:</P><P></P><P>ip access-list extended POSTURE-REDIRECT</P><P> permit tcp any 10.0.0.1 0.255.255.0 eq 80</P><P></P><P>That will only redirect port 80 to the DGs. Then your DACL can allow the required access you want before posture is assessed. I believe the DACL is applied before the redirect so a DACL like this should work at a minimum:</P><P></P><P>permit udp any any eq domain</P><P>permit tcp any 10.0.0.1 0.255.255.0 eq 80</P><P>permit ip any host </P><P>etc. to permit traffic to the PSNs</P><P>deny ip any any</P><P></P><P>Not sure what you are blocking in your posture unknown state currently. Blocking too much in the unknown state can break a lot of things.</P><P></P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Tue, 05 Sep 2017 23:15:13 GMT paul 2017-09-05T23:15:13Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442609#M527003 <HTML><HEAD></HEAD><BODY><P style="font-size: 14px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">I am deploying ISE for a client and they complaint about web browser popping up and redirecting to Clients Provisioning Portal (CPP) on user’s PC during posture. Although, it doesn’t require any user interaction/intervention but it is not desired.</P><P></P><P style="font-size: 14px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">What can be done to ensure posture stop’s popping up client’s browser and redirecting to CPP?</P></BODY></HTML> Mon, 04 Sep 2017 19:56:53 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442609#M527003 kajibola 2017-09-04T19:56:53Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442610#M527004 <HTML><HEAD></HEAD><BODY><P>Change your redirect ACL on the switch.&nbsp; Assuming you don't need ISE to install the AnyConnect Posture Module (which you really shouldn't) then you don't need to redirect all traffic to the client provisioning portal.&nbsp; You really only need to redirect port 80 to the default gateway to allow posture module discovery to work.&nbsp; You can use a DACL to block the traffic you want preposture.</P></BODY></HTML> Tue, 05 Sep 2017 01:39:08 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442610#M527004 paul 2017-09-05T01:39:08Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442611#M527005 <HTML><HEAD></HEAD><BODY><P>Thanks Paul.</P><P></P><P>I did not understand your solution very well hence couldn't get it to work.</P><P></P><P>What I did was to disable CPP on the authorization policy for posture. In-as-much that Anyconnect is already installed and they don't need anyconnect installation through browser, that solves the issue.</P></BODY></HTML> Tue, 05 Sep 2017 14:51:53 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442611#M527005 kajibola 2017-09-05T14:51:53Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442612#M527006 <HTML><HEAD></HEAD><BODY><P>By removing the CPP redirect you are probably breaking posturing for clients that haven’t postured before. Read up on how posture discovery works in order to understand why the CPP redirect is there and how the ACL on the switch to redirect plays into posture discovery. The sequence for discovery is:</P><P></P><P>1. http discovery probe on port 80 to default gateway if no discovery host</P><P>2. http discovery probe on port 80 to discovery host, if configured (via HTTP Redirect)</P><P>3. https discovery probe on port 8905 to discovery host, if configured</P><P>4. http discovery probe on port 80 to default gateway (via HTTP Redirect)</P><P>5. https reconnect probe on port 8905 to previously contacted ISE Policy Services node</P><P></P><P>You are probably working because you are hitting step 5 and have a previous PSN you reported posture to. New clients won’t have that and they will fail discovery and get “no policy server found” most likely.</P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Tue, 05 Sep 2017 17:57:12 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442612#M527006 paul 2017-09-05T17:57:12Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442613#M527007 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P></P><P>I have never tried with a PC that have never contacted ISE before to see if the process will be broken.</P><P></P><P>The initial solution you give which is redirecting only traffic to port 80 and using DACL to block the traffic I don't want pre-posture doesn't work.</P><P></P><P>Any suggestion?</P></BODY></HTML> Tue, 05 Sep 2017 23:05:53 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442613#M527007 kajibola 2017-09-05T23:05:53Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442614#M527008 <HTML><HEAD></HEAD><BODY><P>Not redirecting all port 80 traffic only port 80 traffic to the default gateway. So say your customer’s network is a 10.x.x.x network and their default gateways are .1. Your posture redirect ACL can look like this:</P><P></P><P>ip access-list extended POSTURE-REDIRECT</P><P> permit tcp any 10.0.0.1 0.255.255.0 eq 80</P><P></P><P>That will only redirect port 80 to the DGs. Then your DACL can allow the required access you want before posture is assessed. I believe the DACL is applied before the redirect so a DACL like this should work at a minimum:</P><P></P><P>permit udp any any eq domain</P><P>permit tcp any 10.0.0.1 0.255.255.0 eq 80</P><P>permit ip any host </P><P>etc. to permit traffic to the PSNs</P><P>deny ip any any</P><P></P><P>Not sure what you are blocking in your posture unknown state currently. Blocking too much in the unknown state can break a lot of things.</P><P></P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Tue, 05 Sep 2017 23:15:13 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442614#M527008 paul 2017-09-05T23:15:13Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442615#M527009 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">Try permitting (Not redirecting traffic) for the captive portal detection packet. It depends on the OS but different vendors have different ways to test the network to see if there is a captive network like guest portal that is waiting for user interaction. Typically the OS sends a test packet to a predefined site and see if it gets expected response. If something other than expected response is received then it opens a browser window as it thinks there is a guest portal waiting for user interaction. In general this is not an issue, but ISE posture may take longer than the captive portal test interval which may cause the OS browser to popup.</P><P style="font-size: 13.3333px;">- MS: <A href="http://www.msftncsi.com/ncsi.txt" title="http://www.msftncsi.com/ncsi.txt">http://www.msftncsi.com/ncsi.txt</A></P><P style="font-size: 13.3333px;"><SPAN>- Apple: </SPAN><A class="jive-link-external-small" href="http://captive.apple.com/hotspot-detect.html" rel="nofollow" target="_blank">http://captive.apple.com/hotspot-detect.html</A></P><P style="font-size: 13.3333px;">- Google: <A href="http://www.gstatic.com/generate_204" title="http://www.gstatic.com/generate_204">http://www.gstatic.com/generate_204</A></P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">You just need to find out what IP the host maps to and allow http to the host in the redirect ACL for posture. This will prevent the browser pop-up during posture.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Hosuk</P></BODY></HTML> Wed, 06 Sep 2017 15:11:09 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442615#M527009 howon 2017-09-06T15:11:09Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442616#M527010 <HTML><HEAD></HEAD><BODY><P>@Paul, your solution works. Thanks.</P></BODY></HTML> Wed, 06 Sep 2017 20:42:05 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442616#M527010 kajibola 2017-09-06T20:42:05Z https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442617#M527011 <HTML><HEAD></HEAD><BODY><P>Hello Paul,</P><P></P><P>Once again thanks for the solution, it works perfectly well for the wired deployment.</P><P></P><P>I want to confirm if you have ever implemented it for wireless deployment using the WLC Posture Redirect ACL and Airespace ACL also.</P><P></P><P>I am also planning to implement it on wireless but not yet available to go to site.</P></BODY></HTML> Wed, 27 Sep 2017 07:13:28 GMT https://community.cisco.com/t5/network-access-control/ise-posture-popping-up-browser-and-redirecting-to-cpp-not/m-p/3442617#M527011 kajibola 2017-09-27T07:13:28Z