topic Re: ISE Posture pending in Network Access Control

ISE Posture pending

Wesoley — Thu, 01 Dec 2016 11:40:01 GMT

Hello,

I am newly configuring and testing Posturing/Client Provisioning on ISE. I configured Client_Provisioning Policy with a Posture_Policy.

The redirection is being pushed to the switch but when the client opens a webpage they are not redirected to the ISE page.

See configs below

SW#show authentication sessions interface g1/0/44
            Interface: GigabitEthernet1/0/44
          MAC Address: 00b5.6d00.6fc3
           IP Address: 10.128.32.58
            User-Name: username
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
     URL Redirect ACL: TAC-Redirect
         URL Redirect: https://10.128.1.20:8443/portal/gateway?sessionId=0A80041C00000A053AFFCB...
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A80041C00000A053AFFCBAC
      Acct Session ID: 0x00000AF8
               Handle: 0x9F000A06

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Extended IP access list TAC-Redirect
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.128.1.20
    40 deny ip any host 10.129.1.20
    50 permit tcp any any eq www
    60 permit tcp any any eq 443

The dynamic ACL xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc is a permit ip any any

I did a debug epm logging and debug ip http on the switch and this is what I am getting - [Python] synise - Pastebin.com

Any help would be greatly appreciated.

Re: ISE Posture pending

Neelesh Marathe — Thu, 01 Dec 2016 19:28:09 GMT

Hello Wesley,

What is the version of ISE?

You can check for following

1 if using proxy, try to bypass ISE ip address

2. Check if ISE ip address is reachable from Endpoint on 8443

3. Make sure you have layer 3 connectivity between endpoint subnet and switch management subnet as switch intercept the http traffic and reply on behalf of destination URL.

4. If ISE 2.1, check on ISE if portal is responding on port 8443. Because i have seen issues where port 8443 on ISE stopped working

Thanks,

Neelesh

Re: ISE Posture pending

Neelesh Marathe — Thu, 01 Dec 2016 19:39:16 GMT

Also check if ip http and ip http secure services are enabled on switch

Re: ISE Posture pending

Wesoley — Thu, 01 Dec 2016 21:21:22 GMT

I am using ISE 2.1. I can verify that the client can ping the gateway. The client does not use any proxy server. If I copy and paste the URL in the browser, I get the prompt to download the agent.

I can ping the switch and the ISE server. ip http and http secure server are enabled. Did you check the pastebin above?

Re: ISE Posture pending

DavidCiciora — Sun, 04 Dec 2016 05:56:28 GMT

Could you try to assign a dns name to the psn you are redirecting to and changing your web redirect URL to the dns name Instead of the ip? I believe for redirection to take place that some form of dns resolution has to happen.

ofcourse make sure your client has dns set and can properly resolve what ever url is in your browser when you open it.

ALso, I know for a fact that the initial URL has to be resolvable (let's say your home page was google) before redirection will even take place. I see similar behavor in web authenticated wireless setups when home pages are set to intranet sites and redirection never happens because that's not resolvable on guest wifi.

Re: ISE Posture pending

Wesoley — Sun, 04 Dec 2016 11:56:27 GMT

It somehow seemed to be a routing issue. The setup is like this - access switch---->core switch---->Firewall. The default gw of the access switch is the core switch. The core switch has SVIs for all of the other VLANs but not the one we were testing with. Routing for that VLAN is done on the firewall. So I moved the user to another VLAN on the access switch and got the redirection page . I added an SVI on the core switch and got the redirection page also.

Re: ISE Posture pending

apatel2489 — Mon, 12 Feb 2018 14:42:13 GMT

Hi Dear,

how did you sort it out this issue?

i have same network layout like yours and have same issue with ISE new version but not sure how i can sort it out wth Routing?

Thanks