topic Re: ISE Posture redirect not happening in Network Access Control

ISE Posture redirect not happening

adamgibs7 — Fri, 21 Feb 2020 18:54:54 GMT

Dears,

I am trying to configure the wired posture by anyconnect client but it is not working, the PC hits the unknown authorization policy and remains in the unknown state and the show authentication session int gigX/X displays the redirect url but one thing is strange I get a token keyword in the URL as highlighted below in bold letters but the below link doesn't mentioned any where related to token hence it says that the redirect URL should end with =CPP,

Also the redirect ACL are entered with deny statement for ISE, Anti virus, dhcp,dns,& windows update server on top and then permit http and https

Extended IP access list ACL_REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host <ISE SERVER>
    40 deny ip any host <Anti virus server>
    50 deny ip any host <Windows update>
    60 permit tcp any any eq www (7162 matches)
    70 permit tcp any any eq 443 (106586 matches)
    80 deny ip any any

I m referring to the below link for no pop-up redirection.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118724-technote-ise-00.html#anc5

S1(config-if)#do sh authentication sessions interface gigabitEthernet 1/0/37 details
            Interface: GigabitEthernet1/0/37
          MAC Address: 9778.9778.9778
         IPv6 Address: FE00::,
         IPv4 Address: 10.10.10.9
            User-Name:  john
               Status: Authorized
               Domain: DATA
       Oper host mode: multi-host
     Oper control dir: both
      Session timeout: N/A
      Restart timeout: N/A
Periodic Acct timeout: N/A
       Session Uptime: 41s
    Common Session ID: AC18058C00000057268F6544
      Acct Session ID: 0x00000409
               Handle: 0x13000038
       Current Policy: POLICY_Gi2/0/37

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
         URL Redirect: https://ISE-PRI.xyz.local:8443/portal/gateway?sessionId=AC18058C00000057268F6544&portal=a6bb0db0-2230-11e6-99ab-005056bf55e0&action=cpp&token=e52d32844af1913bc338fd750a4a4401
     URL Redirect ACL: ACL_REDIRECT
              ACS ACL: xACSACLx-IP-Unknown_State_ACL-5ae84cfc

Method status list:
Method State

dot1x Authc Success

Re: ISE Posture redirect not happening

Octavian Szolga — Wed, 02 May 2018 08:23:43 GMT

Hi,

Does your switch management SVI is allowed to speak with your endpoint?

Make sure you don't enforce any URPF in the path because your redirect will not work.

For redirection to work, your switch will spoof your destination.

Can you please paste your dACL content? (IP-Unknown_State_ACL)

At switch level, the dACL is the first one applied.

Thanks,

Octavian

Re: ISE Posture redirect not happening

adamgibs7 — Wed, 02 May 2018 14:10:13 GMT

Yes it is was enabled but the thing was missing was IP http server and ip https-server commands, but I want to understand why we need a user Vlan SVI on the access switch for redirection due to security perspective it should not , except a mgmt. Vlan for managing the switch.

thanks

Re: ISE Posture redirect not happening

RichardAtkin — Wed, 02 May 2018 14:27:33 GMT

Those commands are required to allow the switch to do the URL redirection in the browser. The Client device needs to be able to communicate with the Switch SVI in order for this to work.

You can stop HTTP/HTTPS from being used for Switch Management while leaving those commands enabled (so url redirects work), by adding the commands;

ip http active-session-modules none

ip http secure-active-session-modules none

Re: ISE Posture redirect not happening

adamgibs7 — Wed, 02 May 2018 15:10:23 GMT

Dear thank u very much

I have a SVI on the ASA firewall then why it is looking on access switch SVI ?? actually I want to understand the reason behind it becz I m sure I have to face audit guys for this question.

Re: ISE Posture redirect not happening

RichardAtkin — Wed, 02 May 2018 16:54:56 GMT

The ASA doesn't have anything to do with anything at this point. The device that authenticates the Client is the device that is responsible for implementing the re-direct ACLs and for doing the actual URL re-direction, ie, the Switch. In order to do the redirection, the Client has to be able to access the switch SVI so it can then be bounced onwards to the ISE via the dynamically supplied URL-Redirect attribute. This is all done seamlessly - the first page the User will see is the ISE page.

Re: ISE Posture redirect not happening

Octavian Szolga — Wed, 02 May 2018 16:56:35 GMT

Hi,

The management SVI of the switch would do the trick.
The switch needs an SVI to source traffic from even though in fact the source IP of the traffic it sends to your PC needing redirection is the IP of the initial website you've requested.

If your switch has only one SVI (the management one) you need to make sure that it can communicate with your endpoint (the traffic is routed, no subject to any unicast reverse path forwarding check and allowed by any firewall in between).

One other approach would be to create on the switch one extra SVI for the same VLAN as for the endpoint (thus L2 adjacent with the endpoint) so that traffic is delivered directly (i.e. Layer2).

This second option does not (obviously) scale.

Regards,

Octavian

Re: ISE Posture redirect not happening

misinsuan2229 — Tue, 23 Oct 2018 09:30:15 GMT

We are currently working with this issue too, any resolution already for this on the ASA anyconnect side? we are getting the webredirection url and acl from ISE posture and client is getting the unknown status but cannot go to the redirection site for posturing.