topic Posture redirection behind IP-Phone in Network Access Control

Posture redirection behind IP-Phone

jay3 — Sun, 08 Mar 2020 14:00:38 GMT

I need assistance in getting URL redirection for client provisioning to work when my PC is connected behind an IP-Phone.Redirection is working fine when the PC is connected directly to the switch but somehow, redirection is not even attempted when the PC is connected to a phone.The portal page is perfectly reachable when I copy and paste it to my browser, even when connected to the phone.

Re: Posture redirection behind IP-Phone

Cristian Matei — Sun, 08 Mar 2020 17:43:19 GMT

Hi,

Post your switch configuration for AAA, RADIUS and port configuration. What phone do you have? Is authentication/authorization successful for both phone and PC?

Regards,

Cristian Matei.

Re: Posture redirection behind IP-Phone

jay3 — Mon, 09 Mar 2020 07:18:54 GMT

Hi Cristian,

Thank you for your response.I tried this with a Cisco IP Phone 7821 & 8945 but still get the same result, authentication and authorization are successful for both the pc and the phone but no redirection.Please find the information you requested attached.

Re: Posture redirection behind IP-Phone

Cristian Matei — Sat, 14 Mar 2020 16:23:33 GMT

Hi,

Per the posted config, it looks like you don't actually enable/enforce authentication on the port. You're missing the following commands at the port-level:

authentication port-control auto

dot1x pae authenticator

mab

What is the output of command "show access-session interface GigabitEthernet1/0/4 detail" or "show authentication-session interface GigabitEthernet1/0/4"?

Use this guide to validate your implementation: https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Regards,

Cristian Matei.

Re: Posture redirection behind IP-Phone

jay3 — Sat, 14 Mar 2020 17:47:22 GMT

Hi Cristian, Thanks again for your response. You seem to have mistakenly missed those three commands.If you check again, you can see that I in fact do have those commands at port level.I have gone through the prescriptive deployment a couple of times but still can't identify the challenge.The output for "show authentication sessions interface g1/0/4 details" is exactly the same with and without the phone, but surprisingly, redirection fails to work behind the phone.

Regards..

Re: Posture redirection behind IP-Phone

Cristian Matei — Sat, 14 Mar 2020 18:22:57 GMT

Hi,

Apologies, i'm sure i looked all the way in the attachment, maybe it was not loaded completely. Anyways, it doesn't matter. Can you try to reconfigure your redirect ACL, so that only HTTP/HTTPS traffic is being redirected to the switch? Depending on how chatty the host is, the switches CPU may be flooded with useless data. So remove "permit ip any any", and add "permit tcp any any eq 80, permit tcp any any eq 443".

Regards,

Cristian Matei.