https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102765#M561188 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1059785">@ISEduo</a>&nbsp;,</P> <P>Since redirection is not happening on the switch, let's check a couple of things:</P> <OL> <LI>Do you have Dynamic-Author configured on the switch?</LI> <LI>Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ?</LI> <LI>Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)?</LI> </OL> <P>If you are able to resolve enroll.cisco.com, that's great. The way it will be used is that when the client sends a HTTP-GET request to enroll.cisco.com, it will be redirected by the switch, to the ISE IP.&nbsp;</P> Sat, 13 Jun 2020 20:23:06 GMT Anurag Sharma 2020-06-13T20:23:06Z https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102732#M561187 <P>Hi, I am seeing a strange behavior of Anyconnect Posture Module. I am trying to do redirection based Posture scan for my clients and it does not work. For some strange reasons clients says enroll.cisco.com timeout from DART logs. I tested that and I can successfully resolve enroll.cisco.com from the client and access posture portal manually from the client browser. But the Posture modules writes "No Policy Server Detected".</P><P>&nbsp;</P><P>It runs with Anyconnect 4.8 and ISE 2.6</P><P>&nbsp;</P><P>I activated both ip http and ip http secure on the switch.</P><P>&nbsp;</P><P>&nbsp;</P><P>My Redirect ACL on SW:</P><P>deny udp any bootpc any eq bootps</P><P>deny udp any any domain</P><P>deny ip any host PSN1</P><P>deny ip any host PSN2</P><P>permit tcp any any eq 80</P><P>&nbsp;</P><P>(I do not see any matches)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>From DART bundle:</P><P>&nbsp;</P><P>2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target 10.10.10.1.<BR />2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target ::.<BR />2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target enroll.cisco.com.<BR />2020/06/11 14:00:29 [Warning] aciseagent Function: ConfigData::loadXMLCfgFile Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\configdata.cpp Line: 46 Level: warn ISEPostureCFG.xml not found, using defaults.<BR />2020/06/11 14:00:29 [Warning] aciseagent Function: SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 750 Level: warn No previously connected headends found.<BR />2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1227 Level: debug Probing MNT stage targets (#1): Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .<BR />2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::probeNextMntTarget Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1456 Level: debug Probing Mnt stage Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery.</P> Sat, 13 Jun 2020 18:21:22 GMT https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102732#M561187 ISEduo 2020-06-13T18:21:22Z https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102765#M561188 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1059785">@ISEduo</a>&nbsp;,</P> <P>Since redirection is not happening on the switch, let's check a couple of things:</P> <OL> <LI>Do you have Dynamic-Author configured on the switch?</LI> <LI>Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ?</LI> <LI>Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)?</LI> </OL> <P>If you are able to resolve enroll.cisco.com, that's great. The way it will be used is that when the client sends a HTTP-GET request to enroll.cisco.com, it will be redirected by the switch, to the ISE IP.&nbsp;</P> Sat, 13 Jun 2020 20:23:06 GMT https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102765#M561188 Anurag Sharma 2020-06-13T20:23:06Z https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102767#M561189 <P>Hi Anurag,</P><P>&nbsp;</P><P>See my answers below.</P><P>&nbsp;</P><OL><LI>Do you have Dynamic-Author configured on the switch? <STRONG>Yes</STRONG></LI><LI>Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ? <STRONG>Yes, I do. I also see the session ID and URL for the portal.</STRONG></LI><LI>Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)? <STRONG>I dident test this.</STRONG></LI></OL><P>&nbsp;</P><P><STRONG>Thanks !</STRONG></P> Sat, 13 Jun 2020 20:50:05 GMT https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102767#M561189 ISEduo 2020-06-13T20:50:05Z https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102776#M561191 <P>Make sure the redirect ACL name is exactly the same as the one on the switch. Any typo, upper/lower-case mismatch can also be a problem.</P> Sat, 13 Jun 2020 21:33:18 GMT https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102776#M561191 Anurag Sharma 2020-06-13T21:33:18Z https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102784#M561192 <P>OK. Seems to be correct on both ends.</P><P>&nbsp;</P><P>Are these two lines mandatory for the switch?</P><P>&nbsp;</P><P>ip http active-session-modules none<BR />ip http secure-active-session-modules none</P> Sat, 13 Jun 2020 22:20:09 GMT https://community.cisco.com/t5/network-access-control/redirection-based-posture/m-p/4102784#M561192 ISEduo 2020-06-13T22:20:09Z