ISE Wired posture problem in redirect

Claudio L. de Matos Jr — Mon, 31 May 2021 23:24:14 GMT

Hi guys,

I'm doing a lab ISE/Posture to homologation for our customer, I'm having trouble redirecting the posture provisioning portal, when I manually install the anyconnect posture module and add the .xml file in the "ISE Posture" folder, it worked.

Could you help me please???

- ISE Version 2.4/Patch 14

- Anyconnect/NAM/Posture Version 4.9.04053

- Switch C3650 Version 16.12.1

show run

SW_C3650#show run
Building configuration...

Current configuration : 13034 bytes
!
! Last configuration change at 21:19:41 UTC Mon May 31 2021 by admin
!
version 16.12
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform punt-keepalive disable-kernel-core
!
hostname SW_C3650
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 9 $9$uYD0YKDDx80j5E$.Q1sxBhvnx63k53r.wy9dU8i8ZPTllB9C9n3Q02/PWY
!
aaa new-model
!
!
aaa group server radius GP_RADIUS
server name ISE
!
aaa authentication dot1x default group GP_RADIUS
aaa authorization network default group GP_RADIUS
aaa authorization auth-proxy default group GP_RADIUS
aaa accounting update newinfo periodic 1440
aaa accounting network default start-stop group GP_RADIUS
aaa accounting system default start-stop group GP_RADIUS
!
!
!
!
!
aaa server radius dynamic-author
client 172.16.0.12 server-key cisco123
!
aaa session-id common
switch 1 provision ws-c3650-24ps
!
!
!
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
ip routing
!
!
!
!
!
ip domain name lab.local
ip dhcp excluded-address 172.16.0.1 172.16.0.100
ip dhcp excluded-address 172.16.1.1 172.16.1.100
!
ip dhcp pool VLAN11
network 172.16.0.0 255.255.255.0
default-router 172.16.0.158
dns-server 172.16.0.10
domain-name abc.local
!
ip dhcp pool VLAN12
network 172.16.1.0 255.255.255.0
default-router 172.16.1.158
dns-server 172.16.0.10
domain-name abc.local
!
!
!
login on-success log
!
!
!
!
!
!
device-sensor filter-list dhcp list DSENSOR_DHCP
option name domain-name-servers
option name host-name
option name domain-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list DSENSOR_LLDP
tlv name system-name
tlv name system-description
tlv name system-capabilities
tlv name management-address
!
device-sensor filter-list cdp list DSENSOR_CDP
tlv name device-name
tlv name address-type
tlv name port-id-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
tlv name duplex-type
tlv number 34
device-sensor filter-spec dhcp include list DSENSOR_DHCP
device-sensor filter-spec lldp include list DSENSOR_LLDP
device-sensor filter-spec cdp include list DSENSOR_CDP
device-sensor accounting
device-sensor notify all-changes
!
!
epm logging
authentication mac-move permit
no device-tracking logging theft
device-tracking policy TRACKING
prefix-glean
no protocol ndp
no protocol dhcp6
no protocol udp
tracking enable
!
!
dot1x system-auth-control
dot1x critical eapol
license boot level ipservicesk9
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 79475
!
username admin privilege 15 secret 9 $9$6OQYWT7M/bNVhU$8doFFwVZ.fnC01bMAd7BXUjp9vaNWPgEVu63yEh2bkk
!
redundancy
mode sso
!
!
!
!
!
transceiver type all
monitoring
lldp run
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 172.16.14.159 255.255.255.0
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
device-tracking attach-policy TRACKING
ip access-group PRE_AUTHE in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan11
ip address 172.16.0.158 255.255.255.0
!
interface Vlan12
ip address 172.16.1.158 255.255.255.0
!
interface Vlan14
ip address 172.16.14.158 255.255.255.0
!
interface Vlan15
ip address 172.16.15.2 255.255.255.0
!
interface Vlan99
ip address 192.168.77.158 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip route 0.0.0.0 0.0.0.0 172.16.15.1
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.14.158
!
!
ip access-list extended PRE_AUTHE
10 permit udp any any eq bootps
20 permit udp any any eq bootpc
30 permit udp any any eq domain
40 permit ip any host 172.16.0.12
50 permit ip any host 172.16.0.10
60 deny ip any any
ip access-list extended UNKNOWN
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny ip any host 172.16.0.12
50 permit ip any any
!
ip radius source-interface Vlan11
ip access-list standard 1
10 permit any
ip access-list standard 2
10 deny any
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 30 tries 15
radius-server retransmit 5
radius-server timeout 7
radius-server deadtime 30
!
radius server ISE
address ipv4 172.16.0.12 auth-port 1645 acct-port 1646
key cisco123
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login authentication LOCAL
line vty 5 15
login authentication LOCAL
!
!
mac address-table notification change

===================================================

SW_C3650#show authentication sessions interface gigabitEthernet 1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1B57FDDD
MAC Address: 18d6.c71f.196e
IPv6 Address: Unknown
IPv4 Address: 172.16.1.101
User-Name: user01
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: AC10009E0000000DC4812006
Acct Session ID: Unknown
Handle: 0x11000003
Current Policy: POLICY_Gi1/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Vlan Group: Vlan: 12
URL Redirect ACL: UNKNOWN
URL Redirect: https://lab-ise001.abc.local:8443/portal/gateway?sessionId=AC10009E0000000DC4812006&portal=40f01bd0-2e02-11e8-ba71-005056872c7f&action=cpp&token=0307268d7ed20b2d3597a92cff9fed0f
ACS ACL: xACSACLx-IP-DACL_UNKNOWN-60b3ca7a

Method status list:
Method State
dot1x Authc Success

SW_C3650#

SW_C3650#show ip access-lists UNKNOWN

Extended IP access list UNKNOWN
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny ip any host 172.16.0.12
50 permit ip any any
SW_C3650#

SW_C3650#show ip access-lists xACSACLx-IP-DACL_UNKNOWN-60b3ca7a
Extended IP access list xACSACLx-IP-DACL_UNKNOWN-60b3ca7a
1 permit udp any any eq domain
2 permit udp any any eq bootps
3 permit udp any any eq bootpc
5 permit ip any host 172.16.0.12
7 deny icmp any host 172.16.0.10
8 deny ip any any
SW_C3650#

Re: ISE Wired posture problem in redirect

Greg Gibbs — Mon, 31 May 2021 23:44:28 GMT

There are a number of variables with Posture, so the switch configuration would not be enough information to provide guidance. As a starting point, I would suggest you review the following guides and compare them to your lab setup.

ISE Posture Style Comparison for Pre and Post 2.2

ISE Posture Prescriptive Deployment Guide

There are also some LabMinutes videos that walk through the redirect-based Posture flow in ISE 2.2:

https://www.labminutes.com/video/sec/ISE

topic Re: ISE Wired posture problem in redirect in Network Access Control

ISE Wired posture problem in redirect

Re: ISE Wired posture problem in redirect