https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4553339#M572815 <P>No, also this one must be created automatically when authentication started</P> Wed, 16 Feb 2022 08:19:07 GMT Rovshan91 2022-02-16T08:19:07Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4551686#M572765 <P>Hello everybody. A have interesting problem. I have a rule on my cisco ise , that sends you&nbsp; to the portal and checks is there anyconnect and antivirus on your pc, after it&nbsp; gives you your vlan.</P><P>&nbsp;</P><P>&nbsp;I have same config on 2 difference switches&nbsp;</P><P>&nbsp;</P><P>&nbsp;C9200-48T&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;16.12.3a&nbsp; &nbsp; &nbsp;&nbsp;CAT9K_LITE_IOSXE</P><P>&nbsp;WS-C2960L-48TS-LL&nbsp; 15.2(7)E3&nbsp; &nbsp;C2960L-UNIVERSALK9-M</P><P>&nbsp;</P><P>and it unfortunately works in second one ( 2960 lite) but didn`t work on C9200</P><P>&nbsp;</P><P>The only thing that i found strange that c9200 didn`t automatically&nbsp; create acl (Auth-Default-ACL-OPEN)&nbsp; but he must to do it so reauth works. (also 2960l do this thing)</P><P>&nbsp;</P><P>Extended IP access list Auth-Default-ACL-OPEN<BR />10 permit ip any any</P><P>&nbsp;</P><P>&nbsp;</P><P>Config example</P><P>&nbsp;</P><P>ip access-list extended CISCO-CWA-URL-REDIRECT-ACL</P><P>10 deny udp any any eq domain<BR />20 deny tcp any any eq domain<BR />30 deny udp any eq bootps any<BR />40 deny udp any any eq bootpc<BR />50 deny udp any eq bootpc any<BR />60 deny tcp any any eq 8443<BR />70 deny udp any any eq 8443<BR />80 permit tcp any any eq domain<BR />90 permit tcp any any eq www<BR />authentication command bounce-port ignore<BR />authentication command disable-port ignore</P><P>&nbsp;</P><P>aaa server radius dynamic-author<BR />client *.*.*.*</P><P>server-key xxxxxxxxxxx<BR />auth-type all<BR />ignore session-key<BR />ignore server-key</P><P>&nbsp;</P><P>The ony thing that i found&nbsp;</P><P>&nbsp;</P> Mon, 14 Feb 2022 07:12:23 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4551686#M572765 Rovshan91 2022-02-14T07:12:23Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4552088#M572776 <P>I don't believe you would need that ACL to get this to work, I think in this case the CoA would be the key factory to trigger the reauthentication. Probably the 9200 switch is not configured correctly for the CoA? or maybe has some wrong CoA configs on ISE?</P> Mon, 14 Feb 2022 17:48:57 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4552088#M572776 Aref Alsouqi 2022-02-14T17:48:57Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4552452#M572781 <P>Without this acl 90% of&nbsp; traffic is blocked + same config works on&nbsp;&nbsp;WS-C2960L-48TS-LL, only difference is this acl&nbsp;</P> Tue, 15 Feb 2022 05:39:54 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4552452#M572781 Rovshan91 2022-02-15T05:39:54Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4552574#M572783 <P>Are there any other ACLs applied to the switch ports by default?</P> Tue, 15 Feb 2022 09:44:54 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4552574#M572783 Aref Alsouqi 2022-02-15T09:44:54Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4553339#M572815 <P>No, also this one must be created automatically when authentication started</P> Wed, 16 Feb 2022 08:19:07 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-after-antivirus-check/m-p/4553339#M572815 Rovshan91 2022-02-16T08:19:07Z