https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4834341#M581713 <P>Hi,</P> <P>it works?</P> Fri, 12 May 2023 13:10:26 GMT adrian.ciubotariu.lacatusu 2023-05-12T13:10:26Z https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4821379#M581367 <P>I'm helping a coworker set up posture assessment on ISE 3.1. Everything is configured but we are having trouble with the client provisioning/posture redirect.&nbsp; Does anyone have an example of a posture redirect ACL on an IOS switch, or can you point me to documentation with this information? I looked at the ISE 3.1 admin guide but didn't see anything specific on this, and I'm not sure if anything has changed since ISE 2.x.&nbsp; Thank you.</P> Tue, 25 Apr 2023 14:38:53 GMT https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4821379#M581367 ben.levin1 2023-04-25T14:38:53Z https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4821408#M581369 <P>For posture redirection on switch, you need to configure below rules:</P> <UL> <LI>Deny DNS traffic</LI> <LI>Deny DHCP traffic</LI> <LI>Deny traffic to ISE PSN on TCP 8443, 8905, 8909 (assuming you are using default ports on ISE for posture)</LI> <LI>Permit ip any any</LI> </UL> <P>Logic : On the switch, anything that is denied would be allowed and rest would be redirected. We have to allow DHCP, DNS and traffic to ISE, rest everything should be redirected.</P> <P>Also, ensure that https services are running on the switch. ("ip http server" and "ip http secure-server")</P> Tue, 25 Apr 2023 15:20:35 GMT https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4821408#M581369 Nancy Saini 2023-04-25T15:20:35Z https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4821508#M581373 <P>Thanks! We'll give that a shot.</P> Tue, 25 Apr 2023 17:34:44 GMT https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4821508#M581373 ben.levin1 2023-04-25T17:34:44Z https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4834341#M581713 <P>Hi,</P> <P>it works?</P> Fri, 12 May 2023 13:10:26 GMT https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4834341#M581713 adrian.ciubotariu.lacatusu 2023-05-12T13:10:26Z https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4839891#M581886 <P>Also, make sure the IP device tracking is working.</P> <P>Another way to define the ACLs is to use both url-redirect-acl and DACL. The url-redirect-acl is usually an ACL configured on the Cisco IOS switch. When we use it in combination with a DACL, the url-redirect-acl can be much simplified, e.g.,</P> <LI-CODE lang="c">ip access-list extended ISE-URL-REDIRECT 10 deny tcp any host 10.1.129.8 eq www 20 permit tcp any any eq www</LI-CODE> <P>Then, the DACL may have the following content, where 198.18.133.1 is the DNS server, 198.18.133.27 is the ISE server, and 198.18.0.0/16 represents the internal networks.</P> <LI-CODE lang="c">permit udp any host 198.18.133.1 eq domain permit tcp any host 198.18.133.27 eq 8443 permit tcp any host 198.18.133.27 eq 8905 permit tcp any host 198.18.133.27 eq 8084 deny ip any 198.18.0.0 0.0.255.255 permit ip any any</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 21 May 2023 23:36:43 GMT https://community.cisco.com/t5/network-access-control/ise-3-1-posture-redirect/m-p/4839891#M581886 hslai 2023-05-21T23:36:43Z