topic Re: ISE posture ACL in Network Access Control

ISE posture ACL

Turki.A.Baqatada — Sun, 27 Jul 2025 18:28:43 GMT

I am configuring wired posture with web redirect and everything looks good even endpoints got the url acl but there is still access to cisco ise which i denied in url acl then i found also taking the default permit acl in the switch so when i denied ip any any fixed the ise access but still no redirect happens and also pc not able to get an ip

So my question do i have to add some lines in the default acl to permit some ports and hosts if so could you please mention that to fix web redirection

Thanks in advance

Re: ISE posture ACL

Rob Ingram — Sun, 27 Jul 2025 18:40:45 GMT

@Turki.A.Baqatada you use Redirection ACL for Client Provisioning , Central Web Authentication , and Posture Discovery and a DACL is used to limit Network Access to only the required resources and is applied only to non redirected Traffic.

https://community.cisco.com/t5/security-knowledge-base/configuring-posture-services-with-the-cisco-identity-services/ta-p/3154278

Re: ISE posture ACL

MHM Cisco World — Sun, 27 Jul 2025 18:42:14 GMT

Redirect ACL need to be

Deny from and to ISE IP

Permit IP any any in end

MHM

Re: ISE posture ACL

Ambuj M — Mon, 28 Jul 2025 02:28:34 GMT

"no redirect happens and also pc not able to get an ip"
you can not expect a redirect without an IP on PC, so fix DHCP issue first, then DNS (essential for redirect to work, unless you are using static IP for redirect URL), follow the ACL in link refereed by Rob

Re: ISE posture ACL

Turki.A.Baqatada — Mon, 28 Jul 2025 06:24:26 GMT

Thanks @Ambuj M yes I know that and i am asking what is the best DACL that will fix issue becuse it is working with default ACL which permit any any and redirect happens i tried to fix it by deny and i got another which no ip assignment

Re: ISE posture ACL

Turki.A.Baqatada — Mon, 28 Jul 2025 06:26:18 GMT

Thanks @Rob Ingram I will try this 👍

Re: ISE posture ACL

Turki.A.Baqatada — Tue, 29 Jul 2025 06:34:08 GMT

Actually I have 2 ACLs needs to be configured

1- ACL configured in the switch that allow access to ISE to authenticate

2- URL ACL which I deny access to ISE and permit 80 443

If thats right what should both ACLs contain lines

Re: ISE posture ACL

MHM Cisco World — Tue, 29 Jul 2025 08:32:01 GMT

Most engineer confuse here

There are indeed two ACL

Pre auth ACL.

Allow traffic to dhcp/dns/https to ISE

Redirect ACL (this not real acl' but it use to inform SW if you see this traffic redirect to ISE)

Deny traffic to ISE

Permit any any https/http

MHM

Re: ISE posture ACL

Rob Ingram — Tue, 29 Jul 2025 10:26:03 GMT

@Turki.A.Baqatada the following screenshot from the Cisco guides, this is a good illustration of the configuration of the redirect ACL and the DACL.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html