https://community.cisco.com/t5/wireless/ise-2-0-blackhole-blacklist-wireless-access-redirect-not-working/m-p/2882857#M11936 <P>Hi there,</P> <P>On&nbsp;ISE 2.0 I have wireless authentication policy which assigns devices in Blacklist identity group this&nbsp;authorization profile:</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = url-redirect-acl=BLACKHOLE<BR />cisco-av-pair = url-redirect=<A href="https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9" target="_blank">https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9</A></P> <P>There is&nbsp;<SPAN>BLACKHOLE ACL on the WLC allowing access to DNS and ISE only.&nbsp;</SPAN></P> <P>Now, the client in Blacklist group hits the rule (I can see it in Radius Livelog) but is not redirected and continues having access to the whole network.</P> <P>If I troubleshoot the endpoint,&nbsp;I can see it resolves correctly the i<SPAN>p:port in the redirect URL (x.x.x.x:8444) and creates&nbsp;Airespace-ACL-Name =&nbsp;BLACKHOLE but somehow doesn't apply them. The URL <A href="https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9" target="_blank">https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9</A> is set up on the ISE as Blacklist portal and is fine. </SPAN></P> <P><SPAN>What is going on?</SPAN></P> <P><SPAN>I have a similar redirect for Guest access and it works OK.</SPAN></P> <P><SPAN>Many thanks</SPAN></P> <P><SPAN>Pavel</SPAN></P> Mon, 05 Jul 2021 12:11:13 GMT pjiracek 2021-07-05T12:11:13Z https://community.cisco.com/t5/wireless/ise-2-0-blackhole-blacklist-wireless-access-redirect-not-working/m-p/2882857#M11936 <P>Hi there,</P> <P>On&nbsp;ISE 2.0 I have wireless authentication policy which assigns devices in Blacklist identity group this&nbsp;authorization profile:</P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = url-redirect-acl=BLACKHOLE<BR />cisco-av-pair = url-redirect=<A href="https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9" target="_blank">https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9</A></P> <P>There is&nbsp;<SPAN>BLACKHOLE ACL on the WLC allowing access to DNS and ISE only.&nbsp;</SPAN></P> <P>Now, the client in Blacklist group hits the rule (I can see it in Radius Livelog) but is not redirected and continues having access to the whole network.</P> <P>If I troubleshoot the endpoint,&nbsp;I can see it resolves correctly the i<SPAN>p:port in the redirect URL (x.x.x.x:8444) and creates&nbsp;Airespace-ACL-Name =&nbsp;BLACKHOLE but somehow doesn't apply them. The URL <A href="https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9" target="_blank">https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9</A> is set up on the ISE as Blacklist portal and is fine. </SPAN></P> <P><SPAN>What is going on?</SPAN></P> <P><SPAN>I have a similar redirect for Guest access and it works OK.</SPAN></P> <P><SPAN>Many thanks</SPAN></P> <P><SPAN>Pavel</SPAN></P> Mon, 05 Jul 2021 12:11:13 GMT https://community.cisco.com/t5/wireless/ise-2-0-blackhole-blacklist-wireless-access-redirect-not-working/m-p/2882857#M11936 pjiracek 2021-07-05T12:11:13Z https://community.cisco.com/t5/wireless/ise-2-0-blackhole-blacklist-wireless-access-redirect-not-working/m-p/2882858#M11937 <P>I got this working without using an Airespace ACL. &nbsp;Mine looks like this:</P> <P></P> <P>Access Type = ACCESS_ACCEPT<BR />cisco-av-pair = url-redirect=https://10.40.2.111:port/blacklistportal/gateway?portal=0eed9e80-6d90-11e5-978e-005056bf2f0a<BR />cisco-av-pair = url-redirect-acl=BLACKHOLE</P> Mon, 30 Jan 2017 22:57:30 GMT https://community.cisco.com/t5/wireless/ise-2-0-blackhole-blacklist-wireless-access-redirect-not-working/m-p/2882858#M11937 sjarchung 2017-01-30T22:57:30Z