There is a client provisioning policy defined for all version of this OS this machine is running.

I see that this client is reported as Microsoft-Workstation, so that is normal, right? If I wanted to check what OS this client is running, where I can I check that?

Also, I will run the DART and see what I get from it output.

Do you get redirected with the browser? I would confirm redirect to the client provisioning portal first before any further troubleshooting. This can happen in two ways if you are leveraging HP switch capability. Either you can send down URL-Redirect string via RADIUS (Most of Cisco devices supports this) or you have to statically define the URL string on the HP switch web auth portal settings (Most of 3rd party devices falls in to this category).

Your ACL is way to big unless you are planning to actually use the client provisioning portal to install the AnyConnect software (I wouldn't recommend it).

The only thing you need to redirect is port 80 to enroll.cisco.com (72.163.1.80) or port 80 to the default gateway.  On Cisco devices I use the 10.0.0.1 0.255.255.0 masking to get the default gateway, but enroll.cisco.com works.  As Howan suggested you can validate redirection is working by pulling up a web browser and going to http://enroll.cisco.com.

I have observed this behavior, when I type in any of the website or even IP address like 1.1.1.1

There is nothing on the browser, the browser will just sit there...

But, if enter the IP address or the URL to ISE server, I am presented with the redirection page!

Is this something with the switch? Is the switch not able to intercept any of the DNS requests that I am sending from the browser?

The reason ACL is so big, is because that is the we will be using in the production when we go live.

We are not planning on using the redirection for client provisioning, but would like to keep this function in those cases if an endpoint does not have a client or posture module, then should be able to download and connect to the corporate network.

I did some more testing with the user and his test endpoint and here are the observations:

1. When the user connects, the ACL and redirection URL are pushed to switch from ISE

2.  Now user opens a browser and enters times.com. nothing happens, enters, 1.1.1.1 nothing happens

3. So, I manually copy and paste the above URL in the browser nothing happens

4. I replace the DNS name of the ISE server with IP address, voila! I am presented with the redirection page!

Now the question is that, is the switch not able to intercept the requests that are being sent from the browser to the outer world?

I am not sure if that is an issue over that site, since from my site I am able to resolve to that ISE address.

I will test it from his site, using another computer that is not connected to a dot1x port.

It seems that it was not a DNS issue after-all, and something different. Here are some of my observations regarding the issue:

White testing I observed something really peculiar, ISE we define the attribute to carry the redirection URL in the network device profile, here:

When I use attribute, H3C-Web-URL, I see that the URL does get pushed to the switch in the authorization URL part, but then endpoints is just not able to communicate with DNS at all.

But, if I enter the URL directly in the browser, its take me to login page from Cisco without any issues. The other side effect of this is the posture scan stops, working as AnyConnect client is unable to find ISE server.

But, I remove the attribute H3C-Web-URL and use, HPE-Captive-Portal-URL instead, there is no URL pushed for redirection. But, posture works just fine.

I am not sure about this behavior, if its from ISE, the NAD profile or if the switch stops processing any DNS requests when it sees the URL pushed.

While testing, we tweaked the posture redirect ACL: 

rule 0 permit udp destination-port eq bootps
rule 5 permit udp destination-port eq bootpc
rule 10 permit udp destination-port eq dns
rule 15 permit ip destination 10.24.213.108 0

Post this change I was able to get to the redirection page fine.

But, then I hit another, the user goes through the detecting AnyConnect and then get to a page where it asks, to download the AnyConnect posture module.

Clicking the download, like I just get a blank page instead of downloading the agent.

I am starting a new thread to work on it.

Yes, I do agree with you! But, the client here is not ready for that approach, there is need to for the cases where, users do not have it installed or if the user is working from remote location where they are not able to contact any of our admins.

So, that is why we are trying to get this working on HP switch as well, as there are few of the sites where we have like hundreds of HP switches.