06-28-2019 08:01 AM
Hello,
In our environment we are using Meraki switches, and as they do not support DACLs or ACLs for posture redirection, we used the call home list in the AnyConnect configuration profile to let the endpoint reach the PSN. During redirection or before redirection, does the endpoint have access to all the resources in the network based on the VLAN configured on the connected switchport?
Thanks,
Aravind
Solved! Go to Solution.
06-29-2019 10:56 PM
https://community.meraki.com/t5/Switching/ISE-Posture-ACL/td-p/32853
That gives Change of Authorization with RADIUS (CoA) on MS Switches, which mentions,
Use Case URL Redirect Walled Garden (Supported on MS210/225/250/350/410/420/425)
By default, URL redirect is enabled with CoA. This can be used to redirect clients to a webpage for authentication. Before authentication, the client will have access to all HTTP resources. The walled garden can be used to limit access to the web server only. This feature will only be enabled if one or more supported switches are in the network. Configurations on this feature will be ignored by unsupported switches.
06-28-2019 08:55 AM
Meraki MS supports named ACL posture redirect. Suggest avoiding VLAN change pre/post posture if possible:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html
06-28-2019 09:10 AM
Hi Howon,
Thank you for your response. There is no place in the Meraki platform to define a named ACL specifically for posture redirection for wired switches. We are able to apply redirection only for wireless using group policies. I have already reached out to Meraki regarding this. Please do let me know if something has changed.
https://community.meraki.com/t5/Switching/ISE-Posture-ACL/td-p/32853
If we are using the call home list in ISE, is that going to restrict access to all other resources except the PSN nodes?
Thanks,
Aravind
06-28-2019 10:26 AM
06-28-2019 02:18 PM
Hi Jason,
06-28-2019 06:43 PM
07-02-2019 08:21 AM
Redirection for wireless guest is possible with Meraki, as ISE uses the Airespace ACL to apply the group policy for guest redirection. But in the case of wired switches, in the documentation provided or in the reference links there are no pointers or ways to create a named ACL for wired posture redirection. Please help.
Thanks,
Aravind.
07-02-2019 09:08 AM
Check my earlier response to this thread.
Please test it out yourself as the Meraki gears in our lab are not currently working.
07-02-2019 09:26 AM