ISE Posture Call Home List

aravikumar
Level 1

Hello,

 

In our environment we are using Meraki switches, and as they do not support DACLs or ACLs for posture redirection, we used the call home list in the AnyConnect configuration profile to let the endpoint reach the PSN. During redirection or before redirection, does the endpoint have access to all the resources in the network based on the VLAN configured on the connected switchport?

 

Thanks,

 

Aravind

Accepted Solutions


https://community.meraki.com/t5/Switching/ISE-Posture-ACL/td-p/32853


That gives Change of Authorization with RADIUS (CoA) on MS Switches, which mentions,

Use Case URL Redirect Walled Garden (Supported on MS210/225/250/350/410/420/425)
By default, URL redirect is enabled with CoA.  This can be used to redirect clients to a webpage for authentication.  Before authentication, the client will have access to all HTTP resources.  The walled garden can be used to limit access to the web server only.  This feature will only be enabled if one or more supported switches are in the network.  Configurations on this feature will be ignored by unsupported switches.

 


9 Replies

howon
Cisco Employee

Meraki MS supports named ACL posture redirect. Suggest avoiding VLAN change pre/post posture if possible:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html

 

Hi Howon,

Thank you for your response. There is no place in the Meraki platform to define a named ACL specifically for posture redirection for wired switches. We are able to apply redirection only for wireless using group policies. I have already reached out to Meraki regarding this. Please do let me know if something has changed.

 

https://community.meraki.com/t5/Switching/ISE-Posture-ACL/td-p/32853

 

If we are using the call home list in ISE, is that going to restrict access to all other resources except PSN nodes?

 

Thanks,

 

Aravind

 



Hi Jason,

 

The document provided does not say anything about configuring a named ACL for redirection in wired switches for posture redirection. It just mentions "wired CWA".
 
Thanks,
 
Aravind.

Redirect for guest is the same as redirect for posture.

Redirection for wireless guest is possible with Meraki, as ISE uses the Airespace ACL to apply the group policy for guest redirection. But in the case of wired switches, in the documentation provided or in the reference links, there are no pointers or ways to create a named ACL for wired posture redirection. Please help.

 

Thanks,

 

Aravind.

Check my earlier response to this thread.

Please test it out yourself, as the Meraki gear in our lab is not currently working.

Please reach out to Meraki.