11-02-2018 03:08 PM
We are deploying 802.1X but are having issues with posture URL redirect. The client (Windows) never attempts the redirect. The session for the client on the switch has the correct DACL and URL address. We are able to browse to the URL from the client and get the page. The switch has no layer 3 (all VLANs are trunked to the core switches); we are using out-of-band management and this works fine for 802.1X.
I have enabled ip http server for both 80 and 443 on the switch.
Everything appears to be configured appropriately.
Any suggestions?
Joe
11-02-2018 05:29 PM
Please review ISE Posture Style Comparison for Pre and Post 2.2 - Cisco; especially its mention:
I would suggest you to try the ISE 2.2. new feature to perform ISE posture without relying on NAD to trigger redirects.
11-06-2018 06:02 AM - edited 11-06-2018 06:03 AM
I am attempting the method without any redirection. I have updated the Posture portal with a FQDN of cpp.csiweb.com. On the test device I have a host entry for that FQDN pointing to the ISE PSN. The portal is set for port 8443; I have allowed that in the DACL and removed the Redirect ACL and Portal Site Reference. This is where I am confused: should the Authorization policy reference the Portal and Posture URL without the redirect? As it is now, on the test device I cannot browse to https://cpp.csiweb.com:8443, although a ping results in the correct address resolution.
Please advise,
Thanks
Joe
11-06-2018 06:11 AM
The results should just be an Accept with any relevant DACL you want for the posture unknown state. You should be calling up http://cpp.csiweb.com in your browser, not https://cpp.csiweb.com:8443/.
Refer to this link:
It explains the process in great detail.
11-06-2018 06:28 AM
That is the document I am following; the DACL they utilize for no Redirect doesn't allow port 80 traffic, only port 8443. Please see the attachment. Our Client port is set up on port 8443. I would expect that with the DACL in the example you would be blocked going to http://cpp.csiweb.com?
Our ISE nodes are behind a firewall; we currently allow 8443 traffic to them for this purpose. If it needs to be 80 we can adjust, but I am confused by the DACL used.
Thanks,
Joe
11-06-2018 06:51 AM
11-06-2018 07:03 AM
Thanks for the clarification. I assume that the DACL will have to be modified to allow for port 80 traffic as well as the 8443 traffic?
Thanks,
Joe
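As an added illustration (not posted by anyone in this thread and not taken from the Cisco document referenced above), here is what a posture-unknown DACL that permits both the port 80 entry point and the 8443 portal port discussed above could look like. The PSN address 10.0.0.10 is a placeholder, and the DNS/DHCP entries are an assumption about what the client needs before it can reach the portal; they are not stated in the thread.

```text
remark Posture-unknown DACL (placeholder PSN 10.0.0.10)
remark DHCP and DNS so the client can get an address and resolve cpp.csiweb.com
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
remark Port 80 entry point that the client browses to first
permit tcp any host 10.0.0.10 eq 80
remark Client provisioning / posture portal port configured in ISE
permit tcp any host 10.0.0.10 eq 8443
remark Everything else is blocked until the endpoint is compliant
deny ip any any
```

The same two TCP ports have to be open on the firewall in front of the PSNs, since the thread notes that only 8443 is currently allowed there.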
11-06-2018 07:50 AM
05-22-2019 04:37 PM
@paul, you mentioned the following two options for accessing the CPP portal directly via FQDN: the full URL path, or letting ISE redirect to the full path; however, I am a bit confused.
For example, I have the MyDevices portal configured with a FQDN and my clients can access this portal directly from their browser by going to mydevices.company.com; there is no need to enter the full path to the portal or have ISE redirect. So why are clients unable to access the CPP with the FQDN?
05-23-2019 07:42 AM