We have an ISE 2.3 and Catalyst 9300. We are deploying posture in the wired network.
We have some VLANs behind a FW and others without a FW, but the redirection portal is not working. If I get the authentication session detail I can see the redirection URL, but it does not appear even when opening the browser. The only way to make this portal work is with a firewall rule from the endpoint to any on the high ports, and vice versa.
In the documentation we could find information about some ports like 8443, 8905 and 8909, no more.
When you are in the situation where the redirect isn't working automatically, try opening a browser and going to the ISE PSN URL https://ise-psn.company.com:8443. Does that show anything at all, or a timeout? If it times out, then your firewall policy is blocking the traffic. The firewall needs to allow traffic from the endpoints to the ISE PSNs on TCP 8443 and 8905 at a minimum. For testing, just allow traffic from the endpoints to the PSNs on any protocol and port.
If you can get to the PSN interface when you manually attempt with the browser, then the problem is likely with your redirect ACL. At a high level, the redirect ACL needs to deny traffic to DNS and the ISE PSNs. Then it should allow everything else, especially TCP 80 and 443. With a redirect ACL, a "deny" statement means you are denying redirection. A "permit" means to redirect this particular traffic. This seems backwards from a normal security ACL and does confuse most people at first. Check those things and let us know.
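As an added illustration of the redirect ACL described in the reply above (constructed example, not configuration posted by the original participants): an IOS-XE extended ACL for the Catalyst 9300 where "deny" excludes traffic from redirection and "permit" redirects it. The ACL name and the PSN address 192.0.2.10 are placeholders to be replaced with your own values.

```text
! Redirect ACL referenced by the ISE authorization profile.
! Semantics differ from a security ACL:
!   deny   = do NOT redirect this traffic (let it pass untouched)
!   permit = intercept this traffic and redirect it to the ISE portal
ip access-list extended ACL-POSTURE-REDIRECT
 remark --- traffic that must never be redirected ---
 deny   udp any any eq domain               ! DNS must resolve normally
 deny   ip  any host 192.0.2.10             ! placeholder: ISE PSN (repeat per PSN)
 remark --- web traffic that triggers the portal redirect ---
 permit tcp any any eq www                  ! TCP 80
 permit tcp any any eq 443                  ! TCP 443
! Everything not matched falls to the implicit deny, i.e. it is not redirected.
```

Verify which ACL the switch actually applied to the session with `show access-session interface <intf> details` and check that the "URL Redirect ACL" shown there matches this name.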
Thanks for your reply. We have already allowed the communication between endpoints and PSN using these ports, but even opening the browser does not work. We have to type the whole URL from the switch to get the option to download the agent. We will install the agent using SCCM, but my concern is that sometimes in the agent we receive the warning "no policy server detected". But all works when I open the high ports in the firewall.
If you are expecting the redirect to work and to get the posture module to the correct PSN, being behind a FW is a challenge. If the switch the user is connected to does not have an IP address in the same VLAN as the user, the switch uses its routing table to issue the SYN ACK for the redirection, and the FW would usually drop it due to asymmetric routing. By adding the high ports in you are probably making it work, although I am not sure why your FW would be allowing asymmetric traffic.
As a test, try putting a VLAN interface on the switch in the same VLAN as the client with an IP in that VLAN. Put a deny ip any any ACL on that interface. I bet you will see it work just fine without the FW rule.
You don't need to use redirection. You can use the call home list to give the posture module the list of PSN FQDNs to talk to.