326 Views · 0 Helpful · 5 Replies

Client Provision redirection not working automatically

Danny Dulin
Level 1

Hello everyone!

When I connect to my VPN headend (FTD 7.2.9), I make it through authentication and authorization. ISE recognizes my host as "Posture Unknown", but the redirection to the Client Provisioning Portal does not pop up automatically. If I open a browser and navigate to an HTTP site, the redirect works.

I know that DNS is working properly on ISE and FTD.

Packet capture shows the host never attempts to access an HTTP site over my VPN tunnel, which I suppose is the reason the automatic redirect doesn't work.

I have added an IP of a host after my default gateway.

The redirection ACL exempts DNS, DHCP and ISE from redirection and permits all else.

Any help will be greatly appreciated.


5 Replies

Why 7.2 and not 7.4 or 7.6?

Can you post a screenshot of your re-direct ACL? Does the name of that ACL match exactly with what's on the ISE authz policy? Does the client already have the ISE Posture module?

What is the use-case? Why not handle posture through a SAML flow instead? Or use an MDM?

Thank you for your response.

Re: 7.2 - One of the FTDs we manage (4110) can't go beyond 7.2. So for consistency's sake, we stay at the same version for all the other FTDs including the VPN headend.

See attached for Re-direct ACL and Name matching of Re-Direct ACL. Yes, names match exactly.
In this testing scenario, client does not have the posture module loaded. 

Use case: to ensure no employee loads the VPN client on their personal computer and then connects to our network. It is more about network access than managing compliance. We do have a tool to manage compliance, but we want to ensure network access is not permitted if a host is not compliant.

Accepted Solution

And what are the contents of that dACL?

How does the behavior change if the client pre-installs the ISE Posture module?

Yeah, I get that, but an FMC running newer software can still manage 7.2 firewalls. This would then allow you to upgrade your newer firewalls to later versions to get many new features.

There are much better ways to solve this imo than using ISE Posture. Why not use Certificate + SAML auth for that? Or even DAP? 

dACL
permit udp any any eq domain
permit ip any host ISE Node
permit tcp any any eq www
permit tcp any any eq 443

If we pre-install the ISE Posture module, we don't need to worry about the redirect. At this point, the posture module can access ISE and determine compliance.

I hear ya with FW upgrades. Something to consider.

Our organization doesn't manage a SAML auth system. Cert requires a PKI, which is something we're trying to avoid since we're only trying to keep out devices that aren't joined to the domain.


Thank you for the DAP tip. It opens a whole new world. To include not paying for a posturing license on ISE.
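For reference, here is an added example (not the original poster's configuration, and not taken from the attached screenshot) of how the two ACLs involved in an ISE posture redirect on an ASA/FTD VPN headend are usually laid out side by side, in the form they appear in the running configuration (on FTD the redirect ACL is built as an extended ACL object in FMC, and the dACL lives on ISE). The two ACLs are evaluated differently, which is the point worth checking: on the redirect ACL, deny means "do not redirect this traffic" and permit means "redirect it", whereas the dACL is an ordinary filter with an implicit deny at the end that decides what the "Posture Unknown" host may reach at all. The ACL name ISE-REDIRECT and the ISE PSN address 192.0.2.10 are placeholders.

```text
! Redirect ACL on the VPN headend. The name must match the Web Redirection
! ACL field in the ISE authorization profile exactly (ISE-REDIRECT is a placeholder).
! deny  = traffic that bypasses the redirect (DNS, DHCP, the ISE PSN itself)
! permit = traffic the headend intercepts and redirects to the CPP
access-list ISE-REDIRECT extended deny udp any any eq domain
access-list ISE-REDIRECT extended deny udp any any eq bootps
access-list ISE-REDIRECT extended deny udp any any eq bootpc
! 192.0.2.10 stands in for the ISE Policy Service Node
access-list ISE-REDIRECT extended deny ip any host 192.0.2.10
access-list ISE-REDIRECT extended permit tcp any any eq www
access-list ISE-REDIRECT extended permit tcp any any eq https

! Pre-posture dACL pushed by ISE with the "Posture Unknown" authorization.
! This is a normal filter: everything not listed is dropped by the implicit deny,
! so the host can resolve names, talk to ISE and generate the web flows that
! the redirect ACL above will intercept, and nothing else until it is compliant.
permit udp any any eq domain
permit ip any host 192.0.2.10
permit tcp any any eq www
permit tcp any any eq 443
```

Two practical checks follow from this layout. First, the redirect only fires on a flow the client actually sends that matches a permit line in the redirect ACL; if the endpoint generates no HTTP or HTTPS traffic after the tunnel comes up (as the packet capture in the original post shows), there is nothing for the headend to intercept, and opening a browser to an HTTP site is what supplies that flow. Second, the ISE PSN must appear as a deny line in the redirect ACL and a permit line in the dACL; if it is missing from either, the Client Provisioning Portal itself becomes unreachable or gets redirected in a loop.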