04-08-2021 08:10 AM
ISE servers and network switches are not different segment.
For user PC to download compliance module via a redirect ACL.
Do we need to open port 80 between the Cisco switch and ISE for the user to download the compliance module?
When I place the Cisco switch and ISE server on the same VLAN, the user PC can download the compliance module, but when they are on different segments the user PC cannot.
Which ports are mandatory between the Cisco switch and the ISE server?
04-08-2021 08:29 AM - edited 04-08-2021 08:33 AM
Please see the following (specifically posture/provisioning section): Cisco Identity Services Engine Installation Guide, Release 2.7 - Cisco ISE Ports Reference [Cisco Identity Services Engine] - Cisco
This will cover all necessary ports required. HTH!
04-08-2021 10:23 PM
The port reference shows between ISE and NAD SPAN port 80/8080.
During redirect, does the switch try to communicate to ISE over 80 and in return get redirected to 8443?
04-09-2021 08:55 AM
During redirect, does the switch try to communicate to ISE over 80 and in return get redirected to 8443?
-Yes. The client 80/443 traffic should get redirected to 8443. When using url redirect you will see the following on a per client session basis if matching the respective authz profile to redirect them. If you issue a #show auth sess int <> detail (view server policy section):
HTH!
04-10-2021 03:58 AM
From the client segment we have permitted 80/8443 to ISE.
I would like to know: does the switch need access on port 80/8443 with ISE?
I have read that for redirect to work the switch mgmt SVI should have the ability to forward packets to the client machine.
Is this still relevant?
04-13-2021 10:55 AM
I would like to know: does the switch need access on port 80/8443 with ISE?
-AFAIK yes, via 8443. See below, which will better assist in understanding the workflows: