Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


CWA Client Provisioning Redirect not being triggered - Cisco ISE 3.0 AnyConnect Posture

Dear community, 


I am working on deploying AnyConnect Agent Posture with Cisco ISE 3.0. The configurations I have done so far are as following: 

1. ISE

  - Client Provisioning Resources, Portal and Policy. Usecase: AnyConnect Download when User Open a Browser, so that it redirects to Client Provisioning portal for AnyConnect Downoad. 

  - AUTHZ configured for POSTURE, with a ACL_REDIRECT(same as in the switch). Meanwhile prior to that, DACL is configured in the same AUTHZ for access limitation prior to applying the ACL_REDIRECT on the switch port. 

  - Policy set for Posture Unknown, Compliant and NotCompliant Posture. 


2. Switch is configured with the http and https secure commands, and the ACL_REDIRECT which redirects traffic of http and https. Also device tracking is enabled on the switch, this because I read that its required for CWA redirects. 


3. Supplicant is able to successfully Authenticate via EAP-TLS 

When I log in to the supplicant, The Posture Process gets triggers and the live logs show Pending Status. and the DACL downloaded. In live logs details of that event I also see the redirect URL.  I open a Browser, but the redirect to the portal does not happen. The Flow gets stuck to the Pending Status and it fails to MAB after that. 


So my question at this point is, why is not the redirect not being triggered? 


The really wired issue that I have noted in switch is that even though the DACL is being successfully downloaded. when I run the "show authentication session int fx/x" it only tells details such as ip address of the supplicant, AuthC and AuthZ status, but does not show the Server Policy details such as DACL or the Redirect URL. The switch is Catalyst 2960 series. Do you guys know why these details are not showing on the Switch Console when I run that command, but in live log details of that event attributes it shows the redirect url and dacl. Also in this case, the redirect still not happening!


Do you guys have and idea how to further troubleshoot this problem? Any thoughts or suggestions would be highly appreciated. 


TAC case is opened however, due to urgency, I am trying to find a solution ASAP. Will let you know if any updates come from TAC.


Looking forward to hearing from you.

Thank you,



Hi all, 


Turns out that the switch version did not support the URL Redirect. It must be 15.0 or higher. 


Hope it helps someone. 




Content for Community-Ad