06-24-2012 02:00 PM - edited 03-10-2019 07:13 PM
Hello,
I'm trying to configure Posture Remediation, however I'm not getting the redirect URL when the user is not compliant. Instead I get a "Windows Cannot Connect you to the network" after I authenticate if I have the supplicant enabled on my Windows Test Machine.
I also see the following events on the debug radius
Jun 24 20:35:43.762: %EPM-6-AAA: POLICY xACSACLx-IP-POSTURE_REMEDIATION-4fe0538d| EVENT DOWNLOAD-FAIL
Jun 24 20:35:43.762: %EPM-4-POLICY_APP_FAILURE: IP 0.0.0.0| MAC c80a.a96e.367c| AuditSessionID AC101065000000CA9F843C74| AUTHTYPE DOT1X| POLICY_TYPE dACL| POLICY_NAME xACSACLx-IP-POSTURE_REMEDIATION-4fe0538d| RESULT FAILURE| REASON AAA download failure
If I have the supplicant disabled I don't get any error messages on the PC (and I can browse just fine, which I think I shouldn't be able to) but I get similar debugs on the switch.
Relevant Switch Config:
RFNET-R1-P-SW1#sh run int gi 1/0/36
Building configuration...
Current configuration : 456 bytes
!
interface GigabitEthernet1/0/36
switchport access vlan 214
switchport mode access
switchport nonegotiate
switchport voice vlan 221
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
storm-control broadcast level 30.00
storm-control multicast level 30.00
storm-control action trap
spanning-tree portfast
end
RFNET-R1-P-SW1#sh run | inc aaa
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec AUTH_LIST local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common
RFNET-R1-P-SW1#sh run | inc radisus
RFNET-R1-P-SW1#sh run | inc radius
RFNET-R1-P-SW1#sh run | inc radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
ip radius source-interface Vlan216
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 172.16.10.50 auth-port 1812 acct-port 1813
radius-server key 7 02050D4808095E731F
radius-server vsa send accounting
radius-server vsa send authentication
Extended IP access list ACL-POSTURE-REDIRECT
5 deny udp any any eq domain
10 deny udp any host 172.16.10.50 eq 8905
20 deny udp any host 172.16.10.50 eq 8906
30 deny tcp any host 172.16.10.50 eq 8443
40 deny tcp any host 172.16.10.50 eq 8905
50 deny tcp any host 74.217.77.52
60 permit ip any any (2 matches)
If somebody could take a look at the debugs and give me some hints about what's going on, I would appreciate it.
I have attached both debugs.
Thanks.
06-24-2012 02:15 PM
Found it... I had a typo on the dACL.
Thanks anyways.
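The two %EPM lines in the opening post say exactly where to look: the switch asked the RADIUS server for the dACL named in the Authorization Profile and could not install what came back, so the session was left without it. The fix in this thread was a typo in the dACL body on ISE. The following script is an added example (mine, not from the thread or from Cisco) that does the two checks a practitioner wants here: it pulls the dACL download failures out of a captured switch log, and it lints a dACL body the way the switch will parse it, so a misspelled keyword or a malformed host entry is caught before the profile is pushed. The log lines are the ones quoted above plus one constructed unrelated line; the two dACL bodies are constructed, with the typos in the second one invented to illustrate the failure mode.

```python
import ipaddress
import re

ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

# %EPM-<severity>-<mnemonic>: KEY value| KEY value| ...
EPM_RE = re.compile(r"%EPM-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$")


def parse_epm(line):
    """Turn one %EPM syslog line into a dict of its pipe-separated 'KEY value' fields."""
    m = EPM_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "mnemonic": m.group("mnemonic")}
    for part in m.group("body").split("|"):
        key, _, value = part.strip().partition(" ")
        if key:
            rec[key] = value.strip()
    return rec


def failed_dacl_downloads(lines):
    """Return (session id, dACL name, reason) for every dACL the switch could not install."""
    hits = []
    for line in lines:
        rec = parse_epm(line)
        if not rec:
            continue
        if rec["mnemonic"] == "POLICY_APP_FAILURE" and rec.get("POLICY_TYPE") == "dACL":
            hits.append((rec.get("AuditSessionID"), rec.get("POLICY_NAME"), rec.get("REASON")))
        elif rec["mnemonic"] == "AAA" and rec.get("EVENT") == "DOWNLOAD-FAIL":
            hits.append((None, rec.get("POLICY"), "DOWNLOAD-FAIL"))
    return hits


def _take_address(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return the next index."""
    if tokens[i] == "any":
        return i + 1
    if tokens[i] == "host":
        ipaddress.IPv4Address(tokens[i + 1])  # raises ValueError on a malformed address
        return i + 2
    ipaddress.IPv4Address(tokens[i])
    ipaddress.IPv4Address(tokens[i + 1])
    return i + 2


def _take_ports(tokens, i):
    """Consume an optional 'eq|gt|lt|neq PORT' or 'range LOW HIGH' at tokens[i]; return the next index."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 3 if tokens[i] == "range" else 2
        if i + n > len(tokens):
            raise ValueError("port operator without its operand")
        return i + n
    return i


def lint_ace(line):
    """Return None if the ACE parses as the switch expects it, else a message saying what is wrong."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("!"):
        return None  # blank line or comment
    try:
        if tokens[0] not in ACTIONS:
            return f"unknown action {tokens[0]!r}"
        if tokens[1] not in PROTOCOLS:
            return f"unknown protocol {tokens[1]!r}"
        if tokens[1] == "ip" and PORT_OPS & set(tokens[2:]):
            return "port operator is not valid with protocol 'ip'"
        i = _take_address(tokens, 2)
        i = _take_ports(tokens, i)
        i = _take_address(tokens, i)
        i = _take_ports(tokens, i)
        if i != len(tokens):
            return f"unexpected trailing tokens {' '.join(tokens[i:])!r}"
    except (IndexError, ValueError) as exc:
        return f"malformed ACE: {exc}"
    return None


def lint_dacl(text):
    """Return [(line number, problem)] for every ACE in a dACL body the parser rejects."""
    return [(n, msg) for n, ln in enumerate(text.splitlines(), 1) if (msg := lint_ace(ln))]


# Constructed sample log: the two %EPM lines from the thread plus one unrelated line.
SAMPLE_LOG = [
    "Jun 24 20:35:43.762: %EPM-6-AAA: POLICY xACSACLx-IP-POSTURE_REMEDIATION-4fe0538d| EVENT DOWNLOAD-FAIL",
    "Jun 24 20:35:43.762: %EPM-4-POLICY_APP_FAILURE: IP 0.0.0.0| MAC c80a.a96e.367c| AuditSessionID AC101065000000CA9F843C74| AUTHTYPE DOT1X| POLICY_TYPE dACL| POLICY_NAME xACSACLx-IP-POSTURE_REMEDIATION-4fe0538d| RESULT FAILURE| REASON AAA download failure",
    "Jun 24 20:35:44.010: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/36, changed state to up",
]

# Constructed dACL bodies in the form ISE pushes them (no sequence numbers, source always 'any').
GOOD_DACL = """\
permit udp any any eq domain
permit udp any host 172.16.10.50 eq 8905
permit tcp any host 172.16.10.50 eq 8443
permit tcp any host 172.16.10.50 range 8905 8906
deny ip any any
"""
# Same body with two constructed typos ('tpc', 'hots') of the kind that makes the switch reject the dACL.
BAD_DACL = """\
permit udp any any eq domain
permit tpc any host 172.16.10.50 eq 8443
permit udp any hots 172.16.10.50 eq 8905
deny ip any any
"""

if __name__ == "__main__":
    for session, name, reason in failed_dacl_downloads(SAMPLE_LOG):
        print(f"dACL {name} not installed (session {session}): {reason}")
    for n, msg in lint_dacl(BAD_DACL):
        print(f"line {n}: {msg}")
```

Run the linter over the dACL body before saving the Authorization Profile, and keep the log scan handy for the case the other way round: when a session authenticates but the client never gets its redirect, a POLICY_APP_FAILURE with POLICY_TYPE dACL tells you the profile was matched and it is the dACL content, not the policy set, that needs attention.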
06-24-2012 02:16 PM
Disregard my post, I see you just found it.....
Message was edited by: Tarik Admani
06-24-2012 02:18 PM
Yeap, that was it... I changed it a couple of minutes ago and it started working.
Thanks!
06-24-2012 02:19 PM
No worries. Thanks!!
07-09-2017 02:31 AM
I have the same issue now; where exactly was the issue?
BR