Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2036
Views
1
Helpful
4
Replies

ISE 3.1 posture redirect

Go to solution
ben.levin1
Level 1
Level 1

‎04-25-2023 07:38 AM

I'm helping a coworker set up posture assessment on ISE 3.1. Everything is configured but we are having trouble with the client provisioning/posture redirect.  Does anyone have an example of a posture redirect ACL on an IOS switch, or can you point me to documentation with this information? I looked at the ISE 3.1 admin guide but didn't see anything specific on this, and I'm not sure if anything has changed since ISE 2.x.  Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎04-25-2023 08:20 AM - edited ‎04-25-2023 08:20 AM

For posture redirection on switch, you need to configure below rules:

  • Deny DNS traffic
  • Deny DHCP traffic
  • Deny traffic to ISE PSN on TCP 8443, 8905, 8909 (assuming you are using default ports on ISE for posture)
  • Permit ip any any

Logic : On the switch, anything that is denied would be allowed and rest would be redirected. We have to allow DHCP, DNS and traffic to ISE, rest everything should be redirected.

Also, ensure that https services are running on the switch. ("ip http server" and "ip http secure-server")

View solution in original post

4 Replies 4

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎04-25-2023 08:20 AM - edited ‎04-25-2023 08:20 AM

For posture redirection on switch, you need to configure below rules:

  • Deny DNS traffic
  • Deny DHCP traffic
  • Deny traffic to ISE PSN on TCP 8443, 8905, 8909 (assuming you are using default ports on ISE for posture)
  • Permit ip any any

Logic : On the switch, anything that is denied would be allowed and rest would be redirected. We have to allow DHCP, DNS and traffic to ISE, rest everything should be redirected.

Also, ensure that https services are running on the switch. ("ip http server" and "ip http secure-server")

Go to solution
ben.levin1
Level 1
Level 1
In response to Nancy Saini

‎04-25-2023 10:34 AM

Thanks! We'll give that a shot.

0 Helpful

Go to solution
adrian.ciubotariu.lacatusu
Level 1
Level 1
In response to ben.levin1

‎05-12-2023 06:10 AM

Hi,

it works?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-21-2023 04:36 PM

Also, make sure the IP device tracking is working.

Another way to define the ACLs is to use both url-redirect-acl and DACL. The url-redirect-acl is usually an ACL configured on the Cisco IOS switch. When we use it in combination with a DACL, the url-redirect-acl can be much simplified, e.g.,

ip access-list extended ISE-URL-REDIRECT
 10 deny   tcp any host 10.1.129.8 eq www
 20 permit tcp any any eq www

Then, the DACL may have the following content, where 198.18.133.1 is the DNS server, 198.18.133.27 is the ISE server, and 198.18.0.0/16 represents the internal networks.

permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8905
permit tcp any host 198.18.133.27 eq 8084
deny   ip any 198.18.0.0 0.0.255.255
permit ip any any

 

 

 

0 Helpful
Customers Also Viewed These Support Documents