3307 Views, 1 Helpful, 4 Replies

ISE 3.1 posture redirect

ben.levin1
Level 1

I'm helping a coworker set up posture assessment on ISE 3.1. Everything is configured but we are having trouble with the client provisioning/posture redirect.  Does anyone have an example of a posture redirect ACL on an IOS switch, or can you point me to documentation with this information? I looked at the ISE 3.1 admin guide but didn't see anything specific on this, and I'm not sure if anything has changed since ISE 2.x.  Thank you.

1 Accepted Solution

Accepted Solutions

Nancy Saini
Cisco Employee

For posture redirection on the switch, you need to configure the rules below:

  • Deny DNS traffic
  • Deny DHCP traffic
  • Deny traffic to ISE PSN on TCP 8443, 8905, 8909 (assuming you are using default ports on ISE for posture)
  • Permit ip any any

Logic: On the switch, anything that is denied would be allowed and the rest would be redirected. We have to allow DHCP, DNS and traffic to ISE; everything else should be redirected.

Also, ensure that https services are running on the switch. ("ip http server" and "ip http secure-server")


4 Replies


Thanks! We'll give that a shot.

Hi,

Does it work?

hslai
Cisco Employee

Also, make sure the IP device tracking is working.

Another way to define the ACLs is to use both url-redirect-acl and DACL. The url-redirect-acl is usually an ACL configured on the Cisco IOS switch. When we use it in combination with a DACL, the url-redirect-acl can be much simplified, e.g.,

ip access-list extended ISE-URL-REDIRECT
 10 deny   tcp any host 10.1.129.8 eq www
 20 permit tcp any any eq www

Then, the DACL may have the following content, where 198.18.133.1 is the DNS server, 198.18.133.27 is the ISE server, and 198.18.0.0/16 represents the internal networks.

permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8905
permit tcp any host 198.18.133.27 eq 8084
deny   ip any 198.18.0.0 0.0.255.255
permit ip any any
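As an added illustration (my own example, not code from the thread or from Cisco) of the inverted redirect-ACL logic Nancy describes and the url-redirect-acl plus DACL combination hslai shows above, here is a small Python model that applies both ACLs to sample client flows and reports whether each is dropped, redirected to the portal, or allowed through. The ACE parser is a deliberate simplification of IOS syntax and assumes the "any" source form used in this thread; the addresses are the ones hslai posted.

```python
# Added example (not from the thread): models how an IOS switch applies a dACL
# together with a url-redirect ACL, so a posture policy can be checked offline.
from ipaddress import ip_address, ip_network

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

def parse_ace(line):
    """Parse 'ACTION PROTO any DST [eq PORT]' where DST is any / host A / A WILDCARD."""
    tok = line.split()
    if tok[0].isdigit(): tok = tok[1:]        # drop a leading IOS sequence number
    action, proto, i = tok[0], tok[1], 3       # index 2 is the 'any' source (assumed)
    if tok[i] == "any":
        net, i = ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ip_network(tok[i + 1] + "/32"), i + 2
    else:                                      # network + wildcard mask, e.g. 198.18.0.0 0.0.255.255
        net, i = ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, net, port

def first_match(acl, proto, dst, port):
    """Action of the first matching ACE, or 'deny' (the implicit deny at the end of every ACL)."""
    for action, rproto, net, rport in acl:
        if rproto in ("ip", proto) and ip_address(dst) in net and rport in (None, port):
            return action
    return "deny"

def disposition(dacl, redirect_acl, proto, dst, port):
    """Outcome for one client flow: 'drop', 'redirect' (to the ISE portal) or 'allow'."""
    if first_match(dacl, proto, dst, port) == "deny":
        return "drop"                          # a dACL deny is a real drop
    # On permitted traffic the redirect ACL is read inverted: 'permit' = redirect,
    # 'deny' or no match = pass through untouched.
    return "redirect" if first_match(redirect_acl, proto, dst, port) == "permit" else "allow"

# hslai's url-redirect-acl and dACL as posted in this thread
REDIRECT_ACL = [parse_ace(l) for l in """
10 deny   tcp any host 10.1.129.8 eq www
20 permit tcp any any eq www""".strip().splitlines()]
DACL = [parse_ace(l) for l in """
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8905
permit tcp any host 198.18.133.27 eq 8084
deny   ip any 198.18.0.0 0.0.255.255
permit ip any any""".strip().splitlines()]
```

Call `disposition(DACL, REDIRECT_ACL, "tcp", "8.8.8.8", 80)` to confirm that external web traffic is redirected while DNS, the ISE ports and the 10.1.129.8 host pass through and internal networks are dropped.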