09-17-2012 07:36 AM - edited 03-10-2019 07:33 PM
Dears,
I am working on ISE 1.1 and am facing a problem after the posture assessment for a machine: if the machine doesn't have the correct antivirus, the NAC Agent suggests the following remediation link: http://kaspersky.test.com. When the user tries to click on the link, the link redirects him to the client provisioning page instead of the right page of the antivirus installer. Even if I try to put the IP address instead of the link (http://10.10.10.10), the problem persists.
Any ideas what could be the problem?
Thank you in advance
Regards
zahi
09-18-2012 12:21 PM
Hi,
If this is for a wired interface, then you need to check the redirect ACL and make sure that the entry is not redirecting remediation traffic.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-19-2012 11:59 PM
Hi Tarik,
I have done that and it worked fine.
Thank you for your help.
Appreciated
zahi
11-02-2018 01:53 AM
@Tarik Admani wrote:
make sure that the entry is not redirecting remediation traffic.
This is an old thread but I have the same issue (ISE 2.2 and wired remediation).
I didn't quite get the statement above. Would you elaborate more on how to achieve that?
My current situation:
1) dACL in ISE: DACL_AGENT_REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host <ISE IP> eq 8905
deny tcp any host <ISE IP> eq 8905
deny tcp any host <ISE IP> eq 8909
deny udp any host <ISE IP> eq 8909
deny tcp any host <ISE IP> eq 8443
permit ip any host xx.xx.xx.xx(AV server)
2) ACL in switch: ACL_AGENT_REDIRECT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host <ISE IP> eq 8905
permit tcp any host <ISE IP> eq 8905
permit tcp any host <ISE IP> eq 8909
permit udp any host <ISE IP> eq 8909
permit tcp any host <ISE IP> eq 8443
permit ip any host xx.xx.xx.xx(AV server)
When AnyConnect is scanning, it prompts a message of AV check failure and keeps redirecting back to the posture portal (when in actuality it is supposed to redirect to the AV server).
Is there anything that I'm missing?
Your kind advice is highly appreciated.
11-02-2018 01:56 AM
11-03-2018 12:36 PM
2) ACL in switch: ACL_AGENT_REDIRECT
...
deny ip any host xx.xx.xx.xx(AV server)
When AnyConnect is scanning, it prompts a message of AV check failure and keeps redirecting back to the posture portal (when in actuality it is supposed to redirect to the AV server).
I would suggest you double-check your remediation, which would link directly to the AV server site. It is good to use Wireshark to confirm that the endpoint is making requests to the AV server and not some other sites.
Once confirmed, then please engage Cisco TAC to troubleshoot why the Cisco IOS switch is triggering redirects to the AV server, which should have been exempted from the web redirect.
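Added example (not code from any poster in this thread): a first-match evaluator that shows how the switch redirect ACL posted above treats HTTP traffic to the AV server, next to a variant in which the exemptions are `deny` entries. It assumes the Cisco IOS redirect-ACL convention that `permit` selects traffic for redirection and `deny` exempts it; the addresses, the `REVISED` ACL and the function names are constructed for illustration.

```python
# Assumption: in an IOS redirect ACL, permit = redirect, deny = exempt.
ISE, AV = "192.0.2.10", "192.0.2.20"  # constructed placeholder addresses
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

# Switch redirect ACL as posted in the thread, placeholders filled in.
POSTED = f"""permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host {ISE} eq 8905
permit tcp any host {ISE} eq 8905
permit tcp any host {ISE} eq 8909
permit udp any host {ISE} eq 8909
permit tcp any host {ISE} eq 8443
permit ip any host {AV}"""

# Hypothetical variant: exemptions become deny, web traffic is redirected.
REVISED = POSTED.replace("permit", "deny") + "\npermit tcp any any eq www"

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; None means wildcard."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address form: {tok}")

def _port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok and tok[0] == "eq":
        name = tok[1]
        return (PORTS[name] if name in PORTS else int(name)), tok[2:]
    return None, tok

def parse(acl):
    rules = []
    for line in acl.strip().splitlines():
        action, proto, *tok = line.split()
        src, tok = _addr(tok)
        sport, tok = _port(tok)
        dst, tok = _addr(tok)
        dport, tok = _port(tok)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def decision(acl, proto, src, sport, dst, dport):
    """Return 'redirect' or 'bypass' for one flow, first match wins."""
    for action, p, s, sp, d, dp in parse(acl):
        if (p in ("ip", proto) and s in (None, src) and d in (None, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny: unmatched traffic is not redirected
```

With the posted ACL, `decision(POSTED, "tcp", "10.0.0.5", 50000, AV, 80)` returns `"redirect"`, which matches the symptom of being sent back to the posture portal; the same flow against `REVISED` returns `"bypass"`.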