ISE - AV Link remediation redirect problem

ZAHI BOU KHALIL
Level 1

Dears,

I am working on ISE 1.1, and I am facing a problem after the posture assessment for a machine: if the machine doesn't have the correct antivirus, the NAC Agent suggests the following remediation link: http://kaspersky.test.com. When the user tries to click on the link, it redirects him to the client provisioning page instead of the right page for the antivirus installer. Even if I try to put the IP address instead of the link, http://10.10.10.10, the problem persists.

Any ideas what could be the problem?

Thank you in advance

Regards

zahi

Accepted Solution

Tarik Admani
VIP Alumni

Hi,

If this is for a wired interface, then you need to check the redirect ACL and make sure that the entry is not redirecting remediation traffic.

thanks,

Tarik Admani
*Please rate helpful posts*


5 Replies


Hi Tarik,

I have done that and it worked fine.

Thank you for your help.

Appreciated

zahi


@Tarik Admani wrote:

make sure that the entry is not redirecting remediation traffic.


This is an old thread but I have the same issue (ISE 2.2 and wired remediation).

I didn't quite get the statement above. Would you elaborate more on how to achieve that?

My current situation:

1) dACL in ISE: DACL_AGENT_REDIRECT

deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host <ISE IP> eq 8905
deny tcp any host <ISE IP> eq 8905
deny tcp any host <ISE IP> eq 8909
deny udp any host <ISE IP> eq 8909
deny tcp any host <ISE IP> eq 8443

permit ip any host xx.xx.xx.xx (AV server)

2) ACL in switch: ACL_AGENT_REDIRECT

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host <ISE IP> eq 8905
permit tcp any host <ISE IP> eq 8905
permit tcp any host <ISE IP> eq 8909
permit udp any host <ISE IP> eq 8909
permit tcp any host <ISE IP> eq 8443

permit ip any host xx.xx.xx.xx (AV server)

When AnyConnect is scanning, it prompts an AV check failure message and keeps redirecting back to the posture portal (when in actuality it is supposed to redirect to the AV server).

Is there anything that I'm missing out?

Your kind advice is highly appreciated.

**Correction: wrongly pasted in previous reply

1) dACL in ISE: DACL_AGENT_REDIRECT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host <ISE IP> eq 8905
permit tcp any host <ISE IP> eq 8905
permit tcp any host <ISE IP> eq 8909
permit udp any host <ISE IP> eq 8909
permit tcp any host <ISE IP> eq 8443
permit ip any host xx.xx.xx.xx (AV server)

2) ACL in switch: ACL_AGENT_REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host <ISE IP> eq 8905
deny tcp any host <ISE IP> eq 8905
deny tcp any host <ISE IP> eq 8909
deny udp any host <ISE IP> eq 8909
deny tcp any host <ISE IP> eq 8443
deny ip any host xx.xx.xx.xx (AV server)

2) ACL in switch: ACL_AGENT_REDIRECT
...
deny ip any host xx.xx.xx.xx (AV server)

When AnyConnect is scanning, it prompts an AV check failure message and keeps redirecting back to the posture portal (when in actuality it is supposed to redirect to the AV server).

I would suggest you double-check your remediation, which would link directly to the AV server site. It is good to use Wireshark to confirm that the endpoint is making requests to the AV server and not some other site.

Once confirmed, then please engage Cisco TAC to troubleshoot why the Cisco IOS switch is triggering redirects to the AV server, which should have been exempted from the web redirect.
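To make Tarik's advice concrete, here is an added example (my own code, not from this thread or from Cisco) that evaluates the switch-side redirect ACL the way the switch does: in a URL redirect ACL a permit entry means "send this flow to the portal" and a deny entry means "let it through", so the AV server must appear as a deny. The ISE and AV server addresses and the trailing permit for port 80 are assumed placeholders, not values from the thread.

```python
# Action in a redirect ACL: "permit" = send to the portal, "deny" = pass through.
ISE_IP, AV_IP = "10.1.1.10", "10.1.1.20"   # constructed placeholders
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}

def parse_acl(text):
    """Parse the IOS extended-ACL subset used in the thread into
    (action, proto, dst_host_or_any, dst_port_or_None) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        i = 4 if tok[2] == "host" else 3              # skip source spec
        if i < len(tok) and tok[i] == "eq":           # optional source port
            i += 2
        dst = tok[i + 1] if tok[i] == "host" else "any"
        i += 2 if tok[i] == "host" else 1
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        entries.append((tok[0], tok[1], dst, dport))
    return entries

def redirected(acl, proto, dst, dport):
    """First match decides; no match is the implicit deny, i.e. no redirect."""
    for action, eproto, edst, edport in acl:
        if eproto in ("ip", proto) and edst in ("any", dst) \
                and edport in (None, dport):
            return action == "permit"
    return False

# Switch ACL as first pasted in the thread: every line is "permit", so HTTP to
# the AV server is redirected too and the client loops back to the portal.
BROKEN_ACL = f"""permit udp any any eq domain
permit tcp any host {ISE_IP} eq 8443
permit ip any host {AV_IP}"""
# Fixed: exempt DHCP, DNS, ISE and the AV server, then redirect only plain
# web traffic (the trailing permit is the usual pattern, assumed here).
FIXED_ACL = f"""deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any host {ISE_IP} eq 8443
deny ip any host {AV_IP}
permit tcp any any eq 80"""

def av_server_redirected(acl_text):
    """True if an HTTP request to the AV server would hit the portal."""
    return redirected(parse_acl(acl_text), "tcp", AV_IP, 80)
```

Paste your own redirect ACL (from `show ip access-lists`) in place of the constructed ones to check whether the remediation server's HTTP flow matches a permit before any deny.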