
ISE client provisioning with wlc 7.3

andreagentile71
Level 1

Hi Experts,

I have the following challenge. I will try to be synthetic.

ISE 1.1.2.145

WLC 7.3

Wireless clients, dot1x eap peap, posture required.

Clients should download the nac agent through redirection.

So, I have an authorization policy that, for posture status = unknown, applies a redirect AV, in the form:

"https://ip:port:8443/.....action=cpp

The access list is correctly applied on the WLC.

The challenge is, it works for HTTP traffic, but doesn't work for HTTPS traffic or if the browser is using a proxy (port 3128, 8080, etc.).

In case you wonder, the access list on the WLC:

permit icmp, dns

permit traffic to the PDPs

deny all else.

Thanks

Andrea


stojanr
Level 1

Did you try using tcpdump on the PSN you should be redirected to, to verify if the traffic is actually hitting the node? Could the traffic be filtered by a firewall, or a proxy setting on the clients' PCs?

Sent from Cisco Technical Support iPad App

You may want to consider explicitly denying the proxy traffic in the WLC ACL and see if that resolves your issue. You may need to get clarification from Cisco TAC to see whether, when the client is in the WEBAUTH state, it only listens for HTTP traffic.

You may want to consider using this option (however, I do not know if this will work for RADIUS webauth redirection) -

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000100.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

Thanks for the reply.

I already tried to deny traffic for HTTPS and proxy requests in the ACL applied to the WLC via ISE.

The client state is not WEBAUTHD but POSTUREREQD (sorry, I don't remember the exact wording, but I think you get the idea).

I'll also follow your suggestion about the TAC.

Andrea

Hi,

Thanks for the reply.

Yes, there's a proxy setting on the browser.