03-06-2013 07:55 AM - edited 03-10-2019 08:09 PM
Hi Experts,
I have the following challenge. I will try to be brief.
ISE 1.1.2.145
WLC 7.3
Wireless clients, dot1x eap peap, posture required.
Clients should download the nac agent through redirection.
So, I have an authorization policy that, for posture status = unknown, applies a redirect AV in the form:
"https://ip:port:8443/.....action=cpp
The access list is correctly applied on the WLC.
The challenge is that it works for HTTP traffic, but doesn't work for HTTPS traffic or if the browser is using a proxy (port 3128, 8080, etc.).
In case you wonder, the access-list on wlc:
permit ICMP, DNS
permit traffic to the PDPs
deny all else.
Thanks
Andrea
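The redirect ACL described in the question, written out as an AireOS WLC CLI fragment (an added example, not the poster's actual configuration; the ACL name and the PSN address 192.0.2.10 are assumed placeholders, and the lines starting with ! are commentary, not CLI):

```text
! Assumed name; the ISE authorization profile references the ACL by this name
config acl create ISE-POSTURE-REDIRECT

! Rule 1: permit ICMP (protocol 1) in both directions
config acl rule add ISE-POSTURE-REDIRECT 1
config acl rule protocol ISE-POSTURE-REDIRECT 1 1
config acl rule direction ISE-POSTURE-REDIRECT 1 any
config acl rule action ISE-POSTURE-REDIRECT 1 permit

! Rules 2-3: DNS (UDP/53); WLC ACLs are stateless, so replies need their own rule
config acl rule add ISE-POSTURE-REDIRECT 2
config acl rule protocol ISE-POSTURE-REDIRECT 2 17
config acl rule destination port range ISE-POSTURE-REDIRECT 2 53 53
config acl rule direction ISE-POSTURE-REDIRECT 2 any
config acl rule action ISE-POSTURE-REDIRECT 2 permit
config acl rule add ISE-POSTURE-REDIRECT 3
config acl rule protocol ISE-POSTURE-REDIRECT 3 17
config acl rule source port range ISE-POSTURE-REDIRECT 3 53 53
config acl rule direction ISE-POSTURE-REDIRECT 3 any
config acl rule action ISE-POSTURE-REDIRECT 3 permit

! Rules 4-5: all traffic to and from the ISE PSN (placeholder 192.0.2.10)
config acl rule add ISE-POSTURE-REDIRECT 4
config acl rule destination address ISE-POSTURE-REDIRECT 4 192.0.2.10 255.255.255.255
config acl rule direction ISE-POSTURE-REDIRECT 4 any
config acl rule action ISE-POSTURE-REDIRECT 4 permit
config acl rule add ISE-POSTURE-REDIRECT 5
config acl rule source address ISE-POSTURE-REDIRECT 5 192.0.2.10 255.255.255.255
config acl rule direction ISE-POSTURE-REDIRECT 5 any
config acl rule action ISE-POSTURE-REDIRECT 5 permit

! No final rule: anything not permitted above is implicitly denied, and on a
! redirect ACL the denied traffic is what the WLC intercepts for redirection
```

On this WLC release the redirect intercepts only plain HTTP (TCP/80); other denied flows such as HTTPS or a proxy port are simply dropped, which matches the symptom described above.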
03-09-2013 02:10 PM
Did you try using TcpDump on the PSN you should be redirected to, to verify if the traffic is actually hitting the node? Could the traffic be filtered by a firewall, or a proxy setting on the client's PCs?
Sent from Cisco Technical Support iPad App
03-10-2013 01:35 PM
You may want to consider explicitly denying the proxy traffic in the WLC ACL and see if that resolves your issue. You may need to get clarification from Cisco TAC to confirm whether, when the client is in the WEBAUTH state, it only listens for HTTP traffic.
You may want to consider using this option (however I do not know if this will work for RADIUS webauth redirection) -
Thanks,
Tarik Admani
*Please rate helpful posts*
03-11-2013 03:38 AM
Hi,
thanks for reply.
I already tried to deny traffic for HTTPS and proxy requests in the ACL applied to the WLC via ISE.
The client state is not WEBAUTHD but POSTUREREQD (sorry, I don't remember the exact wording, but I think you get the idea).
I'll also follow your suggestion about the TAC.
Andrea
03-11-2013 03:35 AM
Hi,
thanks for reply.
Yes, there are proxy settings on the browser.