11-13-2014 08:19 PM - edited 03-10-2019 10:10 PM
Dear Experts,
From ISE 2.x I am able to ping the proxy server, but once a Windows user is authenticated and logs in, he cannot go to the internet and gets a proxy error.
Let me know some points and vectors to look into!
Waiting.
11-13-2014 09:44 PM
Hmm, once you are authenticated, ISE is sort of out of the picture. Are you returning a dACL (wired) or referencing some sort of an ACL on the WLC (Wireless)?
Thank you for rating helpful posts!
11-13-2014 11:17 PM
Dear Neno,
Thanks for your reply. I am using a wired network.
Yes, I am using a DACL; for testing purposes I am using permit ip any any.
I can even see that ACL on the switch side with the command below:
show auth sess int gig0/19
But the problem is that when I try to open any web page, it shows proxy server unreachable.
Is there anything we have to do on Cisco ISE to redirect that traffic?
11-13-2014 11:34 PM
The only time ISE would perform traffic redirection is when you are doing things like CWA (Central Web Authentication), Posture Assessment, etc. If you are just doing basic dot1x/mab authentication, then ISE just decides who gets on the network and what type of access that person/device gets.
With that being said, what happens if you remove dot1x authentication from the port? Can the client reach ISE then? (you can quickly remove dot1x by issuing no authentication port-control auto)
Other things to try:
1. Remove the dACL
2. In the authorization rule, return the default "permit access"
3. Remove the ACL on the FW
4. Anything else that might be affecting the connection
With the process of elimination you should be able to find the root cause of the issue.
Thank you for rating helpful posts!