ISE inconsistent posture issue for guests...

spichai
Cisco Employee

Hi Team,

We have ISE 2.3 deployed at one of our customers and we are seeing an inconsistent issue with PC posturing and web redirection, wherein it works well for a few guest PCs and shows the issue "unable to reach policy server" for the remaining ones. More details are given below, and we seek your expert guidance on this. Log files and captures are also available in SR-685644334...

 

Problem Description:

==================

  • We are trying to deploy the ISE 2.3 temporal agent to proceed with posture at the Amsterdam location. After finishing the configuration, we found that the redirect URL is received at the test PC, but the page is not opening for some PCs while it is working well for another PC.


Action Taken:

-------------------

  • We tried with multiple PCs and could see that one of the PCs is working consistently and gets redirected to the ISE guest portal, while the remaining 2 PCs are not getting redirected to the ISE portal.
  • We suspected issues with DNS, but the non-working PC is able to resolve the URL using nslookup; when it tries the redirection using a browser, it is not working, as the traffic is not coming back to ISE.
  • We tried putting host entries on the non-working PC as well, but still it is not working.
  • We changed the redirect URL settings on ISE to send the IP address instead of the FQDN. After that we were able to get the redirect URL and reach the page where we can download the temporal agent.
  • The same PC is working well if we enable MAB with the MAC address added in ISE. However, after that we got an error: Policy server not detected.
  • We are suspecting issues at the endpoints or DNS servers and have requested their team to validate the endpoint prerequisites at their end, as given in the trailing email.


In ISE logs

--------------

Result

User-Name    A4-4C-C8-18-6E-89

State    ReauthSession:048E680A000011761D3726D4

Class    CACS:048E680A000011761D3726D4:CTSNLAMSVISE3/328277493/4193253

cisco-av-pair    url-redirect-acl=ACL_WEBAUTH_REDIRECT

cisco-av-pair    url-redirect=https://10.142.105.8:8443/portal/gateway?sessionId=048E680A000011761D3726D4&portal=283258a0-e96e-11e4-a30a-005056bf01c9&action=cpp&token=d0bf677e2b27b39a1603a283a752c900

cisco-av-pair    coa-skip-logical-profile=


Here is the posture log 

-------------------------------


[Fri Nov 16 17:16:10.072 2018][-=unknown=-]Function: GetIseDiscoveryAttr Thread Id: 0x738 File: C:\temp\build\thehoff\Mera_fcs0.0760282695592\Mera_fcs\posture\ise\libnaccommon\ExtractName.cpp Line: 339 Level: info :ISE Discovery attributes - FQDN(CTSNLAMSVISE3.CTS.COM), Port(8443), Session ID(JL8li4FjSLaV0bYYD3OEmg)

[Fri Nov 16 17:16:10.103 2018][-=unknown=-]Function: hs_transport_winhttp_get Thread Id: 0x738 File: C:\temp\build\thehoff\Mera_fcs0.0760282695592\Mera_fcs\posture\ise\libhstransport\hs_transport_winhttp.c Line: 4808 Level: debug :unable to send request: 12007
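When triaging posture failures like this one, it helps to pull the agent's discovery result (which server, which port, which session) and the transport error code out of the log mechanically rather than eyeballing long lines. The following is an added example, not code from the original post or from Cisco: a small Python parser for the temporal-agent log format shown above. The two sample lines are copied from the post; the WinHTTP code table is the documented Microsoft mapping for a handful of codes (12007 is ERROR_WINHTTP_NAME_NOT_RESOLVED), and the field names (`func`, `level`, `msg`, ...) are this example's own choice.

```python
import re
from typing import Dict, List, Optional

# Sample input: the two posture-agent log lines quoted in the post above.
SAMPLE_LOG = r"""
[Fri Nov 16 17:16:10.072 2018][-=unknown=-]Function: GetIseDiscoveryAttr Thread Id: 0x738 File: C:\temp\build\thehoff\Mera_fcs0.0760282695592\Mera_fcs\posture\ise\libnaccommon\ExtractName.cpp Line: 339 Level: info :ISE Discovery attributes - FQDN(CTSNLAMSVISE3.CTS.COM), Port(8443), Session ID(JL8li4FjSLaV0bYYD3OEmg)
[Fri Nov 16 17:16:10.103 2018][-=unknown=-]Function: hs_transport_winhttp_get Thread Id: 0x738 File: C:\temp\build\thehoff\Mera_fcs0.0760282695592\Mera_fcs\posture\ise\libhstransport\hs_transport_winhttp.c Line: 4808 Level: debug :unable to send request: 12007
"""

# Documented WinHTTP status codes (from Microsoft's winhttp.h) that the agent reports as
# "unable to send request: <code>". Codes not listed here are reported as UNKNOWN.
WINHTTP_CODES: Dict[int, str] = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12175: "ERROR_WINHTTP_SECURE_FAILURE",
}

# One agent line: [timestamp][user]Function: F Thread Id: T File: path Line: N Level: L :message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<user>[^\]]*)\]"
    r"Function: (?P<func>\S+) Thread Id: (?P<tid>0x[0-9A-Fa-f]+) "
    r"File: (?P<file>.+?) Line: (?P<line>\d+) Level: (?P<level>\w+) :(?P<msg>.*)$"
)
DISCOVERY_RE = re.compile(r"FQDN\(([^)]*)\), Port\((\d+)\), Session ID\(([^)]*)\)")
SEND_ERR_RE = re.compile(r"unable to send request: (\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it is not an agent line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text: str) -> List[dict]:
    """Parse every agent line in a log blob, silently skipping non-matching lines."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def summarize(text: str) -> dict:
    """Extract what matters for triage: discovered server/port/session and transport errors."""
    summary = {"fqdn": None, "port": None, "session_id": None, "errors": []}
    for rec in parse_log(text):
        d = DISCOVERY_RE.search(rec["msg"])
        if d:
            summary["fqdn"] = d.group(1)
            summary["port"] = int(d.group(2))
            summary["session_id"] = d.group(3)
        e = SEND_ERR_RE.search(rec["msg"])
        if e:
            code = int(e.group(1))
            summary["errors"].append((code, WINHTTP_CODES.get(code, "UNKNOWN")))
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"agent discovered {s['fqdn']}:{s['port']} (session {s['session_id']})")
    for code, name in s["errors"]:
        print(f"transport error {code} = {name}")
```

The summary makes the discrepancy in the thread visible in one place: the agent discovered the server by FQDN (CTSNLAMSVISE3.CTS.COM:8443) while the RADIUS url-redirect av-pair carried the IP 10.142.105.8, so the agent's own name resolution on the endpoint is a separate dependency from the browser redirect, and the error code tells you which stage of the WinHTTP request failed.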

3 Replies

paul
Level 10

What does your ACL_WEBAUTH_REDIRECT look like?

spichai
Cisco Employee

Here is the redirect ACL for validation...


ip access-list extended ACL_WEBAUTH_REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   icmp any any
 deny   udp any host 10.142.105.8 eq 8443
 deny   tcp any host 10.142.105.8 eq 8443
 deny   tcp any any eq 8905
 deny   udp any any eq 8905
 deny   tcp any any eq 8909
 deny   udp any any eq 8909
 permit ip any any
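On Cisco IOS/IOS-XE switches the URL-redirect ACL named in `url-redirect-acl` is a selector, not a filter: traffic matching a `permit` entry is intercepted and redirected to the portal, traffic matching a `deny` entry (or nothing at all, via the implicit deny) passes through untouched. The quickest way to validate an ACL like the one posted is to evaluate a few representative flows against it. The following is an added example, not code from the thread or from Cisco: a Python evaluator for the `permit`/`deny ... any | host X [eq port]` subset of extended ACL syntax used above. The ACL text is the one posted in this reply; the test flows and the client address 10.1.1.5 are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The redirect ACL posted in the reply above, verbatim.
ACL_WEBAUTH_REDIRECT = """\
ip access-list extended ACL_WEBAUTH_REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   icmp any any
 deny   udp any host 10.142.105.8 eq 8443
 deny   tcp any host 10.142.105.8 eq 8443
 deny   tcp any any eq 8905
 deny   udp any any eq 8905
 deny   tcp any any eq 8909
 deny   udp any any eq 8909
 permit ip any any
"""

# Well-known port names as IOS expands them.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass
class Ace:
    action: str               # "permit" (redirect) or "deny" (pass through)
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]        # None means "any"
    src_port: Optional[int]   # None means no "eq" qualifier
    dst: Optional[str]
    dst_port: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Parse 'any' or 'host X' at t[i]; return (address, index of next token)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(t[i:])}")


def _opt_eq(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended ...' header and blanks
        src, i = _addr(t, 2)
        sp, i = _opt_eq(t, i)
        dst, i = _addr(t, i)
        dp, i = _opt_eq(t, i)
        aces.append(Ace(t[0], t[1], src, sp, dst, dp))
    return aces


def _matches(a: Ace, proto, src, sp, dst, dp) -> bool:
    if a.proto != "ip" and a.proto != proto:
        return False
    if a.src is not None and a.src != src:
        return False
    if a.dst is not None and a.dst != dst:
        return False
    if a.src_port is not None and a.src_port != sp:
        return False
    if a.dst_port is not None and a.dst_port != dp:
        return False
    return True


def redirect_decision(aces: List[Ace], proto: str, src: str, sp: Optional[int],
                      dst: str, dp: Optional[int]) -> str:
    """First matching ACE wins: permit -> 'redirect', deny -> 'bypass'; implicit deny -> 'bypass'."""
    for a in aces:
        if _matches(a, proto, src, sp, dst, dp):
            return "redirect" if a.action == "permit" else "bypass"
    return "bypass"


if __name__ == "__main__":
    aces = parse_acl(ACL_WEBAUTH_REDIRECT)
    # Constructed flows from a guest client 10.1.1.5 (example value).
    flows = [
        ("DHCP request", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        ("DNS query", "udp", "10.1.1.5", 51000, "10.1.1.1", 53),
        ("portal direct", "tcp", "10.1.1.5", 51001, "10.142.105.8", 8443),
        ("web browsing", "tcp", "10.1.1.5", 51002, "93.184.216.34", 80),
    ]
    for name, *flow in flows:
        print(f"{name:14s} -> {redirect_decision(aces, *flow)}")
```

Two things this makes easy to confirm for the ACL above: the client can reach DNS and the portal on 10.142.105.8:8443 without being intercepted (otherwise the redirect would loop), and ordinary HTTP is intercepted. Note the semantics are the reverse on a wireless LAN controller, where the pre-authentication ACL's `permit` entries are the traffic allowed through; keep that in mind before reusing a switch ACL elsewhere.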

Surendra
Cisco Employee

You get this error when a TCP session to the server could not be established. I would recommend that you collect a packet capture on the PC and check what's breaking it.