ISE issue and re-direct to a portal

david.tran
Level 4

I have an issue that I need help on. This has to do with wired 802.1x, NOT wireless.

I have a network with Windows 2008R2 Active Directory servers and ISE version 1.1.2 patch-5. The ISE is integrated with Active Directory without any issues. The supplicant is native Windows 7 Enterprise 64-bit.

I've configured the Windows 7 supplicant for "User or Machine authentication". On the ISE authentication rule, I configure the ISE for 802.1x with Active Directory called CCIESEC. On the authorization rule, I've configured 802.1x and "was machine authenticated equals true". I also have another rule that states "machine authenticated begins with "/host"". That will permit access. The default rule is "deny access".

I've also set the Machine Access Restrictions (MAR) to 1 hour for testing purposes. After one hour, the machine must be rebooted or they will not have access to the network. I've set up "closed" mode (aka high impact mode). Everything is working almost as expected.

Here is what I would like to do:

1- The user connects a Windows 7 machine to the network. When the CTRL-ALT-DELETE prompt appears, the machine will be machine authenticated. When the user types in the Active Directory password, it will be "user authenticated". This is working now.

2- After 1 hour, the MAR expires, meaning that the machine will no longer have network access. When the user types in the user/password, I want the browser to pop up and redirect the user to an HTML portal saying something like "this machine will need to be rebooted in order to have network connectivity restored".

How would I go about doing this in step 2? Please help with detailed steps.

Thanks in advance.

1 Reply

bhthapa
Level 1

Please check this:

1.) Please check that the two Cisco av-pairs configured on the authorization profile exactly match the example below. (Note: do not replace the "IP" with the actual Cisco ISE IP address.)

– url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp

– url-redirect-acl=ACL-WEBAUTH-REDIRECT (please ensure that this ACL is also defined on the access switch)

2.) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch (where the session IP is the IP address that is passed to the client machine by the DHCP server).

i.e.

Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp

3.) Also make sure that the pre-posture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following lines:

remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> for URL redirect
permit tcp any host 80.0.80.2 eq www --> to provide access to the internet
permit tcp any host 80.0.80.2 eq 8443 --> for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any

4.) Please also ensure that the above URL Redirect has the proper Cisco ISE FQDN.

As per your confirmation, I am going to close the case for this specific inquiry. We strive to provide you with excellent service. Please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We value your input and look forward to serving you moving forward.
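The reply above lists three things to verify by hand: the pre-posture DACL contents, the redirect ACL and URL shown by show epm session ip, and the FQDN in that URL. The following script is an added example (not part of the thread and not a Cisco tool) that automates those checks. It parses a DACL in IOS ACE syntax and the epm session output, and reports what deviates from the reply's list. The ISE address 80.0.80.2, the ACL name ACL-WEBAUTH-REDIRECT and the sample epm output are taken from the reply; the "bad" DACL sample is constructed to show what a report looks like when a line is missing and the list does not end in deny ip any any. The port list encoded in REQUIRED_PERMITS is the reply's list, not an authoritative ISE requirement.

```python
"""Check an ISE URL-redirect / pre-posture DACL setup against the list in the reply.

Added example, not part of the original thread or of Cisco ISE/IOS. Inputs are
plain text: the DACL as configured in the authorization profile, and the output
of `show epm session ip <addr>` copied from the access switch.
"""
import re
from urllib.parse import parse_qs, urlparse

ISE_HOST = "80.0.80.2"              # ISE address used in the reply's DACL
REDIRECT_ACL = "ACL-WEBAUTH-REDIRECT"

# (protocol, destination, destination port) the pre-posture DACL must permit.
# Port names are IOS keywords ('www' = 80, 'domain' = 53, 'bootps' = 67).
REQUIRED_PERMITS = [
    ("udp", "any", "bootps"),       # DHCP
    ("udp", "any", "domain"),       # DNS
    ("icmp", "any", None),          # ping
    ("tcp", ISE_HOST, "443"),       # URL redirect
    ("tcp", ISE_HOST, "www"),       # HTTP to the portal
    ("tcp", ISE_HOST, "8443"),      # guest portal
    ("tcp", ISE_HOST, "8905"),      # posture (Swiss) TCP
    ("udp", ISE_HOST, "8905"),      # posture (Swiss) UDP
    ("udp", ISE_HOST, "8906"),      # posture (Swiss) UDP
]

# One access-control entry: action proto src [eq sport] dst [eq dport]
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?$"
)


def parse_dacl(text):
    """Return [(action, proto, dst, dport)] for each ACE. 'remark' lines and
    trailing '-->' annotations (as in the reply) are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("-->")[0].strip()
        if not line or line.startswith("remark"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {raw!r}")
        dst = re.sub(r"^host\s+", "", m.group("dst"))
        entries.append((m.group("action"), m.group("proto").lower(), dst, m.group("dport")))
    return entries


def check_dacl(text):
    """List problems with a pre-posture DACL; empty list means it matches the reply."""
    entries = parse_dacl(text)
    problems = []
    for proto, dst, port in REQUIRED_PERMITS:
        found = any(a == "permit" and p == proto and d == dst and (port is None or dp == port)
                    for a, p, d, dp in entries)
        if not found:
            problems.append(f"missing permit {proto} -> {dst}" + (f" eq {port}" if port else ""))
    if not entries or entries[-1] != ("deny", "ip", "any", None):
        problems.append("DACL does not end with 'deny ip any any'")
    return problems


def parse_epm_session(text):
    """Parse 'show epm session ip' output into a dict. A line containing '://' is
    the continuation of the previous field (the switch prints the URL on its own line)."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "://" in line and last is not None:
            fields[last] = (fields[last] + line).strip()
            continue
        key, _, val = line.partition(":")
        last = key.strip()
        fields[last] = val.strip()
    return fields


def check_epm_session(text, ise_fqdn):
    """Verify the redirect ACL is applied and the redirect URL points at the ISE FQDN
    on 8443 with a sessionId and action=cpp (step 4 in the reply)."""
    f = parse_epm_session(text)
    problems = []
    if f.get("URL Redirect ACL") != REDIRECT_ACL:
        problems.append(f"URL Redirect ACL is {f.get('URL Redirect ACL')!r}, expected {REDIRECT_ACL!r}")
    url = urlparse(f.get("URL Redirect", ""))
    if url.hostname != ise_fqdn:
        problems.append(f"redirect host is {url.hostname!r}, expected FQDN {ise_fqdn!r}")
    if url.port != 8443:
        problems.append(f"redirect port is {url.port}, expected 8443")
    q = parse_qs(url.query)
    if "sessionId" not in q or q.get("action") != ["cpp"]:
        problems.append("redirect URL lacks sessionId or action=cpp")
    return problems


# Sample inputs: the good DACL and epm output are the lines quoted in the reply;
# BAD_DACL is constructed (8906 missing, ends in 'permit ip any any').
GOOD_DACL = """remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> for URL redirect
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
deny ip any any
"""
BAD_DACL = GOOD_DACL.replace("permit udp any host 80.0.80.2 eq 8906\n", "").replace(
    "deny ip any any", "permit ip any any")
EPM_OUTPUT = """Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
"""

if __name__ == "__main__":
    for name, text in (("good DACL", GOOD_DACL), ("bad DACL", BAD_DACL)):
        print(name, check_dacl(text) or "OK")
    print("epm session", check_epm_session(EPM_OUTPUT, "node250.cisco.com") or "OK")
```

Run it against your own DACL and switch output by pasting them into the two sample strings; an empty list means the configuration matches the reply's checklist, and each reported line names the missing permit or the field in the epm session that does not match.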