04-08-2013 06:43 PM - edited 03-10-2019 08:17 PM
I have an issue that I need help on. This has to do with wired 802.1x, NOT wireless.
I have a network with Windows 2008 R2 Active Directory servers and ISE version 1.1.2 patch 5. The ISE is
integrated with Active Directory without any issues. The supplicant is the native Windows 7 Enterprise 64-bit supplicant.
I've configured the Windows 7 supplicant for "User or Machine authentication". In the ISE authentication rule, I
configured ISE for 802.1x with the Active Directory store called CCIESEC. In the authorization rule, I've
configured 802.1x and "Was Machine Authenticated equals True". I also have another rule that states "machine
authenticated begins with "/host"". That will permit access. The default rule is "deny access".
I've also set the Machine Access Restriction (MAR) to 1 hour for testing purposes. After one hour, the
machine must be rebooted or it will not have access to the network. I've set up "closed" mode (aka high-
impact mode). Everything is working almost as expected.
Here is what I would like to do:
1- The user connects the Windows 7 machine to the network. When the CTRL-ALT-DELETE screen appears, the machine will be
machine authenticated. When the user types in the Active Directory password, it will be "user authenticated".
This is working now.
2- After 1 hour, the MAR expires, meaning that the machine will no longer have network access. When the user types in the username/password, I want the browser to pop up and redirect the user to an HTML portal saying something like "this machine will need to be rebooted in order to have network connectivity restored".
How would I go about doing this in step 2? Please help with detailed steps.
Thanks in advance.
04-10-2013 10:44 AM
Please check the following:
1.) Please check that the two Cisco av-pairs configured on the authorization profile exactly match the example below. (Note: do not replace the "ip" with the actual Cisco ISE IP address.)
– url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
– url-redirect-acl=ACL-WEBAUTH-REDIRECT (please ensure that this ACL is also defined on the access switch)
2.) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command with the IP address assigned to the machine by the DHCP server.
i.e.
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3.) Also make sure that the pre-posture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> for URL redirect
permit tcp any host 80.0.80.2 eq www --> provides access to the portal over HTTP
permit tcp any host 80.0.80.2 eq 8443 --> for the guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> for posture communication between the NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> for posture communication between the NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> for posture communication between the NAC agent and ISE (Swiss ports)
deny ip any any
4.) Please also ensure that the above URL redirect has the proper Cisco ISE FQDN.
As per your confirmation, I am going to close the case for this specific inquiry. We strive to provide you with excellent service. Please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We value your input and look forward to serving you moving forward.
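The reply above says the url-redirect-acl must also be defined on the access switch but does not show it. What follows is an added example, not configuration posted by anyone in this thread: a Cisco IOS switch-side ACL-WEBAUTH-REDIRECT together with the AAA, device-tracking and access-port settings the redirect relies on. The ISE node address 80.0.80.2 is taken from the DACL in the reply; the VLAN number, interface name and RADIUS shared secret placeholder are assumptions. The point a practitioner most often trips over is in the comments: on IOS a redirect ACL is a match list, not a filter. "permit" entries are the traffic that gets intercepted and sent to the portal URL, "deny" entries are left alone, and the DACL pushed by ISE (the one in step 3 above) is what actually decides which traffic is allowed through at all.

```cisco
! Added example (not from the thread). Redirect ACL semantics on IOS:
!   permit = intercept this traffic and redirect it to the url-redirect URL
!   deny   = do not redirect (traffic is still subject to the dACL)
! 80.0.80.2 is the ISE node from the reply's DACL; other values are assumed.
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark never redirect DHCP, DNS, or anything destined to the ISE node itself
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 80.0.80.2
 remark intercept the user's web browsing so the portal page appears
 permit tcp any any eq www
 permit tcp any any eq 443
!
! The switch terminates the intercepted HTTP/HTTPS session, so its own
! web server must be enabled or no redirect is ever sent.
ip http server
ip http secure-server
!
! AAA so the switch accepts the url-redirect, url-redirect-acl and dACL av-pairs
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! RADIUS server is the ISE node; replace the placeholder secret with the real one
radius-server host 80.0.80.2 auth-port 1812 acct-port 1813 key <radius-shared-secret>
radius-server vsa send authentication
radius-server vsa send accounting
! Framed-IP-Address in the Access-Request lets ISE apply the dACL correctly
radius-server attribute 8 include-in-access-req
! IP device tracking learns the endpoint's DHCP address, which is what
! "show epm session ip <address>" is keyed on
ip device tracking
!
! Access port in closed mode, as in the question: there is deliberately no
! "authentication open", so nothing passes until ISE authorizes the session.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After the port authorizes, "show authentication sessions interface GigabitEthernet1/0/1" and "show epm session ip <dhcp-address>" should list both the URL Redirect ACL name and the full gateway URL exactly as in step 2 of the reply. If the redirect ACL name or the URL is missing there, the switch never received the av-pairs and the problem is on the ISE authorization profile or the RADIUS VSA settings, not in the browser. Note also that the redirect ACL above only selects what is intercepted; the DACL from step 3 must still permit TCP 443 and 8443 to 80.0.80.2, otherwise the browser is redirected to a portal it cannot reach.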