ISE posture ACL



Hi 

I am configuring wired posture with web redirect and everything looks good. The endpoints even got the URL ACL, but there is still access to Cisco ISE, which I denied in the URL ACL. Then I found it was also taking the default permit ACL in the switch, so when I denied ip any any it fixed the ISE access, but still no redirect happens and the PC is also not able to get an IP.

So my question is: do I have to add some lines in the default ACL to permit some ports and hosts? If so, could you please mention them, to fix web redirection.

 

Thanks in advance 


@Turki.A.Baqatada you use a Redirection ACL for Client Provisioning, Central Web Authentication, and Posture Discovery, and a DACL is used to limit network access to only the required resources and is applied only to non-redirected traffic.

https://community.cisco.com/t5/security-knowledge-base/configuring-posture-services-with-the-cisco-identity-services/ta-p/3154278

 

Thanks @Rob Ingram I will try this

The redirect ACL needs to be:

Deny from and to the ISE IP

Permit ip any any at the end

MHM

ammahend
VIP Alumni

"no redirect happens and also pc not able to get an ip"
You cannot expect a redirect without an IP on the PC, so fix the DHCP issue first, then DNS (essential for the redirect to work, unless you are using a static IP for the redirect URL), and follow the ACL in the link referred to by Rob.

-hope this helps-

Thanks @ammahend, yes I know that, and I am asking what is the best DACL that will fix the issue, because it is working with the default ACL which permits any any and the redirect happens. I tried to fix it with a deny and got another issue where no IP is assigned.

Actually I have 2 ACLs that need to be configured:

1- ACL configured in the switch that allows access to ISE to authenticate

2- URL ACL in which I deny access to ISE and permit 80 and 443

If that's right, what lines should both ACLs contain?

Most engineers get confused here.

There are indeed two ACLs:

Pre-auth ACL:

Allow traffic to DHCP/DNS and HTTPS to ISE

Redirect ACL (this is not a real ACL, but it is used to inform the switch: if you see this traffic, redirect it to ISE):

Deny traffic to ISE

Permit any any HTTPS/HTTP

MHM
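To make the two ACLs MHM describes above (and in the earlier "deny from and to ISE, permit at the end" reply) concrete, here is an added example of how they would look on a Cisco IOS access switch doing wired posture with URL redirect. This is not configuration posted by anyone in the thread or taken from the Cisco guide; the ISE PSN address 10.10.10.5, the ACL names and the interface are placeholders to replace with your own. Two points matter for the original poster's symptoms: in an IOS redirect ACL a permit entry means "redirect this flow" and a deny entry means "leave it alone", and the DACL is evaluated before redirection, so DHCP, DNS, ISE and the web ports must be permitted in the DACL or the client never gets an address and the redirect ACL never sees the web traffic.

```cisco
! ---- Redirect ACL: configured on the switch and referenced by name in the
! ---- ISE authorization profile (Web Redirection > Posture / Client Provisioning).
! ---- permit = send this flow to the ISE portal, deny = do NOT redirect.
! ---- 10.10.10.5 is a placeholder for the ISE PSN.
ip access-list extended ACL-POSTURE-REDIRECT
 remark never redirect the infrastructure the client needs before the portal
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 remark never redirect traffic to or from ISE itself (portal listens on TCP 8443)
 deny   ip any host 10.10.10.5
 deny   ip host 10.10.10.5 any
 remark everything else on the web ports is intercepted and redirected
 permit tcp any any eq www
 permit tcp any any eq 443

! ---- Pre-posture DACL: defined in ISE (Policy Elements > Results > Downloadable
! ---- ACLs) and pushed to the port with the authorization profile. Same ACE
! ---- syntax, but without the "ip access-list extended" header line.
! ---- It governs the traffic the redirect ACL did not intercept.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 10.10.10.5
remark web must be permitted here or the DACL drops it before redirection
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any any

! ---- Verification after the client authenticates (placeholder interface)
show authentication sessions interface GigabitEthernet1/0/1 details
show ip access-lists ACL-POSTURE-REDIRECT
```

In the session details output, check that both the URL redirect ACL name and the downloaded ACL (xACSACLx-IP-...) appear on the session; if the DACL is present but the redirect ACL is not, the switch will enforce the DACL yet never redirect, which matches the "access is limited but no portal appears" behaviour described in the first post. Hit counters on the redirect ACL's permit lines confirm that client web traffic is actually being intercepted.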

@Turki.A.Baqatada the following screenshot is from the Cisco guides; it is a good illustration of the configuration of the redirect ACL and the DACL.

[Screenshot: RobIngram_0-1753784664569.png]

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html