ISE Posture - Automatic Redirection to Client Provisioning Portal

Danny Dulin
Level 1

When I connect to my VPN headend (FTD 7.2.9) I make it through authentication and authorization. ISE recognizes my host as "Posture Unknown", but no browser pops up automatically with the Client Provisioning Portal. If I open a browser and navigate to an http site, redirection works.

The redirect ACL name is exactly the same on the FTD and in the ISE Authorization Policy.

The redirection ACL denies DNS, DHCP and ISE from redirection and permits all else.

Packet capture shows the host never attempts to access an http site over my VPN tunnel, which I suppose is the reason the automatic redirect doesn't work.

I have seen more than one video that demonstrates the browser automatically launching after the VPN connection is established.

Any help will be greatly appreciated.

5 Replies

smilic
Level 1

I used an OnConnect script (it needs to be enabled in the AnyConnect profile to work) that opens http://enroll.cisco.com; IP 72.163.1.80 is configured in the split tunnel ACL, and the redirect ACL catches it. But I used this only for external partners and the temporary agent. For employees it's better if you preprovision the ISEPosture.cfg file and the ISE posture agent, and configure the ISE hosts in the cfg file; then the posture client knows where the ISE hosts are and can connect to them without browser redirection.
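A small checker for the prerequisite smilic describes (scripting enabled in the AnyConnect VPN profile and an OnConnect* script present in the client's Script directory), added here as an example and not code from this thread or from Cisco. It assumes the profile's default XML namespace, the ClientInitialization/EnableScripting element as written by the profile editor, and the Windows Script directory path noted in the comments.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: AnyConnect VPN profiles use this default namespace, and scripting is
# controlled by <ClientInitialization><EnableScripting>true</EnableScripting>.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Assumption: default Windows location where AnyConnect looks for OnConnect*/OnDisconnect* scripts.
WINDOWS_SCRIPT_DIR = r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script"


def scripting_enabled(profile_xml: str) -> bool:
    """True when the profile's EnableScripting element is set to 'true'."""
    root = ET.fromstring(profile_xml)
    node = root.find("ac:ClientInitialization/ac:EnableScripting", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def onconnect_scripts(script_dir: str) -> list[str]:
    """Names of files in the Script directory that AnyConnect would run on connect."""
    if not os.path.isdir(script_dir):
        return []
    return sorted(f for f in os.listdir(script_dir) if f.startswith("OnConnect"))


def check_onconnect_setup(profile_xml: str, script_dir: str) -> list[str]:
    """Return the list of missing prerequisites; an empty list means both are in place."""
    problems = []
    if not scripting_enabled(profile_xml):
        problems.append("EnableScripting is not true in the VPN profile")
    if not onconnect_scripts(script_dir):
        problems.append(f"no OnConnect* script found in {script_dir}")
    return problems


# Constructed sample profile fragment, not taken from any real deployment.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""


def demo() -> tuple[list[str], list[str]]:
    """Run the check on an empty temp dir, then again after dropping in a constructed OnConnect script."""
    with tempfile.TemporaryDirectory() as d:
        before = check_onconnect_setup(SAMPLE_PROFILE, d)
        with open(os.path.join(d, "OnConnect_enroll.bat"), "w") as fh:
            fh.write("start http://enroll.cisco.com\r\n")  # illustrative, as in the reply above
        return before, check_onconnect_setup(SAMPLE_PROFILE, d)


if __name__ == "__main__":
    print(demo())  # second list is empty once the script exists
```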


Have you looked at redirectionless posture instead? Also why 7.2.9 and not something newer?

No, I haven't looked at redirectionless posture.

7.2.9 because we still have Firepower 4110's that are incompatible with anything above 7.2. Moving away from these in the future.

Got it, I would highly recommend looking at redirectionless posture instead. It's a much better user experience.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/firepower-4110-series-security-appliances-eol.html

Check posture on the client side.

MHM