
ISE Posture Pending

Wesoley
Level 1

Hello,

I am newly configuring and testing Posturing/Client Provisioning on ISE. I configured Client_Provisioning Policy with a Posture_Policy.

The redirection is being pushed to the switch but when the client opens a webpage they are not redirected to the ISE page.

See configs below.

SW#show authentication sessions interface g1/0/44
            Interface:  GigabitEthernet1/0/44
          MAC Address:  00b5.6d00.6fc3
           IP Address:  10.128.32.58
            User-Name:  username
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
     URL Redirect ACL:  TAC-Redirect
         URL Redirect:  https://10.128.1.20:8443/portal/gateway?sessionId=0A80041C00000A053AFFCBAC&portal=a2eef740-7e54-11e4-9ebe-005056bf01c7&action=cpp&token=4d8ad888c678873e7f8455b036b804c5
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A80041C00000A053AFFCBAC
      Acct Session ID:  0x00000AF8
               Handle:  0x9F000A06

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Extended IP access list TAC-Redirect
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.128.1.20
    40 deny ip any host 10.129.1.20
    50 permit tcp any any eq www
    60 permit tcp any any eq 443
    70 permit tcp any any eq 8443

The dynamic ACL xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc is a permit ip any any.

Any help would be greatly appreciated.

5 Replies

saifnetzone
Level 1

Hello,

Kindly access any local web server on your LAN. Most probably you will be redirected.

Saifnetzone,

I will try that this morning. I have always been trying to access a public URL. However, I was doing a debug yesterday and look at what I was getting.

http://pastebin.com/4b5gGjR4

ISE Version 2.1

I will try it and let you know. What version of ISE are you running?

What ACL do you have for your DACL?

It somehow seemed to be a routing issue. The customer is doing routing for all VLANs on the core switch but not the one we were testing with. The setup is like this - access switch---->core switch. The default gw of the access switch is the core switch. The core switch has SVIs for all of the other VLANs but not the one we were testing with. Routing for that VLAN is done on the firewall. So I moved the user to another VLAN on the access switch and got the redirection page :) Thanks for your assistance.
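
Added example, not part of any post in this thread: a small first-match evaluator for the TAC-Redirect ACL shown in the question, assuming the usual IOS redirect-ACL convention in which a permit entry selects traffic for redirection and a deny entry lets it be forwarded normally. The destination 203.0.113.10 in the usage line is a constructed stand-in for a public web server.

```python
import ipaddress

# ACL from the original post, sequence numbers dropped.
TAC_REDIRECT = """\
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host 10.128.1.20
deny ip any host 10.129.1.20
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
"""
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; None means wildcard."""
    if tok.pop(0) == "any":
        return None
    return ipaddress.ip_address(tok.pop(0))

def _port(tok):
    """Consume an optional 'eq <port>'; None means wildcard."""
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        return PORTS[name] if name in PORTS else int(name)
    return None

def parse(text):
    """Return [(action, (proto, src, sport, dst, dport)), ...]."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        match = (None if proto == "ip" else proto,
                 _addr(tok), _port(tok), _addr(tok), _port(tok))
        rules.append((action, match))
    return rules

def redirected(rules, proto, src, sport, dst, dport):
    """First-match evaluation: permit = redirect, deny/no match = forward."""
    flow = (proto, ipaddress.ip_address(src), sport,
            ipaddress.ip_address(dst), dport)
    for action, match in rules:
        if all(want is None or want == got for want, got in zip(match, flow)):
            return action == "permit"
    return False  # implicit deny: traffic is not redirected

RULES = parse(TAC_REDIRECT)
# Constructed flow: client from the post browsing a public site over HTTP.
print(redirected(RULES, "tcp", "10.128.32.58", 50000, "203.0.113.10", 80))
```

Under that assumption the ACL selects the client's HTTP request for redirection, while DHCP, DNS and anything addressed to 10.128.1.20 or 10.129.1.20 bypass it, so the ACL by itself does not explain a missing redirect.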