
ISE posture redirect not working

grant.maynard
Level 4

ISE v1.1.0.665, 3395 h/w.

Single Admin/Monitor/Policy node.

WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M

For Client Provisioning I created an authorisation policy as follows:

download acl "ACL-POSTURE-REMEDIATION"

apply url redirect "ACL-POSTURE-REDIRECT".

"Debug radius" shows all this is downloaded to the switch but:

- Redirect does not work.

- dACL is not applied if the URL redirect is also configured.

Wireshark on the client shows no redirect.

Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.

I've also attached screenshots of these policies and Wireshark.

1 Reply 1

Tarik Admani
VIP Alumni

Grant,

It looks like you are changing the VLAN after your client gets an IP address. It seems like the client gets an IP address of 192.168.16.164 and you are changing the VLAN over to 516. I wanted to know if there isn't an IP-to-VLAN mismatch before you move forward. If 516 is the quarantine VLAN, you may want to start all clients on that VLAN and use dynamic VLAN assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal or the NAC agent to change the IP address once the VLAN is changed.

Thanks,

Tarik Admani