1093 Views | 5 Helpful | 4 Replies

Ise reauthentication after antivirus check

Rovshan91 (Level 1)

Hello everybody. I have an interesting problem. I have a rule on my Cisco ISE that sends you to the portal and checks whether AnyConnect and antivirus are on your PC; after that, it gives you your VLAN.

I have the same config on 2 different switches:

C9200-48T          16.12.3a     CAT9K_LITE_IOSXE
WS-C2960L-48TS-LL  15.2(7)E3    C2960L-UNIVERSALK9-M

and unfortunately it works on the second one (2960 Lite) but didn't work on the C9200.

The only thing that I found strange is that the C9200 didn't automatically create the ACL (Auth-Default-ACL-OPEN), but it must do so for reauth to work (the 2960L also does this):

 

Extended IP access list Auth-Default-ACL-OPEN
10 permit ip any any


Config example:

ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
10 deny udp any any eq domain
20 deny tcp any any eq domain
30 deny udp any eq bootps any
40 deny udp any any eq bootpc
50 deny udp any eq bootpc any
60 deny tcp any any eq 8443
70 deny udp any any eq 8443
80 permit tcp any any eq domain
90 permit tcp any any eq www

authentication command bounce-port ignore
authentication command disable-port ignore

aaa server radius dynamic-author
client *.*.*.*
server-key xxxxxxxxxxx
auth-type all
ignore session-key
ignore server-key

The only thing that I found
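An added example, not code from the post or from Cisco: it applies the redirect ACL posted above to a few constructed flows, using the assumed URL-redirect semantics where a "permit" match is sent to the ISE portal and a "deny" match (or no match at all) bypasses redirection.

```python
import re
# Constructed copy of the redirect ACL posted above. URL-redirect semantics (assumed
# here): a "permit" match is sent to the ISE portal, a "deny" match bypasses redirection.
CWA_REDIRECT_ACL = """
10 deny udp any any eq domain
20 deny tcp any any eq domain
30 deny udp any eq bootps any
40 deny udp any any eq bootpc
50 deny udp any eq bootpc any
60 deny tcp any any eq 8443
70 deny udp any any eq 8443
80 permit tcp any any eq domain
90 permit tcp any any eq www
"""

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

# Only the "<seq> <action> <proto> any [eq p] any [eq p]" forms used above are handled.
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"any(?:\s+eq\s+(?P<sport>\S+))?\s+any(?:\s+eq\s+(?P<dport>\S+))?$"
)

def _port(token):
    return None if token is None else PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_acl(text):
    """Parse the ACEs into dicts, preserving order (first match wins)."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append({"seq": int(m["seq"]), "action": m["action"], "proto": m["proto"],
                     "sport": _port(m["sport"]), "dport": _port(m["dport"])})
    return aces

def redirect_decision(aces, proto, sport, dport):
    """Return (redirected, matching_seq) for a flow; implicit deny means no redirect."""
    for ace in aces:
        if ace["proto"] != proto:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit", ace["seq"]
    return False, None

ACES = parse_acl(CWA_REDIRECT_ACL)
```

Running a TCP/53 flow through it returns seq 20, which shows that the later permit at seq 80 in the posted ACL can never match because the earlier deny shadows it.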

 

4 Replies

I don't believe you would need that ACL to get this to work; I think in this case the CoA would be the key factor to trigger the reauthentication. Probably the 9200 switch is not configured correctly for the CoA? Or maybe it has some wrong CoA configs on ISE?

Without this ACL 90% of the traffic is blocked, plus the same config works on the WS-C2960L-48TS-LL; the only difference is this ACL.

Are there any other ACLs applied to the switch ports by default?

No, and this one must also be created automatically when authentication starts.