ISE wireless CPP with redirect exclusions, possible?

bigslacker666
Level 1

Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.

On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.

All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.

Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

Accepted Solution
Sorry I had some personal issues to deal with and just got a chance to follow up on this. First of all, good job on figuring it out and posting the findings back here! (+5) from me for that!

To answer your questions:

#1. You are 100% correct about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc.

#2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.

Hope this helps. If your issues are resolved please mark the thread as "answered".

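As an added example that is not part of the thread, here is the same remediation exclusion written for both platforms, side by side, to make the inverted action semantics from point #1 concrete. The ACL name and the remediation server address 203.0.113.10 are constructed placeholders; the AireOS command forms are given as an assumed equivalent of what the WLC GUI produces and should be checked against the controller in use.

```cisco
! --- Switch (IOS) redirect ACL, referenced by name from the ISE authorization profile ---
! On the switch: "permit" = send this traffic to the CPP redirect,
!                "deny"   = do NOT redirect it (so the remediation site stays reachable).
ip access-list extended ACL-POSTURE-REDIRECT
 remark constructed example: 203.0.113.10 stands in for an AV / update server
 deny   tcp any host 203.0.113.10 eq www
 deny   tcp any host 203.0.113.10 eq 443
 remark all other web traffic is redirected to the client provisioning portal
 permit tcp any any eq www
 permit tcp any any eq 443

! --- WLC (AireOS) named ACL, must exist on the WLC under the SAME name ISE references ---
! On the WLC: "permit" = excluded from the redirect (reachable),
!             "deny"   = redirected to the CPP. The implicit deny at the end
!             therefore means "everything else is redirected".
config acl create ACL-POSTURE-REDIRECT
config acl rule add ACL-POSTURE-REDIRECT 1
config acl rule action ACL-POSTURE-REDIRECT 1 permit
config acl rule protocol ACL-POSTURE-REDIRECT 1 6
config acl rule destination address ACL-POSTURE-REDIRECT 1 203.0.113.10 255.255.255.255
config acl rule destination port range ACL-POSTURE-REDIRECT 1 80 80
config acl rule add ACL-POSTURE-REDIRECT 2
config acl rule action ACL-POSTURE-REDIRECT 2 permit
config acl rule protocol ACL-POSTURE-REDIRECT 2 6
config acl rule destination address ACL-POSTURE-REDIRECT 2 203.0.113.10 255.255.255.255
config acl rule destination port range ACL-POSTURE-REDIRECT 2 443 443
config acl apply ACL-POSTURE-REDIRECT
```

Note that the two lists look almost inverted on paper yet produce the same result: the remediation host is reachable and every other web request is redirected. Reusing a switch-style list on the WLC without flipping the actions would redirect the remediation host and exempt everything else from posture.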

4 Replies

nspasov
Cisco Employee

With version 7.2 and above you can. You can check the BYOD design guides for detailed instructions:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html

With version 7.0 WebAuth+Posture is not possible.


Maybe I'm thick, but I don't see where in that doc there is a way to exclude a remediation website from the url redirect. Could you give some kind of reference as to what you're describing? I looked near figure 77 and 78 which only describes CWA (similar) but nothing about an exclusion of the redirect in the ACL.

bigslacker666
Level 1

So to answer my own Q here, the ACL you enter under the webauth->posture section in the authorization profile is what controls this. Although it's not mentioned in the docs anywhere that I've found, anything with a permit statement is excluded from the redirect.

My issue was that my vWLC would only accept airespace ACLs. I'm not sure if that's a bug or if there is just something wrong/corrupt with my vWLC specifically. In any case, problem solved and hopefully this will show up on any searches someone else may have on this issue.
