02-15-2013 10:17 AM - edited 03-10-2019 08:05 PM
Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.
Solved! Go to Solution.
02-22-2013 11:56 AM
Sorry I had some personal issues to deal with and just got a chance to follow up on this. First of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
To answer your questions:
#1. You are 100% correct about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc.
#2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
Hope this helps. If your issues are resolved please mark the thread as "answered".
Thank you for rating!
02-15-2013 08:23 PM
With version 7.2 and above you can. You can check the BYOD design guides for detailed instructions:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
With version 7.0 WebAuth+Posture is not possible.
Thank you for rating helpful answers!
02-16-2013 03:43 PM
Maybe I'm thick, but I don't see where in that doc there is a way to exclude a remediation website from the URL redirect. Could you give some kind of reference as to what you're describing? I looked near figures 77 and 78, which only describe CWA (similar) but nothing about an exclusion of the redirect in the ACL.
02-21-2013 09:40 AM
So to answer my own Q here, the ACL you enter under the webauth->posture section in the authorization profile is what controls this. Although it's not mentioned in the docs anywhere that I've found, anything with a permit statement is excluded from the redirect.
My issue was that my vWLC would only accept airespace ACLs. I'm not sure if that's a bug or if there is just something wrong/corrupt with my vWLC specifically. In any case, problem solved and hopefully this will show up on any searches someone else may have on this issue.
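The two posts above describe the same outcome (remediation hosts reachable, everything else redirected to the CPP) expressed with inverted ACL semantics: on the switch a "deny" line excludes a host from the redirect, on the WLC a "permit" line does. The following is an added example, not code from the thread or from Cisco, that models those two rule semantics so a redirect ACL can be sanity-checked before it is pushed. It uses a constructed, simplified ACL syntax (no ports or wildcard masks) and constructed addresses: 10.10.0.10 stands for a remediation server, 10.10.0.20 for the ISE PSN hosting the portal, 198.51.100.7 for an arbitrary external site, and 10.20.0.5 for the client.

```python
import ipaddress

# Constructed, simplified ACL syntax used only for this illustration; it is NOT
# full IOS or WLC syntax (no ports, no wildcard masks):
#   <permit|deny> <proto> <src> <dst>    src/dst = any | host A.B.C.D | A.B.C.D/len
# Text after "!" is treated as a comment.


def _parse_addr(tokens, i):
    """Parse one address field starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net) tuples in ACL order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACL line: {raw!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def first_match(acl, src_ip, dst_ip):
    """Action of the first matching entry, or None for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in acl:
        if s in src and d in dst:
            return action
    return None


def switch_redirects(acl, src_ip, dst_ip):
    """IOS redirect ACL: permit = redirect to the portal, deny (or no match) = leave alone."""
    return first_match(acl, src_ip, dst_ip) == "permit"


def wlc_redirects(acl, src_ip, dst_ip):
    """WLC pre-auth ACL: permit = pass through, deny (or no match) = redirect to the portal."""
    return first_match(acl, src_ip, dst_ip) != "permit"


def compare(switch_acl_text, wlc_acl_text, client_ip, destinations):
    """Map each destination to (switch_decision, wlc_decision); True means 'redirected'."""
    switch_acl = parse_acl(switch_acl_text)
    wlc_acl = parse_acl(wlc_acl_text)
    return {
        dst: (switch_redirects(switch_acl, client_ip, dst),
              wlc_redirects(wlc_acl, client_ip, dst))
        for dst in destinations
    }


# Constructed sample addresses: 10.10.0.10 = remediation/AV update server,
# 10.10.0.20 = ISE PSN hosting the client provisioning portal,
# 198.51.100.7 = an arbitrary external web site, 10.20.0.5 = the client.
SWITCH_ACL = """
deny   ip  any host 10.10.0.10   ! remediation server: do not redirect
deny   ip  any host 10.10.0.20   ! ISE PSN (the portal itself)
permit tcp any any               ! everything else: redirect to the CPP
"""

WLC_ACL = """
permit ip any host 10.10.0.10    ! remediation server: excluded from the redirect
permit ip any host 10.10.0.20    ! ISE PSN
deny   ip any any                ! everything else: redirect to the CPP
"""

DESTINATIONS = ["10.10.0.10", "10.10.0.20", "198.51.100.7"]

if __name__ == "__main__":
    for dst, (sw, wlc) in compare(SWITCH_ACL, WLC_ACL, "10.20.0.5", DESTINATIONS).items():
        print(f"{dst:>14}: switch redirects={sw}  wlc redirects={wlc}")
    # Copying the switch ACL onto the WLC unchanged flips the meaning: the
    # remediation server is now redirected and the NAC Agent remediation links break.
    print("switch ACL applied on WLC, remediation host redirected:",
          wlc_redirects(parse_acl(SWITCH_ACL), "10.20.0.5", "10.10.0.10"))
```

The last line of the script reproduces the symptom from the original question: pasting the switch-style ACL onto the WLC turns the remediation exclusions into redirects. Whatever name the WLC ACL ends up with, the authorization profile on ISE has to reference that exact name, since the WLC only honours a named ACL that already exists on it.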