7063 Views, 5 Helpful, 10 Replies

No URL redirect via ASA

Tmsna
Level 1

Hello,

 

I'm configuring ISE to perform posture over wired and VPN. Over wired the redirect is working (even if the browser doesn't load the page), but on VPN I'm not redirected to ISE. The client is still able to find the policy servers using the connectiondata.xml file (downloaded automatically from ISE), but I think it might stop working at any moment.

 

This is the ACL on the ASA:

access-list redirect extended deny ip any host (AV)

access-list redirect extended permit tcp any any eq 80

access-list redirect extended permit tcp any any eq 443

 

And on ISE I have this:

DACL = ACL-Posture-remediation

cisco-av-pair = url-redirect-acl=redirect

cisco-av-pair = url-redirect=https://ip:port/portal/... =cpp (client provisioning portal)

 

This is the same configuration I have for the switch.

 

Can someone assist, please?

 

Regards,

Albert

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Please ensure a valid DiscoveryHost is configured in the ISE Posture profile and deployed on the ASA, because enroll.cisco.com and the default gateway often do not work for URL redirects in the VPN use case. Below are some example configurations:

myASAv# more ISEPostureCFG.xml
<?xml version="1.0" encoding="UTF-8"?>
<cfg
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='http://www.cisco.com/nac/agent/config-1.0'
xsi:schemaLocation='http://www.cisco.com/nac/agent/config-1.0 ISEPostureCFG.xsd'>
<configName>ISEPostureCFG_acprof353783742459450790.xml</configName>
<NacAnyConnectDrpDown>AnyConnectAgent</NacAnyConnectDrpDown>
<OperateOnNonDot1XWireless>0</OperateOnNonDot1XWireless>
<BackOffTimerLimit>30</BackOffTimerLimit>
<LogTrace>0</LogTrace>
<RemediationTimer>4</RemediationTimer>
<DhcpRenewDelay>1</DhcpRenewDelay>
<CallHomeList>myISE.demo.local:8443</CallHomeList>
<LogFileSize>5</LogFileSize>
<PRARetransmissionTime>120</PRARetransmissionTime>
<EnableAgentIpRefresh>1</EnableAgentIpRefresh>
<NetworkTransitionDelay>3</NetworkTransitionDelay>
<PingArp>0</PingArp>
<PingMaxTimeout>1</PingMaxTimeout>
<DhcpReleaseDelay>4</DhcpReleaseDelay>
<StealthWithNotification>0</StealthWithNotification>
<SignatureCheck>0</SignatureCheck>
<DiscoveryHost>10.1.100.10</DiscoveryHost>
<StealthMode>0</StealthMode>
<EnableRescanButton>1</EnableRescanButton>
<VlanDetectInterval>0</VlanDetectInterval>
<DisableUAC>0</DisableUAC>
<ServerNameRules>myISE.demo.local</ServerNameRules>
<PeriodicProbing>3</PeriodicProbing>
</cfg>

myASAv# show running-config group-policy
group-policy DfltGrpPolicy attributes
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value demo.local
webvpn
anyconnect modules value dart,iseposture
anyconnect profiles value ise-vpn-lab type user
anyconnect profiles value ISEPosture1 type iseposture
myASAv#
myASAv# show run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2 regex "Linux"
anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3 regex "Intel Mac OS X"
anyconnect profiles ISEPosture1 disk0:/ISEPostureCFG.xml
anyconnect profiles ise-vpn-lab disk0:/ise-vpn-lab.xml
anyconnect enable
cache
disable
error-recovery disable
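As an added example (not from this thread and not Cisco code), the check below parses an AnyConnect ISE Posture profile in the format shown above and lints the ASA redirect ACL from the question, flagging the two things this thread turns on: a missing or unreliable DiscoveryHost, and `permit ip ... eq 80` entries, which the ASA rejects because port operators only apply to tcp/udp. The XML namespace is the one in hslai's profile; the sample profile, the ACL lines and the `192.0.2.10` antivirus-server address are constructed for the example.

```python
"""Sanity-check an ISE Posture profile and an ASA redirect ACL before deploying.
Added example modelled on the thread's ISEPostureCFG.xml; not Cisco's own tooling."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespace taken from the profile shown in the thread.
NS = {"c": "http://www.cisco.com/nac/agent/config-1.0"}

# Constructed sample profile (subset of the fields in hslai's ISEPostureCFG.xml).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<cfg xmlns='http://www.cisco.com/nac/agent/config-1.0'>
<CallHomeList>myISE.demo.local:8443</CallHomeList>
<DiscoveryHost>10.1.100.10</DiscoveryHost>
<ServerNameRules>myISE.demo.local</ServerNameRules>
</cfg>"""

# Constructed ACL lines; 192.0.2.10 stands in for the "(AV)" host in the question.
SAMPLE_ACL = [
    "access-list redirect extended deny ip any host 192.0.2.10",
    "access-list redirect extended permit ip any any eq 80",
    "access-list redirect extended permit tcp any any eq 443",
    "access-list other extended permit ip any any",
]

def _text(root: ET.Element, tag: str) -> str:
    return (root.findtext(f"c:{tag}", default="", namespaces=NS) or "").strip()

def check_posture_profile(xml_text: str) -> list[str]:
    """Return findings for the posture profile; an empty list means it passes."""
    findings = []
    root = ET.fromstring(xml_text)
    host = _text(root, "DiscoveryHost")
    if not host:
        findings.append("DiscoveryHost missing: VPN clients fall back to "
                        "enroll.cisco.com / default gateway, which is unreliable over VPN")
    elif host.lower() == "enroll.cisco.com":
        findings.append("DiscoveryHost is enroll.cisco.com; point it at a PSN instead")
    else:
        try:
            ipaddress.ip_address(host)          # an IP address is fine
        except ValueError:
            # A hostname is also fine, as long as it looks like one.
            if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
                findings.append(f"DiscoveryHost {host!r} is neither an IP nor a hostname")
    if not _text(root, "CallHomeList"):
        findings.append("CallHomeList missing: agent has no PSN list to fall back to")
    if not _text(root, "ServerNameRules"):
        findings.append("ServerNameRules missing: agent will trust any PSN name")
    return findings

# access-list <name> extended <permit|deny> <proto> <rest of the ACE>
ACE = re.compile(r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)")

def check_redirect_acl(lines: list[str], acl_name: str) -> list[str]:
    """Lint the ACEs of the named redirect ACL; an empty list means no problems found."""
    findings = []
    for raw in lines:
        m = ACE.match(raw.strip())
        if not m or m.group(1) != acl_name:
            continue                            # other ACLs are not our concern
        action, proto, rest = m.group(2), m.group(3), m.group(4)
        if proto == "ip" and re.search(r"\beq\b", rest):
            # The ASA only accepts port operators with tcp/udp/sctp.
            findings.append(f"{raw.strip()!r}: a port match needs 'tcp', not 'ip'")
        elif action == "permit" and not re.search(r"\beq (80|443|www|https)\b", rest):
            # Permit entries define what gets redirected; anything beyond web ports
            # sends non-browser traffic into the redirect.
            findings.append(f"{raw.strip()!r}: permit entry is wider than tcp/80 and tcp/443")
    return findings

if __name__ == "__main__":
    for f in check_posture_profile(SAMPLE_PROFILE) + check_redirect_acl(SAMPLE_ACL, "redirect"):
        print("FINDING:", f)
```

Run it against the real `more ISEPostureCFG.xml` output and the ACL section of `show running-config` from the ASA; a clean profile with a PSN IP as DiscoveryHost returns no findings, while the question's `permit ip any any eq 80` line is reported.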


10 Replies

paul
Level 10

Are you doing split tunneling?  If you are doing split tunneling you probably aren't going to catch any of the posture module default calls.  There will be no default gateway port 80 request and your split tunnel ACL probably doesn't include the IP for enroll.cisco.com.  Add the IP for enroll.cisco.com to your split tunnel ACL and see if that helps.

Hi Paul,

I don’t have split tunnel configured.
Can you please clarify the meaning of your sentence when you say that without split tunneling I won’t catch any HTTP traffic?

Albert

Sorry, that was a typo. It was supposed to say "If you are doing...". I corrected the original reply. Check the VPN details for the client from the ASA or ASDM to see if the redirect is being applied.


I can see using the diagnostic tool that it is failing to contact the default gateway or enroll.cisco.com, but I don't understand why.
If I try telnet on port 80, it works.


Like I said pull up ASDM, find the client on the VPN client connection monitoring and click on details. You should see information about the redirect in there. At least verify the ASA is applying the redirect.


Hi Paul,

 

Sorry for my delay.

Today I was able to check ASDM at the same time as a user was logging in.

I can see that there is the redirection on ASDM but still there is no redirection.

 

On wired I see a webpage opening automatically, whereas on VPN nothing happens.

This is also causing issues because some users cannot find the policy server over VPN.

Hi Paul,

 

I think I'm about to find the issue.

When I check the logs on ISE I can see:

Not able to find PPD session for (MAC address)

and in the DART logs I see:

Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'

 

Not sure what the issue is.

Just to describe my deployment: I have two ISE nodes in an HA pair and I'm using these to authenticate, authorize and posture users over VPN and wired.

Do you see any issue with this?

 

