09-10-2021 09:58 AM
I am facing a very frustrating issue with newly imaged machines. Even when they have all the GPOs, when connecting to wired or wireless the redirection to ISE does not happen. Proved this with a Wireshark capture. They get redirected only when on VPN; the connectiondata.xml file gets created and then there are no issues. They get redirected on wired/wireless.
Spent countless hours troubleshooting this, I'm at a loss as to what is happening. All the configurations are correct, ACLs are correct.
What other ways are there to redirect a user to the ISE portal for provisioning besides the dACL/ACL method?
09-10-2021 11:50 AM
Hi @erga ,
If my understanding is correct, you are talking about Posture - from Unknown to Compliant.
In your case it looks like Wired & Wireless reach the Posture status Unknown, but there is no redirection to Posture status Compliant.
If this is your case, please take a look at: ISE Posture Flow in ISE 2.2 Compared to Earlier ISE Versions, and search for "Posture Flow in ISE 2.2".
"...
Step 12. In ISE 2.2, the Posture process is divided into two stages. The first stage contains a set of traditional posture discovery probes to support backward compatibility with deployments which rely on URL Redirect.
...
Step 14. Stage two contains two discovery probes which allow the AC ISE Posture Module to establish a connection to the PSN where the session is authenticated, in environments where redirection is not supported. During stage two all probes are sequential.
..."
Hope this helps!!!
09-10-2021 04:16 PM
09-14-2021 06:05 AM
Things to consider/check:
-What are the differences in policy config between campus (wired/wireless) and VPN? Check Client Provisioning Policies/Posture Policies.
-What are the differences between your authz profiles for VPN and campus?
-I would verify settings in the ISEPostureCFG file.
-Do you have separate radius policies to support the 3 states: unknown, compliant, noncompliant?
-Have you run a DART bundle on a respective client that is failing?
-Lastly, have you looked here for troubleshooting help:
ISE Posture Prescriptive Deployment Guide - Cisco Community
HTH!
09-15-2021 06:13 AM
Thank you for the reply,
The authz profiles are all the same except for specific configurations to support VPN, wired and wireless. Wireless uses an Airespace-ACL; the VPN dACL is different from wired/wireless.
Yes, there are separate policies that support all 3 states.
I created a DART bundle; what I see is that enroll.cisco.com is not reachable, which should not be the case, as it's supposed to redirect the client to the ISE portal. Ran a Wireshark capture and there is no attempt from the client to reach the ISE portal.
The ISEPostureCFG.xml file never gets downloaded on the affected clients. The call home list is configured there.
Once the connectiondata.xml file gets created the redirection starts working.
I have a TAC case open for this as I’m not sure what else to look at.
One thing I haven't tested is uploading the ISEPostureCFG.xml file manually on the client.
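The two-stage discovery flow quoted above (stage one: HTTP probes to /auth/discovery on the default gateway, enroll.cisco.com or a discovery host, expecting a 302 to the ISE client-provisioning portal; stage two: direct connections to the PSNs in the ISEPostureCFG.xml call-home list on port 8905) and the "no attempt to reach the ISE portal" symptom described in the last post can be checked mechanically against a capture. The script below is an added example written for this thread, not code from Cisco or from any poster. It assumes you have already reduced a Wireshark capture to a list of HTTP transactions (host, port, path, response status, Location header); the hostnames, gateway address and session identifier in the sample data are constructed, and the probe targets and ports follow the posture-flow description quoted in the answer above.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class HttpTxn:
    """One HTTP request/response pair as extracted from a capture."""
    host: str                      # Host header or destination name
    port: int                      # destination TCP port
    path: str                      # request path
    status: Optional[int] = None   # response status; None if no response was seen
    location: Optional[str] = None # Location header when the response was a redirect


STAGE1_PATH = "/auth/discovery"    # stage-one probe URL (per the quoted posture flow)
ISE_PORTAL_PORT = 8443             # default ISE client-provisioning portal port
STAGE2_PORT = 8905                 # stage-two direct PSN probe port
FIXED_PROBE_HOST = "enroll.cisco.com"


def classify(t: HttpTxn, gateway: str, discovery_host: Optional[str], call_home: Set[str]) -> str:
    """Label a transaction as a stage-one probe, a stage-two probe, or unrelated traffic."""
    stage1_targets = {FIXED_PROBE_HOST, gateway}
    if discovery_host:
        stage1_targets.add(discovery_host)
    if t.path == STAGE1_PATH and t.port == 80 and t.host in stage1_targets:
        return "stage1"
    if t.port == STAGE2_PORT and t.host in call_home:
        return "stage2"
    return "other"


def is_ise_redirect(t: HttpTxn) -> bool:
    """True when the response is a 302 pointing at an ISE portal gateway URL."""
    if t.status != 302 or not t.location:
        return False
    u = urlparse(t.location)
    return u.scheme == "https" and u.port == ISE_PORTAL_PORT and u.path.startswith("/portal/gateway")


def diagnose(txns: List[HttpTxn], gateway: str, discovery_host: Optional[str], call_home: Set[str]) -> str:
    """Summarise what the capture shows about posture discovery.

    Returns one of:
      "no-probes"         - the posture module never probed at all (agent/config problem on the client)
      "redirect-missing"  - stage-one probes were sent but nothing returned a 302 to the ISE portal,
                            and no stage-two fallback reached a PSN (network-side redirect not happening)
      "ok"                - a redirect to the portal was seen, or stage two reached a call-home PSN
    """
    stage1 = [t for t in txns if classify(t, gateway, discovery_host, call_home) == "stage1"]
    stage2 = [t for t in txns if classify(t, gateway, discovery_host, call_home) == "stage2"]
    redirected = [t for t in stage1 if is_ise_redirect(t)]
    if not stage1 and not stage2:
        return "no-probes"
    if redirected or stage2:
        return "ok"
    return "redirect-missing"


# Constructed sample data (not from a real capture).
GATEWAY = "10.0.0.1"
CALL_HOME = {"ise-psn1.example.test", "ise-psn2.example.test"}
PORTAL = "https://ise-psn1.example.test:8443/portal/gateway?sessionId=0A0000010000001B5F4F3E9A&portal=cpp"

# Affected client: probes go out, enroll.cisco.com gets no answer, gateway returns a plain 200.
CAPTURE_AFFECTED = [
    HttpTxn(FIXED_PROBE_HOST, 80, STAGE1_PATH, status=None),
    HttpTxn(GATEWAY, 80, STAGE1_PATH, status=200),
]

# Working client: the first stage-one probe is intercepted and redirected to the portal.
CAPTURE_WORKING = [
    HttpTxn(GATEWAY, 80, STAGE1_PATH, status=302, location=PORTAL),
]

# Client with a populated call-home list: stage two reaches a PSN directly, no redirect needed.
CAPTURE_STAGE2 = [
    HttpTxn(FIXED_PROBE_HOST, 80, STAGE1_PATH, status=None),
    HttpTxn("ise-psn2.example.test", STAGE2_PORT, "/auth/discovery", status=200),
]

if __name__ == "__main__":
    for name, cap in (("affected", CAPTURE_AFFECTED), ("working", CAPTURE_WORKING), ("stage2", CAPTURE_STAGE2)):
        print(name, "->", diagnose(cap, GATEWAY, None, CALL_HOME))
```

A "redirect-missing" verdict on a wired or wireless client, alongside "ok" on VPN, points at the redirect ACL or authorization profile on the campus side rather than at the agent; "no-probes" means the posture module itself is not running discovery on that interface, which is where a DART bundle is the better tool.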