I am facing a very frustrating issue with newly imaged machines. Even when they have all the GPOs, when connecting to wired or wireless the redirection to ISE does not happen. Proved this with a Wireshark capture. They get redirected only when on VPN; the connectiondata.xml file gets created, then there are no issues. They get redirected on wired/wireless.
Spent countless hours troubleshooting this, I'm at a loss as to what is happening. All the configurations are correct, ACLs are correct.
What other ways are there to redirect a user to the ISE portal for provisioning besides the dACL/ACL method?
Step 12. In ISE 2.2, the Posture process is divided into two stages. The first stage contains a set of traditional posture discovery probes to support backward compatibility with deployments which rely on URL Redirect.
Step 14. Stage two contains two discovery probes which allow the AC ISE Posture Module to establish a connection to the PSN where the session is authenticated in environments where redirection is not supported. During stage two all probes are sequential.
Thank you, I configured the call home list and it's still not working. I'm not in front of the machine to check the content of the ISEPostureCFG file. By looking at the auth details in the switch, the applied URL is correct. From my capture the machine is not attempting to go to the ISE server.
The authz profiles are all the same except for specific configurations to support VPN, wired and wireless. Wireless uses airspace-acl, VPN dacl is different than wired/wireless.
Yes, there are separate policies that support all 3 states.
I created a DART bundle; what I see is that enroll.cisco.com is not reachable – which should not be, it's supposed to redirect the client to the ISE portal. Ran a Wireshark capture and there is no attempt from the client to reach the ISE portal.
The isepostureCFG.xml file never gets downloaded in the affected clients. The call home list is configured there.
Once the connectiondata.xml file gets created the redirection starts working.
I have a TAC case open for this as I’m not sure what else to look at.
One thing I haven’t tested is uploading the isepostureCFG.xml file manually in the client.