Posture redirection behind IP-Phone

jay3
Level 1

I need assistance in getting URL redirection for client provisioning to work when my PC is connected behind an IP-Phone. Redirection is working fine when the PC is connected directly to the switch but somehow, redirection is not even attempted when the PC is connected to a phone. The portal page is perfectly reachable when I copy and paste it to my browser, even when connected to the phone.

5 Replies

Cristian Matei
VIP Alumni

Hi,

Post your switch configuration for AAA, RADIUS and port configuration. What phone do you have? Is authentication/authorization successful for both phone and PC?

 

Regards,

Cristian Matei.

Hi Cristian,

 

Thank you for your response. I tried this with a Cisco IP Phone 7821 & 8945 but still get the same result; authentication and authorization are successful for both the PC and the phone but no redirection. Please find the information you requested attached.

Hi,

 

Per the posted config, it looks like you don't actually enable/enforce authentication on the port. You're missing the following commands at the port level:

authentication port-control auto
dot1x pae authenticator
mab

 

What is the output of command "show access-session interface GigabitEthernet1/0/4 detail" or "show authentication-session interface GigabitEthernet1/0/4"?

 

Use this guide to validate your implementation: https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

Regards,

Cristian Matei.

Hi Cristian, Thanks again for your response. You seem to have mistakenly missed those three commands. If you check again, you can see that I in fact do have those commands at port level. I have gone through the prescriptive deployment a couple of times but still can't identify the challenge. The output for "show authentication sessions interface g1/0/4 details" is exactly the same with and without the phone, but surprisingly, redirection fails to work behind the phone.

Regards,

Hi,

 

Apologies, I'm sure I looked all the way through the attachment; maybe it was not loaded completely. Anyway, it doesn't matter. Can you try to reconfigure your redirect ACL so that only HTTP/HTTPS traffic is being redirected to the switch? Depending on how chatty the host is, the switch's CPU may be flooded with useless data. So remove "permit ip any any", and add "permit tcp any any eq 80, permit tcp any any eq 443".

 

Regards,

Cristian Matei.
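As an added illustration (not configuration posted by either participant in this thread), the following IOS snippet shows the redirect ACL in the "permit ip any any" form the reply above asks to replace, the HTTP/HTTPS-only form it suggests, and the port-level authentication commands the earlier reply lists. The ACL names, the ISE PSN address, the voice VLAN and the host-mode/order/priority lines are assumptions for a phone-plus-PC port, not values taken from the thread.

```ios
! Added example, not from the original thread. ACL names, the ISE address
! and the voice VLAN are placeholders.
!
! Redirect ACL as the thread describes it before the change: "permit" in a
! redirect ACL means "redirect this", so every packet from the endpoint is
! punted to the switch CPU for URL redirection.
ip access-list extended REDIRECT-OLD
 permit ip any any
!
! Redirect ACL after the suggested change. "deny" here means "do not
! redirect": DHCP, DNS and traffic to the ISE PSN pass through untouched and
! only HTTP/HTTPS from the endpoint is intercepted, which keeps the CPU
! load bounded no matter how chatty the host is.
ip access-list extended REDIRECT-POSTURE
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Port-level configuration with the three commands the thread names.
! multi-domain host mode lets the phone (voice domain) and the PC (data
! domain) authenticate as separate sessions behind the same port.
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Verification, as the thread suggests: the data-domain session on this
! port should list the redirect ACL and redirect URL pushed by ISE.
! show access-session interface GigabitEthernet1/0/4 detail
```

The ISE authorization profile must reference the ACL by the name used on the switch (REDIRECT-POSTURE here); if the names differ, the session shows no redirect ACL and the browser is never intercepted even though authentication succeeds.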