
redirect to CPP not coming to pop-up

s_SiD_s
Level 1

ASAv -9.20-3-16
ISE 3.2.0.542 P7

Good day, team!
I have been struggling for 5 days with the redirect to the CPP to install the compliance module, and it ends with nothing...
Tried 3-4 different configs from the official manual and unofficial ones...
The iseposture module downloads and installs during the first connection. The ISEposture folder comes up but is empty, only 2 files: aciseagent.log and DGCacheRecords.xml
The main odd thing is that if I copy the redirect URL from the ISE live logs and paste it into the client's web browser, the portal opens, and after clicking START everything goes the right way...
SSL certs are uploaded to ISE.
Also tried redirection-less... same behavior.
ASA config:

interface GigabitEthernet0/1
 description -=LAN=-
 nameif INSIDE
 security-level 100
 ip address 10.201.213.115 255.255.255.0 
!
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (INSIDE) host 10.201.213.113
 timeout 60
 key SUPER-SERCET-KEY
!
webvpn
 enable OUTSIDE
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/sslvpn/anyconnect-win-4.10.08029-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/sslvpn/anyconnect-macos-4.10.08029-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/sslvpn/anyconnect-linux64-4.10.08029-webdeploy-k9.pkg 3 regex "Linux"
 anyconnect profiles BELLVPNSSL disk0:/sslvpn/sslvpn.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
access-list VPN_USER_SPLIT standard permit 10.201.0.0 255.255.0.0 
!
access-list POSTURE_REDIRECT extended deny udp any any eq domain 
access-list POSTURE_REDIRECT remark ISE1
access-list POSTURE_REDIRECT extended deny ip any host 10.201.213.113
access-list POSTURE_REDIRECT remark ISE2
access-list POSTURE_REDIRECT extended deny ip any host 10.201.213.114
access-list POSTURE_REDIRECT extended permit icmp any any 
access-list POSTURE_REDIRECT extended permit ip any any
!
tunnel-group TG_BELLSSLVPN type remote-access
tunnel-group TG_BELLSSLVPN general-attributes
 address-pool SSLVPN_POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP_BELLSSLVPN
tunnel-group TG_BELLSSLVPN webvpn-attributes
 group-alias BELLSSLVPN enable
!
group-policy GP_BELLSSLVPN internal
group-policy GP_BELLSSLVPN attributes
 dns-server value 10.201.213.2 10.201.223.2
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_USER_SPLIT
 default-domain value bellcompany.com
 address-pools value SSLVPN_POOL
 webvpn
  anyconnect ssl rekey time none
  anyconnect ssl rekey method new-tunnel
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect modules value iseposture
  anyconnect profiles none

 

4 Replies

s_SiD_s
Level 1

Here is the detailed output of the connected client. We see that the redirect is applied... but it is not happening.

s_SiD_s
Level 1

I have given up on the portal redirect and made posturing redirectionless with Call Home in the posture config profile.
On the 1st attempt the ASA pushes 2 profiles, vpn and posture, matched to the POSTURE group-policy on the ASA.

Anyway, the portal is still interesting.

Interesting, I don't see any issue with your config. When you say redirection does not happen, do you mean the session doesn't even try to apply redirection? Or it does, but it fails to open up the redirection page?

What happens if the client navigates to neverssl.com?