Redirection Based Posture
06-13-2020 11:03 AM - edited 06-13-2020 11:21 AM
Hi, I am seeing strange behavior from the AnyConnect Posture Module. I am trying to do a redirection-based posture scan for my clients and it does not work. For some strange reason the client says enroll.cisco.com timed out in the DART logs. I tested that, and I can successfully resolve enroll.cisco.com from the client and access the posture portal manually from the client browser. But the posture module writes "No Policy Server Detected".
It runs with AnyConnect 4.8 and ISE 2.6.
I activated both ip http and ip http secure on the switch.
My Redirect ACL on SW:
deny udp any bootpc any eq bootps
deny udp any any domain
deny ip any host PSN1
deny ip any host PSN2
permit tcp any any eq 80
(I do not see any matches)
From DART bundle:
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target 10.10.10.1.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target ::.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target enroll.cisco.com.
2020/06/11 14:00:29 [Warning] aciseagent Function: ConfigData::loadXMLCfgFile Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\configdata.cpp Line: 46 Level: warn ISEPostureCFG.xml not found, using defaults.
2020/06/11 14:00:29 [Warning] aciseagent Function: SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 750 Level: warn No previously connected headends found.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1227 Level: debug Probing MNT stage targets (#1): Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::probeNextMntTarget Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1456 Level: debug Probing Mnt stage Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery.
Labels: Identity Services Engine (ISE)
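As an added example (not code from the original post, from Cisco, or from the AnyConnect product), here is a small Python parser for the aciseagent DART lines quoted above. It pulls out the "Time out for Redirection target" entries, the "No previously connected headends" and "ISEPostureCFG.xml not found" warnings, and the MnT-stage probe targets, and turns them into a short triage verdict. The sample input is the excerpt from the post embedded inline; the line format assumed by the regex is the one visible in that excerpt.

```python
import re
from dataclasses import dataclass

# Constructed sample: the DART excerpt quoted in the post above, copied verbatim.
SAMPLE_DART = r"""2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target 10.10.10.1.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target ::.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target enroll.cisco.com.
2020/06/11 14:00:29 [Warning] aciseagent Function: ConfigData::loadXMLCfgFile Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\configdata.cpp Line: 46 Level: warn ISEPostureCFG.xml not found, using defaults.
2020/06/11 14:00:29 [Warning] aciseagent Function: SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 750 Level: warn No previously connected headends found.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1227 Level: debug Probing MNT stage targets (#1): Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::probeNextMntTarget Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1456 Level: debug Probing Mnt stage Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery.
"""

# Line layout as seen in the excerpt (assumption: every aciseagent line uses this shape).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<severity>\w+)\] (?P<proc>\S+) "
    r"Function: (?P<func>\S+) Thread Id: (?P<tid>\S+) File: (?P<file>\S+) "
    r"Line: (?P<line>\d+) Level: (?P<level>\w+) (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"Time out for Redirection target (?P<target>\S+?)\.?$")
PROBE_RE = re.compile(r"Ng-Discovery target (?P<target>\S+) with path (?P<path>\S+?)[,.\s]*$")


@dataclass
class DartEntry:
    ts: str
    severity: str
    func: str
    file: str
    line: int
    level: str
    msg: str


def parse_dart(text: str) -> list:
    """Parse aciseagent DART lines; lines that do not fit the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(DartEntry(m["ts"], m["severity"], m["func"], m["file"],
                                     int(m["line"]), m["level"], m["msg"]))
    return entries


def timed_out_targets(entries) -> list:
    """Redirection-discovery targets the agent gave up on, in log order."""
    return [m["target"] for e in entries if (m := TIMEOUT_RE.search(e.msg))]


def probed_targets(entries) -> list:
    """(host, path) pairs the agent probed in the MnT discovery stage."""
    return [(m["target"], m["path"]) for e in entries if (m := PROBE_RE.search(e.msg))]


def triage(entries) -> dict:
    """Summarise what the excerpt says about posture discovery for this session."""
    timeouts = timed_out_targets(entries)
    no_headend = any("No previously connected headends" in e.msg for e in entries)
    default_cfg = any("ISEPostureCFG.xml not found" in e.msg for e in entries)
    if timeouts and no_headend:
        verdict = ("Redirection discovery failed: HTTP probes to %s were never answered "
                   "with a redirect and no cached headend exists, so the switch is not "
                   "redirecting this session. Check the redirect ACL hit counters and the "
                   "auth session (URL-redirect and ACL present) on the switch."
                   % ", ".join(timeouts))
    elif timeouts:
        verdict = ("Redirection discovery failed, but a previously connected headend is "
                   "cached; the agent may still reach ISE through that list.")
    else:
        verdict = "No redirection timeouts in this excerpt."
    return {"redirect_timeouts": timeouts, "no_prior_headend": no_headend,
            "default_cfg": default_cfg, "probing": probed_targets(entries),
            "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(parse_dart(SAMPLE_DART)).items():
        print(f"{k}: {v}")
```

Run it against a whole `aciseagent` log from a DART bundle rather than the excerpt: the interesting signal is that all three stage-1 targets (the default gateway, `::` and `enroll.cisco.com`) time out while no prior headend is cached, which is exactly the "No Policy Server Detected" situation, and it points at the switch-side redirect rather than at DNS.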
06-13-2020 01:23 PM
Hi @ISEduo ,
Since redirection is not happening on the switch, let's check a couple of things:
- Do you have Dynamic-Author configured on the switch?
- Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ?
- Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)?
If you are able to resolve enroll.cisco.com, that's great. The way it will be used is that when the client sends an HTTP GET request to enroll.cisco.com, it will be redirected by the switch to the ISE IP.
Please 'RATE' and 'MARK ACCEPTED', if applicable.
06-13-2020 01:50 PM
Hi Anurag,
See my answers below.
- Do you have Dynamic-Author configured on the switch? Yes
- Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ? Yes, I do. I also see the session ID and URL for the portal.
- Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)? I didn't test this.
Thanks !
06-13-2020 02:33 PM
Make sure the redirect ACL name is exactly the same as the one on the switch. Any typo, upper/lower-case mismatch can also be a problem.
Please 'RATE' and 'MARK ACCEPTED', if applicable.
06-13-2020 03:20 PM
OK. Seems to be correct on both ends.
Are these two lines mandatory for the switch?
ip http active-session-modules none
ip http secure-active-session-modules none
