Two redirection URLs are being pushed

dgaikwad
Level 5

Setup is ISE 2.6.0.156
Switch 2960 Lanbase IOS 15.0(2)SE11
Windows 10
AnyConnect version 4.7.04056

While testing I saw that there are two different redirection URLs being pushed; I see the same thing in live logs and on the authentication session that is applied for the endpoint.
Is this something that is new, or am I missing some configuration here?

The policy set at this time is pretty simple: posture status = unknown, redirect to CPP,
with the ACL on the switch as follows:

deny udp any any eq domain
deny udp any eq bootpc any eq bootps
deny udp any eq bootps any eq bootpc
deny tcp any host <ISE Server IP address> eq 8443
deny tcp any host <ISE Server IP address> eq 8905
deny udp any host <ISE Server IP address> eq 8905
permit tcp any any eq www
permit tcp any any eq 443

1 Accepted Solution


Cristian Matei
VIP Alumni

Hi,

I've seen this happening a couple of times; it was always an ISE bug. For example, see attached. Apply the latest patch and, if the behaviour is still there, upgrade to a newer recommended release, like ISE 2.6.0 patch 5.


Regards,

Cristian Matei.


4 Replies

Colby LeMaire
VIP Alumni

I personally have not seen this behavior before and I have done countless ISE deployments. I am curious if it is actually sending both URLs in the RADIUS Access-Accept or if it is just a cosmetic bug in the GUI. Can you do a tcpdump on the PSN and take a look at the RADIUS packets? But either way, this looks like a bug. I would recommend opening a TAC case.
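
The check suggested in the reply above, telling a GUI-only duplicate from one that is really on the wire, can be done by counting the `url-redirect` cisco-av-pairs in the captured Access-Accept. This is an added example, not part of the original thread and not Cisco code; the packets are constructed, and the host name, ACL name and portal ids in them are placeholders.

```python
import struct

VSA, CISCO, AVPAIR, ACCESS_ACCEPT = 26, 9, 1, 2  # RFC 2865 type 26; Cisco enterprise 9, sub-type 1

def cisco_avpairs(packet: bytes) -> list:
    """Return every cisco-av-pair string in one RADIUS Access-Accept (UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a complete Access-Accept")
    pairs, pos = [], 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == VSA and len(value) >= 6:
            # Vendor-Id (4 bytes), then vendor type and vendor length (1 byte each)
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if (vendor, v_type) == (CISCO, AVPAIR) and 2 <= v_len <= len(value) - 4:
                pairs.append(value[6:4 + v_len].decode("utf-8", "replace"))
        pos += a_len
    return pairs

def redirect_urls(packet: bytes) -> list:
    """Values of url-redirect only; url-redirect-acl is a different av-pair."""
    return [p.split("=", 1)[1] for p in cisco_avpairs(packet) if p.startswith("url-redirect=")]

def _vsa(text: str) -> bytes:
    data = text.encode()
    return struct.pack("!BBIBB", VSA, len(data) + 8, CISCO, AVPAIR, len(data) + 2) + data

def build_accept(avpairs) -> bytes:
    """Constructed test packet; the 16-byte authenticator is zeroed and not verified."""
    attrs = b"".join(_vsa(a) for a in avpairs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample values (placeholder host, ACL name and portal ids).
BASE = "url-redirect=https://ise.example.test:8443/portal/gateway?sessionId=SessionIdValue"
SAMPLE_TWO = build_accept(["url-redirect-acl=REDIRECT-ACL",
                           BASE + "&portal=portal-a&action=cpp",
                           BASE + "&portal=portal-b&action=cpp"])
SAMPLE_ONE = build_accept(["url-redirect-acl=REDIRECT-ACL", BASE + "&portal=portal-a&action=cpp"])

if __name__ == "__main__":
    for name, pkt in (("two", SAMPLE_TWO), ("one", SAMPLE_ONE)):
        urls = redirect_urls(pkt)
        print(name, len(urls), "url-redirect av-pair(s)", "<- duplicated on the wire" if len(urls) > 1 else "")
```

To use it on real traffic, pass `redirect_urls()` the UDP payload of the Access-Accept taken from the PSN capture; a result longer than one entry means the duplicate is in the RADIUS reply itself rather than only in the live log display.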

hslai
Cisco Employee

CSCvp77017 is a duplicate of CSCvj05563, which was addressed in ISE 2.6 Patch 1.

Will have to work with the customer on this and post an update once it's done.
Thanks for the pointer.