Unable to connect to Cisco and getting no policy server .detected

Hi W

I try to connect Cisco to a wired network. The network is connected, but the system scan is not happening; I get "no policy server detected" and "default network access is in effect".

Can someone please help me resolve this issue?

Accepted Solution

Go with the following steps and see where it is failing:

1. Check if you are hitting the correct policy, where you would have mentioned posture status as unknown and the authorization profile would contain the redirect ACL and a downloadable ACL, if using any.
2. Check if the redirect ACL, URL and dACL (if any) have been applied on the switch when the client authenticates, using the command “show authentication status ise interface”.
3. If yes, please check the contents of the redirect ACL and the downloadable ACL. If it is a wired connection, on the switch, in the redirect ACL, deny traffic to the ISE and allow traffic to any host on ports 80 and 443. Please find a reference here: https://secure-web.cisco.com/1v2zCwnxXQMD0chGYvPNuzMZO298wf2Z-4Ki4D-eMALu8VsOlKg_1SiAvT-VBk42i2FVtgrTzIkMyG36aYli2vGDEfCe_7_5zVtxIpWVaZs-aN-jL6MET02gtf9OEpQdBhVGThO2vGQ5-qJ6HEcc0EoC2k_Rb-pJHAJK0EcnIkXgVOVi8Iuyo9kbSRiuC52zVtC1yFXrQwUNg-PtGiEUypohOVMx7...
4. If you have a dACL configured, please allow traffic to the DNS and DHCP servers, the discovery host configured, the gateway of the client, the ISE PSNs and enroll.cisco.com.
5. Make sure your DNS server can resolve the ISE PSN FQDNs and enroll.cisco.com.
6. Make sure you have “ip http server”, “ip http secure-server” and device tracking configured on the switch.
7. Redirection can be tested from the client machine by opening a browser on the end client, say a Windows PC. Type http://secure-web.cisco.com/14cOEH-IW0DPLfB48LktX0i7qXAYnjuucduFEcQKjVP-1fS62naZK2em2X7bLo_ZtOv4h6Ov4MOs6u8jaZXGQkwdyKvk0nYW3Sz_ywSeLL-VysTl8H3ftmkSd1U9vV6IcwcB2rp4MeZtn6G0Wq5fiFHauN1z8WiAvFcVdVlA1akGhzWG4bfEM0gQEP9GcyojKBQZOk_7y7IBu8KIB1tkqr8Q0X94Hs... and see if it gets redirected to the client provisioning portal and the portal opens.
8. If the redirection URL is not seen, then it would mean that the redirection itself did not work. In this case, please check if the SVI is configured on the access switch or somewhere in the upper layers. Please refer to this https://secure-web.cisco.com/1id02xRLgi_4gMLcI8hETkBpjAlpPy-sgHHkFtwioB7J5BDwmdgcoEOTKRthId8GDKeTpaXD3WzZZ6mx5LOEkN0vX3YnmC3Utl-xE2LQ5JFOusoOzKlZWYMsRqnRjPPxzIa9PPX8KRDL-qPBTCIUH1wDeAYaPlntLRvESLrTW8-AtXdoEHUpS4HECRhGIZzWjSoeLjWekS5sQKXwVmK-haL1c0RBV... for more information on how redirection works in different scenarios.
9. If the redirection URL is seen in the browser but the page isn’t opening, please check if the DNS resolution of the ISE FQDN in the URL works, and check if you can telnet to port 8443 from the end machine. Please take a packet capture from ISE (the PSN seen in the redirect URL) and see if the client traffic is reaching it. If the traffic is reaching ISE, please run the command “show ports | in 8443” to see if that specific PSN is listening on 8443.
10. If you are successfully redirected to the client provisioning portal and you can see the portal, then redirection is not the issue and something is wrong on the client side, in which case you would need to collect a DART bundle.
11. Open up the DART bundle and check for log lines containing “http”, “error”, “fatal” or “severe”.

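Steps 3 and 4 of the accepted answer describe what the redirect ACL and the dACL have to contain, and the most common mistake is forgetting that on IOS the redirect ACL is a match list (permit means "send this flow to the portal", deny means "let it through untouched"), so permitting the PSN itself loops the portal request back into the redirect. The following Python script is an added example, not Cisco or ISE tooling: it parses constructed IOS-style ACL text, evaluates client flows against it with first-match semantics, and reports where a redirect ACL or dACL contradicts those two steps. All addresses, ACL names and the sample ACLs are placeholders; enroll.cisco.com is only reachable by name and is covered here by the generic port 443 permit rather than checked explicitly.

```python
"""Static check of a wired ISE posture redirect ACL and dACL (accepted answer, steps 3-4).
Added example, not Cisco/ISE code.  ACL text and all addresses are constructed placeholders."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "bootps": 67, "bootpc": 68}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _network(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ipaddress accepts a hostmask (IOS wildcard) after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' qualifier (only 'eq' is handled in this example)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one access-control entry; headers, remarks and blank lines return None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _network(rest)
    sport, rest = _port(rest)
    dst, rest = _network(rest)
    dport, rest = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def parse_acl(text):
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def lookup(aces, proto, dst, dport=None):
    """First-match evaluation of a client -> dst flow; no match is the implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def redirect_acl_findings(text, psns, web_host="203.0.113.10"):
    """Step 3: flows to the PSNs must NOT be permitted (= redirected); web ports to anything else must be."""
    aces = parse_acl(text)
    findings = []
    for psn in psns:
        for port in (443, 8443):  # portal ports the client talks to on ISE
            if lookup(aces, "tcp", psn, port) == "permit":
                findings.append(f"PSN {psn} tcp/{port} is permitted, so the portal request itself would be redirected")
    for port in (80, 443):
        if lookup(aces, "tcp", web_host, port) != "permit":
            findings.append(f"tcp/{port} to arbitrary hosts is not permitted, so no redirect happens")
    return findings


def dacl_findings(text, required):
    """Step 4: every (label, host, proto, port) the posture flow needs must pass the dACL."""
    aces = parse_acl(text)
    return [f"{label}: {proto}/{port} to {host} is blocked by the dACL"
            for label, host, proto, port in required
            if lookup(aces, proto, host, port) != "permit"]


# Constructed sample values (placeholders, not from the thread).
PSNS = ["10.10.1.10", "10.10.1.11"]
REQUIRED = [("DNS", "10.10.2.53", "udp", 53), ("DHCP", "10.10.2.67", "udp", 67),
            ("gateway", "10.20.0.1", "icmp", None),
            ("PSN", "10.10.1.10", "tcp", 8443), ("PSN", "10.10.1.11", "tcp", 8443)]

GOOD_REDIRECT_ACL = """\
ip access-list extended ACL-POSTURE-REDIRECT
 remark do not redirect traffic to ISE itself
 deny ip any host 10.10.1.10
 deny ip any host 10.10.1.11
 permit tcp any any eq www
 permit tcp any any eq 443
"""
# Same ACL with the PSN denies missing: the portal request on 443 would itself be redirected.
BAD_REDIRECT_ACL = "\n".join(l for l in GOOD_REDIRECT_ACL.splitlines() if "deny" not in l)

GOOD_DACL = """\
permit udp any host 10.10.2.53 eq domain
permit udp any eq bootpc any eq bootps
permit ip any host 10.20.0.1
permit ip any host 10.10.1.10
permit ip any host 10.10.1.11
permit tcp any any eq www
permit tcp any any eq 443
"""

if __name__ == "__main__":
    print("good redirect ACL:", redirect_acl_findings(GOOD_REDIRECT_ACL, PSNS))
    print("bad redirect ACL: ", redirect_acl_findings(BAD_REDIRECT_ACL, PSNS))
    print("dACL:", dacl_findings(GOOD_DACL, REQUIRED))
```

To use it against a real switch, paste the output of the redirect ACL and the dACL the session actually received (step 2 of the answer shows which ones were applied) into the two text constants and replace the placeholder PSN, DNS, DHCP and gateway addresses with your own; only `eq`-style port qualifiers and IPv4 are handled, so anything more exotic needs the parser extended.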

3 Replies

rosalesoe
Level 1

Have you tried deleting the ISECFG.XML from your AppData and reconnecting? I am assuming you are performing posture.


I am not able to see ISECFG.xml in Cisco appdata
