This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
The URL redirection page in the client machine's browser does not correctly guide the end user to the appropriate URL. I am using ISE 1.1.4
any help ?
Solved! Go to Solution.
There are multiple causes for this issue.
• The two Cisco av-pairs that are configured on the authorization profile should
exactly match the example below. (Note: Do not replace the “IP” with the actual
Cisco ISE IP address.)
– url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
– url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is
also defined on the access switch)
• Ensure that the URL redirection portion of the ACL have been applied to the
session by entering the show epm session ip
switch. (Where the session IP is the IP address that is passed to the client
machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
• Ensure that the preposture assessment DACL that is enforced from the Cisco ISE
authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE
There are multiple causes for this issue.
• The two Cisco av-pairs that are configured on the authorization profile should
exactly match the example below. (Note: Do not replace the “IP” with the actual
Cisco ISE IP address.)
– url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
– url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is
also defined on the access switch)
• Ensure that the URL redirection portion of the ACL have been applied to the
session by entering the show epm session ip
switch. (Where the session IP is the IP address that is passed to the client
machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
• Ensure that the preposture assessment DACL that is enforced from the Cisco ISE
authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE
Well, as far as I remember, port 8906 is not used anymore and it has been replaced by 8909..