
Wired CWA with ISE 2.x and 2960X switch 15.2

kidvelvet
Level 4

Hello,

I have set up for a customer a wireless Centralized Web Authentication portal that uses AD authentication in order to access the proper network resources (the customer does not want to use a dot1x client, so we are going the web auth route). This has worked as expected, and now we are just putting some finishing touches on the configuration to get the workflow just right.

However, when I try the same thing on the wired side with a 2960X using 15.2.2 code, all of the MAB authentication seems to work properly, the switch gets the correct guest redirect URL and ACL, and I am able to connect to the https://guest.example.net:8443/portal<redacted> site when entered manually, but going to port 80 or 443 will not cause a redirection.

Here is the relevant switch configuration:

service timestamps log datetime msec
service password-encryption
!
hostname <switch>
!
boot-start-marker
boot-end-marker
!
logging buffered 65500
enable secret <redacted>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 192.168.25.7 server-key <redacted>
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
switch 1 provision ws-c2960x-48lps-l
device-sensor accounting
device-sensor notify all-changes
!
ip dhcp snooping
ip domain-name int.example.com
ip name-server 192.168.24.5
!
authentication mac-move permit
epm logging
!
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
lldp run
!
interface GigabitEthernet1/0/19
 description Open Office Port
 switchport access vlan 25
 switchport mode access
 ip access-group ACL_DEFAULT in
 duplex full
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 spanning-tree portfast
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan24
 ip address 192.168.24.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 192.168.24.1
ip http server
ip http secure-server
!
ip ssh version 2
!
ip access-list extended ACL_DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 192.168.25.7
 deny   ip any any
ip access-list extended GUESTREDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip any host 192.168.25.7
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
ip radius source-interface Vlan25
logging origin-id ip
logging source-interface Vlan24
logging host 192.168.25.7 transport udp port 20514
access-list 10 permit 192.168.25.0 0.0.0.255
access-list 10 deny   any log
!
snmp-server community <redacted> RO 10
snmp-server trap-source Vlan24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.25.7 version 2c <redacted>  mac-notification snmp
tacacs server TACACS
 address ipv4 192.168.25.7
 key <redacted>
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server RADIUS
 address ipv4 192.168.25.7 auth-port 1812 acct-port 1813
 key <redacted>
!
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
ntp server pool.ntp.org
mac address-table notification change
mac address-table notification mac-move
end

<switch>#


And here are the logs with debugging turned on for MAB, EPM, and RADIUS, along with the output of sh auth sess int g1/0/19 det:


Feb  7 23:07:59.303: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Feb  7 23:07:59.303: RADIUS(00000000): Config NAS IP: 0.0.0.0
Feb  7 23:07:59.303: RADIUS(00000000): Config NAS IPv6: ::
Feb  7 23:07:59.303: RADIUS(00000000): sending
Feb  7 23:07:59.303: mab-sm: Received event 'MAB_DELETE' on handle 0xEE000010
Feb  7 23:07:59.303: mab-ev: Received ABORT event from Auth Mgr for 0xEE000010 (d8d3.8530.ad7c)
Feb  7 23:07:59.303: mab-ev: Deleted credentials profile for 0xEE000010 (dot1x_mac_auth_d8d3.8530.ad7c)
Feb  7 23:07:59.303: mab-ev: Freed MAB client context
Feb  7 23:07:59.307: RADIUS/ENCODE: Best Local IP-Address 192.168.24.2 for Radius-Server 192.168.25.7
Feb  7 23:07:59.307: RADIUS(00000000): Send Accounting-Request to 192.168.25.7:1813 onvrf(0) id 1646/54, len 308
Feb  7 23:07:59.307: RADIUS:  authenticator 92 2C FF 4A E6 FB 25 3E - 07 E3 FF 66 C3 A6 BF 08
Feb  7 23:07:59.310: RADIUS:  Framed-IP-Address   [8]   6   192.168.25.175
Feb  7 23:07:59.310: RADIUS:  User-Name           [1]   19  "D8-D3-85-30-AD-7C"
Feb  7 23:07:59.310: RADIUS:  Vendor, Cisco       [26]  49
Feb  7 23:07:59.310: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A818020000002C01F1CE73"
Feb  7 23:07:59.310: RADIUS:  Vendor, Cisco       [26]  18
Feb  7 23:07:59.310: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Feb  7 23:07:59.310: RADIUS:  Called-Station-Id   [30]  19  "00-41-D2-ED-43-13"
Feb  7 23:07:59.310: RADIUS:  Calling-Station-Id  [31]  19  "D8-D3-85-30-AD-7C"
Feb  7 23:07:59.310: RADIUS:  NAS-IP-Address      [4]   6   192.168.24.2
Feb  7 23:07:59.310: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/19"
Feb  7 23:07:59.310: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Feb  7 23:07:59.310: RADIUS:  NAS-Port            [5]   6   50119
Feb  7 23:07:59.310: RADIUS:  Acct-Session-Id     [44]  10  "00000020"
Feb  7 23:07:59.310: RADIUS:  Acct-Terminate-Cause[49]  6   lost-carrier              [2]
Feb  7 23:07:59.310: RADIUS:  Class               [25]  53
Feb  7 23:07:59.310: RADIUS:   43 41 43 53 3A 43 30 41 38 31 38 30 32 30 30 30  [CACS:C0A81802000]
Feb  7 23:07:59.310: RADIUS:   30 30 30 32 43 30 31 46 31 43 45 37 33 3A 69 73  [0002C01F1CE73:is]
Feb  7 23:07:59.310: RADIUS:   65 30 31 2F 32 37 35 35 35 37 34 33 34 2F 31 32  [e01/275557434/12]
Feb  7 23:07:59.310: RADIUS:   36 37 36               [ 676]
Feb  7 23:07:59.310: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Feb  7 23:07:59.310: RADIUS:  Event-Timestamp     [55]  6   1486508879
Feb  7 23:07:59.310: RADIUS:  Acct-Session-Time   [46]  6   368
Feb  7 23:07:59.310: RADIUS:  Acct-Input-Octets   [42]  6   253119112
Feb  7 23:07:59.310: RADIUS:  Acct-Output-Octets  [43]  6   1984353927
Feb  7 23:07:59.310: RADIUS:  Acct-Input-Packets  [47]  6   743075
Feb  7 23:07:59.310: RADIUS:  Acct-Output-Packets [48]  6   1570299
Feb  7 23:07:59.310: RADIUS:  Acct-Delay-Time     [41]  6   0
Feb  7 23:07:59.310: RADIUS(00000000): Sending a IPv4 Radius Packet
Feb  7 23:07:59.314: RADIUS(00000000): Started 5 sec timeout
Feb  7 23:07:59.321: RADIUS: Received from id 1646/54 192.168.25.7:1813, Accounting-response, len 20
Feb  7 23:07:59.321: RADIUS:  authenticator 1D E3 B6 9C BA 36 73 65 - CD 3D 43 10 E7 CF A3 A3
Feb  7 23:08:01.278: %LINK-5-CHANGED: Interface GigabitEthernet1/0/19, changed state to administratively down
Feb  7 23:08:02.281: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to down
Feb  7 23:08:06.395: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to down
Feb  7 23:08:08.202: %SYS-5-CONFIG_I: Configured from console by <user> on vty0 (192.168.25.179)
Feb  7 23:08:09.146: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] Received MAB context create from AuthMgr
Feb  7 23:08:09.146: mab-ev: MAB authorizing d8d3.8530.ad7c
Feb  7 23:08:09.146: mab-ev: Created MAB client context 0xAF000011
Feb  7 23:08:09.146:     mab : initial state mab_initialize has enter
Feb  7 23:08:09.146: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] Sending create new context event to EAP from MAB for 0xAF000011 (d8d3.8530.ad7c)
Feb  7 23:08:09.146: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] MAB authentication started for 0x07FE3D28 (d8d3.8530.ad7c)
Feb  7 23:08:09.146: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] Invalid EVT 9 from EAP
Feb  7 23:08:09.146: mab-sm: [d8d3.8530.ad7c, Gi1/0/19] Received event 'MAB_CONTINUE' on handle 0xAF000011
Feb  7 23:08:09.150:     mab : during state mab_initialize, got event 1(mabContinue)
Feb  7 23:08:09.150: @@@ mab : mab_initialize -> mab_authorizing
Feb  7 23:08:09.150: mab-ev: [d8d3.8530.ad7c] formatted mac = d8d38530ad7c
Feb  7 23:08:09.150: mab-ev: [d8d3.8530.ad7c] created mab pseudo dot1x profile dot1x_mac_auth_d8d3.8530.ad7c
Feb  7 23:08:09.150: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] Starting MAC-AUTH-BYPASS for 0xAF000011 (d8d3.8530.ad7c)
Feb  7 23:08:09.150: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] Invalid EVT 9 from EAP
Feb  7 23:08:09.150: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Feb  7 23:08:09.150: RADIUS(00000000): Config NAS IP: 0.0.0.0
Feb  7 23:08:09.150: RADIUS(00000000): Config NAS IPv6: ::
Feb  7 23:08:09.150: RADIUS(00000000): sending
Feb  7 23:08:09.150: RADIUS/ENCODE: Best Local IP-Address 192.168.24.2 for Radius-Server 192.168.25.7
Feb  7 23:08:09.150: RADIUS(00000000): Send Access-Request to 192.168.25.7:1812 onvrf(0) id 1645/18, len 267
Feb  7 23:08:09.153: RADIUS:  authenticator 25 3B 90 7C 69 B9 43 8D - 03 D8 76 55 31 62 55 12
Feb  7 23:08:09.153: RADIUS:  User-Name           [1]   14  "d8d38530ad7c"
Feb  7 23:08:09.153: RADIUS:  User-Password       [2]   18  *
Feb  7 23:08:09.153: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Feb  7 23:08:09.153: RADIUS:  Vendor, Cisco       [26]  31
Feb  7 23:08:09.153: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
Feb  7 23:08:09.153: RADIUS:  Framed-MTU          [12]  6   1500
Feb  7 23:08:09.153: RADIUS:  Called-Station-Id   [30]  19  "00-41-D2-ED-43-13"
Feb  7 23:08:09.153: RADIUS:  Calling-Station-Id  [31]  19  "D8-D3-85-30-AD-7C"
Feb  7 23:08:09.153: RADIUS:  Message-Authenticato[80]  18
Feb  7 23:08:09.153: RADIUS:   BB 19 3E D4 E1 28 1C 11 6B C3 CB E4 98 8E D9 9E               [ >(k]
Feb  7 23:08:09.153: RADIUS:  EAP-Key-Name        [102] 2   *
Feb  7 23:08:09.153: RADIUS:  Vendor, Cisco       [26]  49
Feb  7 23:08:09.153: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A818020000002D01F799E6"
Feb  7 23:08:09.153: RADIUS:  Vendor, Cisco       [26]  18
Feb  7 23:08:09.153: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Feb  7 23:08:09.153: RADIUS:  Framed-IP-Address   [8]   6   192.168.25.175
Feb  7 23:08:09.153: RADIUS:  NAS-IP-Address      [4]   6   192.168.24.2
Feb  7 23:08:09.153: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/19"
Feb  7 23:08:09.153: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Feb  7 23:08:09.153: RADIUS:  NAS-Port            [5]   6   50119
Feb  7 23:08:09.153: RADIUS(00000000): Sending a IPv4 Radius Packet
Feb  7 23:08:09.153: RADIUS(00000000): Started 5 sec timeout
Feb  7 23:08:09.185: RADIUS: Received from id 1645/18 192.168.25.7:1812, Access-Accept, len 427
Feb  7 23:08:09.185: RADIUS:  authenticator 3F FA C4 0C EC B2 98 E3 - C6 07 B5 56 9C F1 EB 5D
Feb  7 23:08:09.185: RADIUS:  User-Name           [1]   19  "D8-D3-85-30-AD-7C"
Feb  7 23:08:09.185: RADIUS:  State               [24]  40
Feb  7 23:08:09.185: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 43 30  [ReauthSession:C0]
Feb  7 23:08:09.188: RADIUS:   41 38 31 38 30 32 30 30 30 30 30 30 32 44 30 31  [A818020000002D01]
Feb  7 23:08:09.188: RADIUS:   46 37 39 39 45 36            [ F799E6]
Feb  7 23:08:09.188: RADIUS:  Class               [25]  53
Feb  7 23:08:09.188: RADIUS:   43 41 43 53 3A 43 30 41 38 31 38 30 32 30 30 30  [CACS:C0A81802000]
Feb  7 23:08:09.188: RADIUS:   30 30 30 32 44 30 31 46 37 39 39 45 36 3A 69 73  [0002D01F799E6:is]
Feb  7 23:08:09.188: RADIUS:   65 30 31 2F 32 37 35 35 35 37 34 33 34 2F 31 32  [e01/275557434/12]
Feb  7 23:08:09.188: RADIUS:   36 38 37               [ 687]
Feb  7 23:08:09.188: RADIUS:  Message-Authenticato[80]  18
Feb  7 23:08:09.188: RADIUS:   09 28 1D 2D F3 B0 F0 A3 EC 35 B4 71 EF CF 30 59            [ (-5q0Y]
Feb  7 23:08:09.188: RADIUS:  Vendor, Cisco       [26]  38
Feb  7 23:08:09.188: RADIUS:   Cisco AVpair       [1]   32  "url-redirect-acl=GUESTREDIRECT"
Feb  7 23:08:09.188: RADIUS:  Vendor, Cisco       [26]  197
Feb  7 23:08:09.188: RADIUS:   Cisco AVpair       [1]   191 "url-redirect=https://guest.example.com:8443/portal/gateway?sessionId=C0A818020000002D01F799E6&portal=1c252db0-eaa9-11e6-822a-005056a009c4&action=cwa&token=1ec40fb7c5b511904c0dd95011d0c4d8"
Feb  7 23:08:09.188: RADIUS:  Vendor, Cisco       [26]  42
Feb  7 23:08:09.188: RADIUS:   Cisco AVpair       [1]   36  "profile-name=Microsoft-Workstation"
Feb  7 23:08:09.188: RADIUS(00000000): Received from id 1645/18
Feb  7 23:08:09.188: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Feb  7 23:08:09.191: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] MAB received an Access-Accept for 0xAF000011 (d8d3.8530.ad7c)
Feb  7 23:08:09.191: mab-sm: [d8d3.8530.ad7c, Gi1/0/19] Received event 'MAB_RESULT' on handle 0xAF000011
Feb  7 23:08:09.191:     mab : during state mab_authorizing, got event 5(mabResult)
Feb  7 23:08:09.191: @@@ mab : mab_authorizing -> mab_terminate
Feb  7 23:08:09.191: mab-ev: [d8d3.8530.ad7c, Gi1/0/19] Deleted credentials profile for 0xAF000011 (dot1x_mac_auth_d8d3.8530.ad7c)
Feb  7 23:08:09.195: %EPM-6-POLICY_REQ: IP 192.168.25.175| MAC d8d3.8530.ad7c| AuditSessionID C0A818020000002D01F799E6| EVENT APPLY
Feb  7 23:08:09.195: %EPM-6-POLICY_APP_SUCCESS: Policy Application succeded for Client [192.168.25.175] MAC [d8d3.8530.ad7c] AuditSession ID [C0A818020000002D01F799E6] for POLICY_TYPE [URL Redirect] POLICY_NAME [https://guest.example.com:8443/portal/gateway?sessionId=C0A818020000002D01F799E6&portal=1c252db0-eaa9-11e6-822a-005056a009c4&action=cwa&token=1ec40fb7c5b511904c0dd95011d0c4d8]
Feb  7 23:08:10.226: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Feb  7 23:08:10.226: RADIUS(00000000): Config NAS IP: 0.0.0.0
Feb  7 23:08:10.226: RADIUS(00000000): Config NAS IPv6: ::
Feb  7 23:08:10.226: RADIUS(00000000): sending
Feb  7 23:08:10.226: RADIUS/ENCODE: Best Local IP-Address 192.168.24.2 for Radius-Server 192.168.25.7
Feb  7 23:08:10.226: RADIUS(00000000): Send Accounting-Request to 192.168.25.7:1813 onvrf(0) id 1646/55, len 272
Feb  7 23:08:10.226: RADIUS:  authenticator D8 BF 66 8B B0 00 96 9D - 1C 46 24 B7 45 05 48 FD
Feb  7 23:08:10.226: RADIUS:  Framed-IP-Address   [8]   6   192.168.25.175
Feb  7 23:08:10.226: RADIUS:  User-Name           [1]   19  "D8-D3-85-30-AD-7C"
Feb  7 23:08:10.230: RADIUS:  Vendor, Cisco       [26]  49
Feb  7 23:08:10.230: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A818020000002D01F799E6"
Feb  7 23:08:10.230: RADIUS:  Vendor, Cisco       [26]  18
Feb  7 23:08:10.230: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Feb  7 23:08:10.230: RADIUS:  Called-Station-Id   [30]  19  "00-41-D2-ED-43-13"
Feb  7 23:08:10.230: RADIUS:  Calling-Station-Id  [31]  19  "D8-D3-85-30-AD-7C"
Feb  7 23:08:10.230: RADIUS:  NAS-IP-Address      [4]   6   192.168.24.2
Feb  7 23:08:10.230: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/19"
Feb  7 23:08:10.230: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Feb  7 23:08:10.230: RADIUS:  NAS-Port            [5]   6   50119
Feb  7 23:08:10.230: RADIUS:  Acct-Session-Id     [44]  10  "00000021"
Feb  7 23:08:10.230: RADIUS:  Class               [25]  53
Feb  7 23:08:10.230: RADIUS:   43 41 43 53 3A 43 30 41 38 31 38 30 32 30 30 30  [CACS:C0A81802000]
Feb  7 23:08:10.230: RADIUS:   30 30 30 32 44 30 31 46 37 39 39 45 36 3A 69 73  [0002D01F799E6:is]
Feb  7 23:08:10.230: RADIUS:   65 30 31 2F 32 37 35 35 35 37 34 33 34 2F 31 32  [e01/275557434/12]
Feb  7 23:08:10.230: RADIUS:   36 38 37               [ 687]
Feb  7 23:08:10.230: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Feb  7 23:08:10.230: RADIUS:  Event-Timestamp     [55]  6   1486508890
Feb  7 23:08:10.230: RADIUS:  Acct-Delay-Time     [41]  6   0
Feb  7 23:08:10.230: RADIUS(00000000): Sending a IPv4 Radius Packet
Feb  7 23:08:10.230: RADIUS(00000000): Started 5 sec timeout
Feb  7 23:08:10.240: RADIUS: Received from id 1646/55 192.168.25.7:1813, Accounting-response, len 20
Feb  7 23:08:10.240: RADIUS:  authenticator 40 91 18 5B FF 80 AE 81 - 64 DA 46 23 CD 04 CE 56

<switch>#sh auth sess int g1/0/19 det
            Interface:  GigabitEthernet1/0/19
          MAC Address:  d8d3.8530.ad7c
         IPv6 Address:  Unknown
         IPv4 Address:  192.168.25.175
            User-Name:  D8-D3-85-30-AD-7C
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  201s
    Common Session ID:  C0A818020000002D01F799E6
      Acct Session ID:  0x00000021
               Handle:  0xD3000013
       Current Policy:  POLICY_Gi1/0/19

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
         URL Redirect:  https://guest.example.com:8443/portal/gateway?sessionId=C0A818020000002D01F799E6&portal=1c252db0-eaa9-11e6-822a-005056a009c4&action=cwa&token=1ec40fb7c5b511904c0dd95011d0c4d8
     URL Redirect ACL:  GUESTREDIRECT

Method status list:
       Method           State
       mab              Authc Success

<switch>#


Any ideas are appreciated. Just not sure why the redirection is not occurring on the computer.



-Steve


Accepted Solution

howon
Cisco Employee

Are you sending a dACL as well? If not, then I would send an 'ip permit any any' dACL along. Looking at your ACL_DEFAULT, you have 'deny ip any any', which is denying any web traffic destined for an IP other than ISE. Sending the 'ip permit any any' should address that.

Hosuk
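The accepted answer's reasoning, worked through as an added example that is not part of the original thread: a small Python model of the decision a Catalyst port makes for each packet from the guest. It encodes the rule the answer relies on, which is that the ACL governing the session (the static port ACL ACL_DEFAULT, or the dACL that replaces it once ISE sends one) must permit a packet before the url-redirect ACL is consulted, and that in the redirect ACL a permit means "intercept and redirect" while a deny means "pass through untouched" (on IOS switches; the WLC convention is the opposite). The two ACLs are taken verbatim from the post; the dACL written as `permit ip any any` is the one the answer suggests, in IOS syntax. The web server address 203.0.113.10, the sample packets and the narrower PRE_AUTH_DACL are constructed for the example, and the parser only understands the extended-ACL syntax the post uses.

```python
# Added example (not from the thread): model of the drop / redirect / forward decision a
# Catalyst port makes for a guest's packet under CWA. Parser covers only the syntax in the post.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69}
Packet = namedtuple("Packet", "proto src sport dst dport")          # proto: tcp | udp | icmp
Ace = namedtuple("Ace", "action proto src sport dst dport")         # sport/dport None = any port

def _addr(toks, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at toks[i] -> (IPv4Network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # ip_network reads a mask whose first octet is 0 as a host mask, i.e. an IOS wildcard
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2

def _port(toks, i):
    """Optional 'eq <number|name>' at toks[i] -> (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        return PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse the ACE lines of an IOS extended ACL; header and remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, i = _addr(toks, 2)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, _ = _port(toks, i)
        aces.append(Ace(toks[0], toks[1], src, sport, dst, dport))
    return aces

def _matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def lookup(acl, pkt):
    """First matching ACE wins; an IOS ACL ends in an implicit deny."""
    return next((ace.action for ace in acl if _matches(ace, pkt)), "deny")

def classify(pkt, session_acl, redirect_acl):
    """session_acl is the dACL when ISE pushed one, else the static port ACL. It must permit the
    packet first; in the redirect ACL 'permit' = intercept and redirect, 'deny' = pass untouched."""
    if lookup(session_acl, pkt) == "deny":
        return "drop"
    if lookup(redirect_acl, pkt) == "permit":
        return "redirect"
    return "forward"

# The two ACLs exactly as configured in the post.
ACL_DEFAULT = parse_acl("""permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any host 192.168.25.7
deny   ip any any""")
GUESTREDIRECT = parse_acl("""deny   udp any eq bootpc any eq bootps
deny   udp any any eq domain
deny   ip any host 192.168.25.7
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any any""")
# dACL the accepted answer proposes; ISE delivers it as a downloadable ACL with the Access-Accept.
PERMIT_ALL = parse_acl("permit ip any any")
# Narrower pre-auth dACL, constructed here and not from the thread: only what the portal flow needs.
PRE_AUTH_DACL = parse_acl("""permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 192.168.25.7
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any any""")

CLIENT, ISE = "192.168.25.175", "192.168.25.7"   # from the session output in the post
WEB = "203.0.113.10"                              # constructed: any site the guest browses to
SAMPLE_PACKETS = {
    "dhcp": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Packet("udp", CLIENT, 51000, "192.168.24.5", 53),
    "portal-direct": Packet("tcp", CLIENT, 51001, ISE, 8443),
    "http": Packet("tcp", CLIENT, 51002, WEB, 80),
    "https": Packet("tcp", CLIENT, 51003, WEB, 443),
    "ssh": Packet("tcp", CLIENT, 51004, WEB, 22),
}

def outcomes(session_acl):
    """Decision per sample packet with the given session ACL and GUESTREDIRECT as the redirect ACL."""
    return {n: classify(p, session_acl, GUESTREDIRECT) for n, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("ACL_DEFAULT only", ACL_DEFAULT), ("dACL permit ip any any", PERMIT_ALL),
                       ("narrow pre-auth dACL", PRE_AUTH_DACL)):
        print(f"{label:24} {outcomes(acl)}")
```

With only ACL_DEFAULT on the port, the model reproduces the symptom in the post: the manually typed portal URL reaches ISE (forwarded, because GUESTREDIRECT deliberately denies ISE traffic from redirection), but a browser request to any other site on port 80 or 443 is dropped by the static ACL before the redirect logic ever sees it. Once a dACL permits the traffic, the same request is redirected. The `permit ip any any` dACL fixes the redirect but also lets the unauthenticated guest reach everything that GUESTREDIRECT does not catch (the ssh sample is forwarded); the narrower pre-auth dACL keeps the redirect working while dropping that. After ISE pushes a dACL, the Server Policies section of `show authentication sessions interface g1/0/19 details` lists it as an ACS ACL line next to the URL Redirect entries, which is the quickest way to confirm the answer's suggestion took effect.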
