337 Views, 0 Helpful, 4 Replies

WS-C3560CX - And Posture Redirect

ryanbess (Level 1)

I have a C3560CX that is part of a home lab. On ports where authentication open is not enabled, posture redirection starts (I see it in the Chrome browser) but it never actually makes it to the ISE PSN. Enable authentication open and it works like a charm (port 2 works just fine, port 3 does not... same workstation connected to it). Hoping someone has seen this issue and has a light-bulb moment that will allow me to disable authentication open and get the redirect to work.

Switch config below:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname physical
!
boot-start-marker
boot-end-marker
!
enable XXX XXXX XXXXXXXX
!
username XXX privilege 15 XXXXX 0 XXXXXX
aaa new-model
!
!
aaa group server radius ise-group
server name ise-102
server name ise-104
ip radius source-interface Vlan1
!
aaa group server radius home-ise-group
server name home-ise
ip radius source-interface Vlan1
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ise-group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client 172.16.255.104 server-key Iseradius
client 172.16.255.102 server-key Iseradius
client 172.16.255.110 server-key Iseradius
!
aaa session-id common
system mtu routing 1500
!
!
!
!
!
!
no ip domain-lookup
ip domain-name sub.lab.com
ip name-server 172.255.255.250
ip device tracking probe auto-source
!
!
!
!
!
!
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description Win11-1
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description Win11-2
switchport mode access
authentication event fail action next-method
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface Vlan1
ip address 172.16.253.3 255.255.255.0
!
ip default-gateway 172.16.253.1
ip forward-protocol nd
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip route 0.0.0.0 0.0.0.0 172.16.253.1
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended POSTURE-REDIRECT-ACL
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102
deny tcp any host 172.16.255.104
permit tcp any any eq www
permit ip any any
!
ip radius source-interface Vlan1
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 3
!
radius server ise-104
address ipv4 172.16.255.104 auth-port 1812 acct-port 1813
key Iseradius
!
radius server ise-102
address ipv4 172.16.255.102 auth-port 1812 acct-port 1813
key Iseradius
!
radius server ise-group
!
radius server home-ise
address ipv4 172.16.255.110 auth-port 1812 acct-port 1813
key Iseradius
!
!
line con 0
logging synchronous
line vty 0 4
exec-timeout 240 0
transport input ssh
line vty 5 15
!
!
end

Accepted Solution

ryanbess (Level 1)

OK, so I hit up one of my network gurus at work... he remembered something we did a long, long time ago when we first started down this ISE rabbit hole. Turns out for this model of switch you need to add:

1. The ACL on box for the redirect

2. A DACL of permit ip any any

Once I added the permit ip any any to the auth profile, it works like a charm.


4 Replies

ryanbess (Level 1)

Some other info: I can see via Wireshark that the DNS and DHCP traffic is making it to the same network the ISE nodes are on. Something on the switch isn't letting the redirected traffic go to the PSNs with authentication open disabled. I'm also hard-wired into the switch.

ryanbess (Level 1)

Since I have the AnyConnect software/modules installed, I did away with the redirect ACL, and that allows posture to work with authentication open disabled. I'm leaning toward something about the switch config that doesn't like the posture redirect.

ryanbess (Level 1)

With the redirect ACL back in place, I added a line to deny TCP 445 from being redirected.

deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102
deny tcp any host 172.16.255.104
deny tcp any any eq 445
permit tcp any any eq www
permit ip any any

Even with the line above, I'm still unable to get TCP 445 traffic to make it to any TCP 445 port....
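The two ACLs in this thread are evaluated with different meanings, and that difference is what the TCP 445 experiment runs into. The following is an added example written for this page in Python, not the poster's configuration or any Cisco code, that models the combination under explicit assumptions: a permit ACE in the URL-redirect ACL marks a flow for redirection to the ISE portal, a deny ACE exempts it from redirection, and the downloadable ACL (DACL) from the authorization profile then decides whether an exempted flow is forwarded or dropped. Only the ACE shapes that appear in the thread are parsed (source is always any), and the sample flows are constructed.

```python
"""Simplified model of a Cisco IOS URL-redirect ACL combined with a DACL.

Added example, not Cisco code or the poster's configuration. Model assumptions:
a 'permit' ACE in the redirect ACL marks a flow for redirection to the ISE
portal, a 'deny' ACE exempts it from redirection, and the DACL then decides
whether an exempted flow is forwarded or dropped. Only the ACE shapes used in
the thread are parsed (source is always 'any'); sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Port keywords that appear in the thread's ACL, mapped to port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

# The redirect ACL as first posted (no TCP 445 exemption).
ORIGINAL_REDIRECT_ACL = """
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102
deny tcp any host 172.16.255.104
permit tcp any any eq www
permit ip any any
"""

# The redirect ACL after the poster added 'deny tcp any any eq 445'.
REDIRECT_ACL_WITH_445_EXEMPT = """
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102
deny tcp any host 172.16.255.104
deny tcp any any eq 445
permit tcp any any eq www
permit ip any any
"""

# The DACL the accepted solution pushes from the ISE authorization profile.
PERMIT_ALL_DACL = "permit ip any any"


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    dst: str    # destination IPv4 address
    dport: int  # destination port


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    dst: str              # "any" or a single host address
    dport: Optional[int]  # None when the ACE has no 'eq' clause

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dst != "any" and self.dst != flow.dst:
            return False
        return self.dport is None or self.dport == flow.dport


def parse_acl(text: str) -> list:
    """Parse IOS extended ACEs: '<action> <proto> any {any|host A} [eq P]'."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        action, proto = tok[0], tok[1]
        if tok[2] != "any":
            raise ValueError(f"unsupported source in ACE: {line}")
        i = 3
        if tok[i] == "host":
            dst, i = tok[i + 1], i + 2
        else:
            dst, i = "any", i + 1
        dport = None
        if i < len(tok) and tok[i] == "eq":
            port = tok[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        acl.append(Ace(action, proto, dst, dport))
    return acl


def first_match(acl, flow: Flow) -> str:
    """IOS ACLs are first-match with an implicit 'deny' at the end."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


def evaluate(flow: Flow, redirect_acl, dacl) -> str:
    """Return 'redirect', 'forward' or 'drop' for one flow under the model."""
    if first_match(redirect_acl, flow) == "permit":
        return "redirect"   # captured by the URL-redirect logic
    if first_match(dacl, flow) == "permit":
        return "forward"    # exempt from redirect and allowed by the DACL
    return "drop"           # exempt from redirect but filtered by the DACL


if __name__ == "__main__":
    smb = Flow("tcp", "10.0.0.5", 445)  # constructed: SMB share on the LAN
    web = Flow("tcp", "10.0.0.5", 80)   # constructed: plain HTTP to any host
    dacl = parse_acl(PERMIT_ALL_DACL)
    for name, text in (("original", ORIGINAL_REDIRECT_ACL),
                       ("with 445 exempt", REDIRECT_ACL_WITH_445_EXEMPT)):
        acl = parse_acl(text)
        print(f"{name}: SMB -> {evaluate(smb, acl, dacl)}, "
              f"HTTP -> {evaluate(web, acl, dacl)}")
```

Under this model, the original ACL's trailing permit ip any any marks SMB for redirection along with everything else not explicitly exempted, and the added deny tcp any any eq 445 only removes SMB from redirection; whether the exempted flow is then forwarded is a DACL decision, which is why the accepted solution pairs the on-box redirect ACL with a permit ip any any DACL rather than relying on the redirect ACL alone.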
