01-31-2019 05:37 AM - edited 03-11-2019 01:54 AM
Hello,
I enabled Anomalous Detection on ISE 2.2 patch 10. Also I created a redirection URL to explain the situation to the client and used it in an exceptions rule. However, when the user is detected by the anomalous detection, the redirection does not work.
Redirect ACL on WLC is as follows:
Exceptions Rule is as follows:
Redirect Authz profile is as follows:
Portal Settings are as follows:
(Options other than the Portal Settings are unchecked)
Is there any misconfiguration here?
Volkan Turan
01-31-2019 01:50 PM
Looks alright to me so far. Very similar to a Guest Portal redirection ACL on the Cisco WLC.
It might be that the client is unable to resolve the FQDN of the ISE node. Is the client able to ping the PSN?
Do an nslookup on the client to see what happens when you try to resolve the FQDN (https://ip:port) - that means you're not using a static FQDN on the portal. Hence, ISE substitutes the FQDN of the PSN that sent the redirect, e.g. https://ise01.net.local:8443 - if the client cannot resolve ise01.net.local then it won't establish a TCP connection to the ISE portal.
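The two client-side checks described above (resolve the PSN FQDN from the redirect URL, then open a TCP connection to the portal port), as an added example that is not part of the original post; the PSN name ise01.net.local and port 8443 are taken from the post's example and any other host passed in is an assumption of yours:

```python
"""Check whether a client can reach the ISE portal named in a redirect URL.

Added example, not from the thread: ISE puts the PSN's own FQDN into the
redirect (e.g. https://ise01.net.local:8443), so the client must resolve that
name and complete a TCP handshake to the port before the portal can load.
"""
import ipaddress
import socket
import sys
from typing import List, Tuple
from urllib.parse import urlsplit


def parse_redirect(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, is_ip_literal); port defaults to 443/80 by scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(parts.hostname)
        literal = True          # redirect carries an IP, no DNS needed
    except ValueError:
        literal = False         # redirect carries the PSN FQDN
    return parts.hostname, port, literal


def resolve(host: str) -> List[str]:
    """Resolve host the way the client's resolver would; [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt the TCP handshake the browser would make to the portal port."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_portal(url: str) -> str:
    """Classify the outcome: 'dns' (name fails), 'tcp' (port blocked) or 'ok'."""
    host, port, literal = parse_redirect(url)
    addrs = [host] if literal else resolve(host)
    if not addrs:
        return "dns"
    return "ok" if any(tcp_reachable(a, port) for a in addrs) else "tcp"


if __name__ == "__main__":
    # Default is the post's example PSN; pass your own redirect URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://ise01.net.local:8443"
    print(target, "->", check_portal(target))
```

A result of "dns" points at the client's resolver or missing DNS records for the PSN, while "tcp" means the name resolved but the redirect ACL or a firewall is not letting the portal port through.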
02-01-2019 07:54 AM
Hi Arne,
When I check live logs on ISE, the Anomalous Detected client seems to have received an IP address, but when I check on the client side the client seems not to have received an IP. And also I want to know why this client was detected as Anomalous. For this reason I checked the profiling logs, but I saw only "Attribute:AnomalousBehaviour value:true". Are there any other logs to find an explanation?
Regards,
Volkan Turan
02-16-2019 02:32 PM
Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 > Background Information has the info on how it is working currently.
If you want to check ISE debug logs, then enable DEBUG on profiler and check profiler.log files.
01-31-2019 01:54 PM
Do you have policy nodes, OR are the Primary/Sec Admin Nodes also running Policy Services? Usually the portals configured on the PRIMARY Admin Node are replicated to the PSNs, which are responsible for the Authc/Authz process (including redirect to the HotSpot Portal Page).
02-01-2019 07:58 AM
02-01-2019 08:23 AM - edited 02-01-2019 08:25 AM
Do you have the FQDN entry for each PSN in your DNS server? I would say yes because otherwise the deployment would not have been created, but confirm that. I mean:
ise01.domain.com (full FQDN) for Primary ADM/MNT/PSN
ise02.domain.com (full FQDN) for Secondary ADM/MNT/PSN
02-01-2019 09:45 AM
We have DNS entries. But I think we need to solve the client IP issue first.
02-16-2019 02:33 PM
I agree with you that resolving the DHCP IP assignment is important. You may, however, temporarily use a static IP to check other connectivity issues.