06-29-2018 02:49 AM - edited 02-21-2020 10:59 AM
Hello staff, I need help with ISE 2.0.0.306. I use patch 6 with the basic license ISE-VM-K9. I use Windows 10 as client machines, and the machines are not forwarded to the URL automatically, only manually.
I'll share a few things to consider
06-29-2018 04:41 AM
Hello,
I assume that you are using a browser to redirect. The dACL will replace the pre-authentication ACL/PACL you have configured on the switchport. Traffic must first be allowed via the dACL, then it will hit the redirect ACL.
Precisely: ACS ACL: xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba
Filip
06-29-2018 07:12 AM
Hello Philip, can you be more specific? Is the suggestion to place the redirect ACL on the switch, at the port where the client machine is?
06-29-2018 09:56 AM
Your dACL does not contain the same lines as your ACL for redirect.
Your TCP/80 or TCP/443 packets do not get to the redirect ACL, because the dACL will deny them by rule No. 11.
I do not see permit tcp any any eq http and permit tcp any any eq 443 in your dACL.
Your dACL:
Extended IP access list xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba (per-user)
06-29-2018 10:48 AM
Hi Filip, what do you suggest?
My dACL:
Extended IP access list xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba (per-user)
And my ACL:
ip access-list extended CORPORATE_REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
!
Or may the ACL only have:
ip access-list extended CORPORATE_REDIRECT
deny ip any any
06-30-2018 03:14 PM
Hi Filipi, I had already put the lines to permit tcp any any for ports 80 and 443 in my dACL and nothing happened.
06-29-2018 01:34 PM
Is your DNS in place for ISE_NAME? If not, change to the IP address.
BB
06-30-2018 01:11 AM
Hi Balaji, I had done this exchange:
ISE_IP for ISE_NAME not resolve.
06-30-2018 11:49 PM
Are ip http server and ip http secure-server enabled on your switch?
That's a prerequisite for redirection to work.
07-01-2018 05:01 AM
Hi Marvin, I have these prerequisites on my switch: ip http server and ip http secure-server.
Only manually can I paste the URL on the client machine, but automatically it does not happen.
07-01-2018 05:43 AM
Does the RADIUS live log show that a redirect URL is being sent when the client initially connects?
If it doesn't, then you most likely have a problem with your authorization policy.
07-01-2018 09:15 AM
Hi,
From your initial output of an authenticated session, under the Server Policies section you do not have the URL Redirect: - this should include the ISE FQDN and session ID.
Your output:
Server Policies:
Vlan Group: Vlan: 35
URL Redirect: ** ISE FQDN SHOULD BE HERE **
URL Redirect ACL: CORPORATE_REDIRECT
ACS ACL: xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba
For example from my lab:-
Server Policies:
URL Redirect: https://ISE24.lab.local:8443/portal/gateway?sessionId=C0A80A0200000018000BC42A&portal=3fab66d0-2e02-11e8-ba71-005056872c7f&action=cwa&type=drw&token=4ac3647ccda92d8717d3e1c5721c7d29
URL Redirect ACL: REDIRECT_ACL_CWA
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Marvin is probably on the right track, check your Authorization Profiles, please provide a screenshot and we can review.
HTH
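The comparison made in the reply above, as an added example that is not part of the original posts or of any Cisco tooling: it parses the Server Policies block of a session's output and reports when the redirect URL (with ISE host and session ID) or the redirect ACL name was not pushed. The function names and both sample outputs are constructed for illustration, and the hostname is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

def parse_server_policies(output):
    """Return the 'key: value' pairs listed under 'Server Policies:'."""
    policies, in_section = {}, False
    for line in output.splitlines():
        text = line.strip()
        if text == "Server Policies:":
            in_section = True
        elif in_section:
            key, _, value = text.partition(":")
            if not value.strip():      # blank line or next section header
                break
            policies[key.strip()] = value.strip()
    return policies

def redirect_findings(output):
    """List what is missing for web redirection in one session's output."""
    policies = parse_server_policies(output)
    findings = []
    url = urlsplit(policies.get("URL Redirect", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("URL Redirect missing: check the authorization profile")
    elif "sessionId" not in parse_qs(url.query):
        findings.append("URL Redirect has no sessionId")
    if "URL Redirect ACL" not in policies:
        findings.append("URL Redirect ACL missing")
    return findings

# Constructed sample modelled on the poster's output: no URL Redirect line.
BROKEN = """Server Policies:
          Vlan Group:  Vlan: 35
    URL Redirect ACL:  CORPORATE_REDIRECT
             ACS ACL:  xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba

Method status list:
"""
# Constructed sample modelled on the lab output (hostname is a placeholder).
WORKING = """Server Policies:
        URL Redirect:  https://ise.example.test:8443/portal/gateway?sessionId=C0A80A0200000018000BC42A&action=cwa
    URL Redirect ACL:  REDIRECT_ACL_CWA
             ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
"""

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("working", WORKING)):
        print(name, redirect_findings(sample) or "redirect attributes present")
```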
07-02-2018 12:39 AM - edited 07-02-2018 01:43 AM
07-02-2018 07:18 AM
07-02-2018 08:10 AM
Thanks, do you have any suggestion about the correct IOS for my switch?
A little while ago I upgraded my switch IOS from version 15.0 to 15.2.