Ise 2.0 Client Machine not Redirect URL Wired Dot1x

Hello staff, I need help with ISE 2.0.0.306. I use patch 6 with a basic license (ISE-VM-K9). I have Windows 10 client machines, and the machines are not forwarded to the URL automatically, only manually.

 

I'll share a few things to consider

Filip Po
Hello, 

I assume that you are using a browser to redirect. The dACL will replace the pre-authentication ACL/PACL you have configured on the switchport. Traffic must first be allowed by the dACL, then it will hit the redirect ACL.

 

Precisely: ACS ACL: xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba

 

Filip

Hello Filip, can you be more specific? What you suggest is to place the redirect ACL on the switch, at the port where this client machine is?

Your dACL does not contain the same lines as your redirect ACL.

Your TCP/80 or TCP/443 packets do not get to the redirect ACL, because the dACL will deny them by rule No. 11.

 

I do not see permit tcp any any eq http and permit tcp any any eq 443 in your dACL.

 

Your dACL:

Extended IP access list xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba (per-user)

1 permit udp any any eq bootps
2 permit udp any any eq domain
3 permit tcp any any eq domain
4 permit icmp any any echo
5 permit icmp any any echo-reply
6 permit tcp any host ISE_IP eq 8443
7 permit tcp any host ISE_IP eq 8905
8 permit tcp any host ISE_IP eq 8909
9 permit udp any host ISE_IP range 8905 8906
10 permit udp any host ISE_IP eq 8909
11 deny ip any any
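A small model of the evaluation order described in this reply, added here as an example and not part of the thread: a simplified parser for the ACL lines above, the original dACL, the same dACL with the two web permits added ahead of the final deny, and a classifier showing an HTTP packet dying at rule 11 in the first case and reaching the redirect ACL in the second. Destination addresses are constructed, ISE_IP is kept as the placeholder the thread uses, and only the subset of Cisco ACL syntax seen in the thread is understood.

```python
# Added example, not from the thread: the dACL is evaluated first, then the redirect ACL.
PORTS = {"www": 80, "http": 80, "https": 443, "domain": 53, "bootps": 67}
def parse_acl(text):  # 'permit tcp any host ISE_IP eq 8443' -> (action, proto, dst, ports)
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        tok = tok[1:] if tok and tok[0].isdigit() else tok   # drop sequence number
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        dst = tok[4] if tok[3] == "host" else "any"
        ports = None                                          # None = any port
        if "eq" in tok:
            p = PORTS.get(tok[-1], tok[-1])
            ports = (int(p), int(p))
        elif "range" in tok:
            ports = (int(tok[-2]), int(tok[-1]))
        rules.append((tok[0], tok[1], dst, ports))
    return rules

def first_match(rules, proto, dst_ip, dst_port=0):
    # Action of the first matching entry; every Cisco ACL ends in an implicit deny.
    for action, rproto, dst, ports in rules:
        if rproto in ("ip", proto) and dst in ("any", dst_ip) \
                and (ports is None or ports[0] <= dst_port <= ports[1]):
            return action
    return "deny"

def classify(dacl, redirect_acl, proto, dst_ip, dst_port=0):
    if first_match(parse_acl(dacl), proto, dst_ip, dst_port) == "deny":
        return "dropped by dACL"             # never reaches the redirect ACL
    if first_match(parse_acl(redirect_acl), proto, dst_ip, dst_port) == "permit":
        return "redirected to portal"        # permit in a redirect ACL = intercept
    return "forwarded"                       # permitted but not intercepted

ORIGINAL_DACL = """1 permit udp any any eq bootps
2 permit udp any any eq domain
3 permit tcp any any eq domain
4 permit icmp any any echo
5 permit icmp any any echo-reply
6 permit tcp any host ISE_IP eq 8443
7 permit tcp any host ISE_IP eq 8905
8 permit tcp any host ISE_IP eq 8909
9 permit udp any host ISE_IP range 8905 8906
10 permit udp any host ISE_IP eq 8909
11 deny ip any any"""
# Filip's fix: permit web traffic ahead of the final deny so it reaches the redirect ACL.
FIXED_DACL = ORIGINAL_DACL.replace(
    "11 deny", "11 permit tcp any any eq 80\n12 permit tcp any any eq 443\n13 deny")
REDIRECT_ACL = "permit tcp any any eq www\npermit tcp any any eq 443"
```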

Hi Filip, what you suggested:

My dACL:

Extended IP access list xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba (per-user)

1 permit udp any any eq bootps
2 permit udp any any eq domain
3 permit tcp any any eq domain
4 permit icmp any any echo
5 permit icmp any any echo-reply
6 permit tcp any host ISE_IP eq 8443
7 permit tcp any host ISE_IP eq 8905
8 permit tcp any host ISE_IP eq 8909
9 permit udp any host ISE_IP range 8905 8906
10 permit udp any host ISE_IP eq 8909
11 permit tcp any any eq 80
12 permit tcp any any eq 443
13 deny ip any any

 

And my ACL:

ip access-list extended CORPORATE_REDIRECT
permit tcp any any eq www
permit tcp any any eq 443

!

Or should my ACL only have:

ip access-list extended CORPORATE_REDIRECT
deny ip any any

Hi Filip, I had already put the lines to permit tcp any any for ports 80 and 443 in my dACL and nothing happened.

Is your DNS in place for ISE_NAME? If not, change to the IP address.

BB

Hi Balaji, I had already made this swap:

ISE_IP for ISE_NAME; it does not resolve.

Are ip http server and ip http secure-server enabled on your switch?

 

That's a prerequisite for redirection to work.

Hi Marvin, I have these prerequisites on my switch: ip http server and ip http secure-server.

Manually, I can paste the URL on the client machine, but automatically it does not happen.

Does the RADIUS live log show that a redirect URL is being sent when the client initially connects?

 

If it doesn't, then you most likely have a problem with your authorization policy.

Hi,

From your initial output of an authenticated session, under the Server Policies section you do not have the URL Redirect; this should include the ISE FQDN and session ID.

 

Your output:

Server Policies:
             Vlan Group:  Vlan: 35
           URL Redirect:  ** ISE FQDN SHOULD BE HERE **
       URL Redirect ACL:  CORPORATE_REDIRECT
                ACS ACL:  xACSACLx-IP-PCs_ACL_REMEDIATION-5b35ebba

 

For example, from my lab:

 

Server Policies:

         URL Redirect:  https://ISE24.lab.local:8443/portal/gateway?sessionId=C0A80A0200000018000BC42A&portal=3fab66d0-2e02-11e8-ba71-005056872c7f&action=cwa&type=drw&token=4ac3647ccda92d8717d3e1c5721c7d29
     URL Redirect ACL:  REDIRECT_ACL_CWA
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

 

Marvin is probably on the right track. Check your Authorization Profiles; please provide a screenshot and we can review.

 

HTH

Hi, please find attached what I'm sharing.

I've reviewed your output and done some testing; your Authz Profile has the entries I'd expect, and the switch configuration you provided looks OK. I don't have ISE 2.0 P6 nor your switch, so I cannot mirror your exact scenario.

Have you tried testing on another switch model or the 2960x with another (newer) IOS version? I noted you are not running the latest version.

Thanks, do you have any suggestion about the correct IOS for my switch?

A short time ago I upgraded my switch IOS from version 15.0 to 15.2.