If you have ever configured CWA (Central Web Authentication) with ISE you understand that it requires an ACL that dictates which traffic is redirected and which is let through without redirection. You also understand that this ACL has to be configured locally on the switch or wireless controller and referenced by name from ISE, so its content cannot be downloaded from ISE the way a dACL (downloadable ACL) can. The URL-Redirect ACL is not limited to CWA; it is used throughout the advanced ISE flows such as BYOD, posture, and MDM/EMM. Being able to download the URL-Redirect ACL provides great value: it allows administrators to centralize the ACL and eliminates the need to touch every network device when the ACL needs to be updated. The feature was introduced on IOS-XE, but ISE currently has no way to leverage it.
Here, I am going to provide an experimental configuration that lets you download the URL-Redirect ACL from ISE just like a dACL. It takes a few steps to grab the version number of the ACL, but it is fairly simple once the external name of the ACL is found. This has been tested with:
Catalyst 9800 v17.1.1s, but should also work with previous versions
Catalyst 9300 v16.12.1, but should also work with v16.9.1 and above on other Catalyst 9k switch models
Create URL-Redirect ACL
1. Login to ISE
2. Go to Policy > Policy Elements > Results > Authorization > Downloadable ACLs
3. Click Add
4. Provide a name. I am using “Redirect-Test” in my example
5. Enter the following in the DACL Content box and click Submit
permit tcp any any eq 80
Note: the implicit deny ensures that all other traffic is not redirected. You can also add a line to exempt ISE itself, or a permit statement for HTTPS if necessary
Find out external ACL name: Method 1 using URL-Redirect ACL as dACL to reveal the name
1. Go to Policy > Policy Elements > Results > Authorization > Authorization Profile
2. Click Add
3. Provide a name and create a simple authorization profile with the URL-Redirect ACL as dACL
4. Go to Policy > Policy Set
5. Assign it to any policy and get it matched by a real authentication with a test endpoint
6. Go to LiveLog and grab the ACL name shown in the details of the log, or in the event just above the real user authentication event. In our example it is #ACSACL#-IP-Redirect-Test-5e7a886a
7. Once the ACL name has been captured, you can delete this temporary authorization profile
Find out external ACL name: Method 2 using configuration change alarm
1. Go to the main ISE dashboard
2. Within the ALARMS dashlet, click on the “Configuration Changed” alarm
3. Find the line for the creation of the Downloadable ACL that reads something like “Configuration Added: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test” and click Details. If it was modified it will read "Configuration Changed: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test". Make sure to pick the latest event
4. On the bottom there is a line that starts with “object created: …”
5. Copy the number that comes after the “GenerationId=” part. In my example it is 1585088618. This is the epoch time when the ACL was created, which is also used as the version number.
6. Convert this number into hexadecimal format using any calculator to get the actual version number in use, which is 5e7a886a
7. Now we are going to build the external ACL name, which is the concatenation of #ACSACL#-IP-, the ACL name, -, and the version number. In our example it will be #ACSACL#-IP-Redirect-Test-5e7a886a
Note: The version number is case sensitive and should be in lower case
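Both methods above boil down to the same naming scheme, so here is a small helper, added to this post and not part of ISE or any Cisco tool, that derives the external name from the GenerationId found in the alarm details and decodes a name seen in LiveLog back to its epoch so you can confirm it belongs to the latest edit. The alarm detail text below is constructed, and its field layout is an assumption; only the "GenerationId=<epoch>" token matters.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the "object created: ..." line from the alarm details.
# Field order other than GenerationId is an assumption for this example.
ALARM_DETAILS = (
    "object created: Admin=admin; Object Type=Downloadable ACLs; "
    "Object Name=Redirect-Test; GenerationId=1585088618"
)

# Greedy name group so ACL names containing hyphens (Redirect-Test) still split
# correctly on the last hyphen before the hex version.
NAME_RE = re.compile(r"^#ACSACL#-IP-(?P<acl>.+)-(?P<ver>[0-9a-f]{1,8})$")


def generation_id(details: str) -> int:
    """Pull the GenerationId (epoch seconds) out of the alarm detail text."""
    m = re.search(r"GenerationId=(\d+)", details)
    if not m:
        raise ValueError("no GenerationId in alarm details")
    return int(m.group(1))


def external_acl_name(acl_name: str, gen_id: int) -> str:
    """Build #ACSACL#-IP-<name>-<hex epoch>; the hex version must be lower case."""
    return f"#ACSACL#-IP-{acl_name}-{gen_id:x}"


def parse_external_name(name: str) -> tuple:
    """Reverse the scheme: recover the ISE ACL name and its epoch from a LiveLog name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an ISE downloadable ACL name: {name}")
    return m.group("acl"), int(m.group("ver"), 16)


def version_timestamp(name: str) -> str:
    """UTC time of the version embedded in the name, to check it is the latest edit."""
    _, epoch = parse_external_name(name)
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    name = external_acl_name("Redirect-Test", generation_id(ALARM_DETAILS))
    print(name, "created", version_timestamp(name))
```

If the decoded timestamp is older than your last edit of the dACL, you copied a stale GenerationId and the controller will reference a version ISE no longer serves.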
Create CWA authorization profile
Create or modify an existing CWA authorization profile and replace the redirect ACL with the name we generated.