
Downloadable URL-Redirect ACL with ISE


For additional advanced ISE related Tips, please visit Advanced ISE tips to make your deployment easier document

 

Downloadable URL-Redirect ACL

If you have ever configured CWA (Central Web Authentication) with ISE, you understand that it requires an ACL that dictates which traffic is redirected and which is let through without redirection. You also understand that this ACL has to be configured locally on the switch or the wireless controller and referenced by name from ISE, so its content cannot be downloaded from ISE the way a dACL (downloadable ACL) can. The URL-Redirect ACL is not limited to CWA; it is used throughout the advanced ISE flows such as BYOD, posture, and MDM/EMM. Being able to download the URL-Redirect ACL provides great value: it lets administrators centralize the ACL and eliminates the need to touch every network device whenever the ACL has to be updated. The feature was introduced on IOS-XE; however, ISE currently has no option to leverage it.

Here, I am going to provide an experimental configuration that you can try for a downloadable URL-Redirect ACL from ISE, just like a dACL. It takes a few steps to grab the version number of the ACL, but it is fairly simple once the external name of the ACL is found. This has been tested with:

  • Catalyst 9800 v17.1.1s, but should also work with previous versions
  • Catalyst 9300 v16.12.1, but should also work with v16.9.1 and above on other Catalyst 9k switch models

 

Create URL-Redirect ACL

1. Login to ISE
2. Go to Policy > Policy Elements > Results > Authorization > Downloadable ACLs
3. Click Add
4. Provide a name. I am using “Redirect-Test” in my example
5. Enter the following in the DACL Content box and click Submit

permit tcp any any eq 80

Note: the implicit deny at the end of the ACL ensures that all other traffic is not redirected. If necessary, you can also add a deny line for the ISE node itself (so traffic to ISE is exempted from redirection) or a permit statement for HTTPS.
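To make the redirect-ACL semantics concrete, here is an added example (not part of the original article and not ISE or IOS-XE code) that parses ACL content in the same format as the DACL Content box and classifies sample flows. It follows the IOS-XE rule the note relies on: a permit entry means the packet is redirected, a deny entry or the implicit deny at the end means the packet passes without redirection. The ISE node address and the client and web server addresses are constructed placeholders, as is the second ACL that adds the ISE exemption and the HTTPS line.

```python
"""Added example: evaluate a CWA URL-Redirect ACL against sample flows.

'permit' in a redirect ACL means the packet IS redirected to the portal;
'deny' (or the implicit deny at the end) means it passes untouched.
All addresses below are constructed placeholders, not values from the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISE_PSN_IP = "192.0.2.10"  # constructed placeholder for the ISE PSN address


@dataclass
class AclEntry:
    action: str           # "permit" (redirect) or "deny" (let through)
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any" or an IPv4 host address
    dst: str              # "any" or an IPv4 host address
    dport: Optional[int]  # destination port from "eq N", or None


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host X' from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens}")


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines such as 'permit tcp any any eq 80' or 'deny ip any host X'."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or comment
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw}")
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _matches(e: AclEntry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if e.src != "any" and e.src != src:
        return False
    if e.dst != "any" and e.dst != dst:
        return False
    if e.dport is not None and e.dport != dport:
        return False
    return True


def classify(entries: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry decides: 'redirect' for permit, 'bypass' for deny.
    No match at all hits the implicit deny, so the flow is not redirected."""
    for e in entries:
        if _matches(e, proto, src, dst, dport):
            return "redirect" if e.action == "permit" else "bypass"
    return "bypass"


# The ACL content from the article.
ARTICLE_ACL = "permit tcp any any eq 80\n"

# Constructed variant with the optional ISE exemption and HTTPS redirect lines.
EXEMPT_ISE_ACL = (
    f"deny ip any host {ISE_PSN_IP}\n"  # never redirect traffic to ISE itself
    "permit tcp any any eq 80\n"
    "permit tcp any any eq 443\n"       # also redirect HTTPS
)

if __name__ == "__main__":
    acl = parse_acl(EXEMPT_ISE_ACL)
    for flow in [("tcp", "198.51.100.7", 80), ("tcp", ISE_PSN_IP, 80),
                 ("tcp", "198.51.100.7", 443), ("udp", "198.51.100.7", 53)]:
        print(flow, "->", classify(acl, flow[0], "10.0.0.5", flow[1], flow[2]))
```

Running the script shows that with the article's one-line ACL only HTTP is redirected, while with the variant the ISE node is exempted even though port 80 would otherwise match, because the deny line sits before the permit.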

 

Find out external ACL name: Method 1 using URL-Redirect ACL as dACL to reveal the name

1. Go to Policy > Policy Elements > Results > Authorization > Authorization Profile

2. Click Add

3. Provide a name and create a simple authorization profile with the URL-Redirect ACL as dACL

4. Go to Policy > Policy Set
5. Assign it to any policy and get it matched to a real authentication with a test endpoint
6. Go to LiveLog and grab the ACL name shown in the details of the log or just above the real user authentication event. In our example it is #ACSACL#-IP-Redirect-Test-5e7a886a

[Screenshot: Screen Shot 2020-03-24 at 6.46.39 PM.png]

7. Once the ACL name has been captured, you can delete this temporary authorization profile

 

Find out external ACL name: Method 2 using configuration change alarm

1. Go to main ISE dashboard
2. Within ALARMS dashlet, click on “Configuration Changed” Alarm
3. Find the line for the creation of the Downloadable ACL, which reads something like “Configuration Added: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test”, and click Details. If the ACL was modified rather than created, it will read “Configuration Changed: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test”. Make sure to pick the latest event

4. At the bottom there is a line that starts with “object created: …
5. Copy the number that comes after the “GenerationId=” part. In my example it is 1585088618. This is the epoch timestamp of when the ACL was created, and it is also used as the version number.

[Screenshot: Screen Shot 2020-03-30 at 8.58.00 AM.png]

6. Convert this number into hexadecimal using any calculator to get the actual version number in use, which is 5e7a886a

[Screenshot: Screen Shot 2020-03-27 at 4.21.33 PM.png]

7. Now we are going to build the external ACL name, which is the concatenation of #ACSACL#-IP-, the ACL name, -, and the version number. In our example it will be

#ACSACL#-IP-Redirect-Test-5e7a886a

Note: The version number is case sensitive and should be in lower case

 

Create CWA authorization profile

Create or modify existing CWA authorization profile and replace the redirect ACL with the name that we generated.

Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_IPV4_TRAFFIC
cisco-av-pair = url-redirect-acl=#ACSACL#-IP-Redirect-Test-5e7a886a
cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=deaaa863-1df0-4198-baf1-8d5b690d4361&daysToExpiry=value&action=cwa

[Screenshot: Screen Shot 2020-03-24 at 6.49.03 PM.png]

Note: I am also using the regular dACL "PERMIT_ALL_IPV4_TRAFFIC" alongside the downloadable URL-Redirect ACL in the example above

 

IMPORTANT: Every time you modify the redirect ACL on ISE, its version number changes. Make sure to go through one of the two methods again to find the updated version number and apply it in the authorization profile; otherwise the profile keeps referencing the old ACL name.
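The steps of Method 2, the av-pair for the CWA authorization profile, and the version check behind the IMPORTANT note above are combined in the following added example (mine, not ISE code). It pulls the ACL name and GenerationId out of alarm text shaped like the lines quoted in Method 2 (the alarm text here is a constructed sample), converts the epoch to the lower-case hex version tag, assembles the external name and the `url-redirect-acl` av-pair, and reports whether a name already configured in a profile is stale with respect to the current GenerationId. The `NAME_RE` pattern and the `is_stale` helper are my own additions.

```python
"""Added example: derive the external name of a downloadable URL-Redirect ACL
from the GenerationId in the ISE "Configuration Changed" alarm, build the
cisco-av-pair for the CWA authorization profile, and detect a stale reference.
"""
import re
from datetime import datetime, timezone
from typing import Tuple

PREFIX = "#ACSACL#-IP-"

# Constructed sample of the two alarm lines Method 2 tells you to read.
ALARM_DETAILS = """\
Configuration Added: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test
object created: ... GenerationId=1585088618 ...
"""


def parse_alarm(details: str) -> Tuple[str, int]:
    """Return (acl_name, generation_id) from the alarm detail text."""
    name = re.search(r"Object Type=Downloadable ACLs; Object Name=([^\s;]+)", details)
    gen = re.search(r"GenerationId=(\d+)", details)
    if not name or not gen:
        raise ValueError("alarm text lacks a Downloadable ACL name or GenerationId")
    return name.group(1), int(gen.group(1))


def version_tag(generation_id: int) -> str:
    """The version suffix is the epoch GenerationId in lower-case hexadecimal."""
    return format(generation_id, "x")


def external_acl_name(acl_name: str, generation_id: int) -> str:
    """#ACSACL#-IP- + ACL name + - + version, exactly as shown in the article."""
    return f"{PREFIX}{acl_name}-{version_tag(generation_id)}"


def redirect_av_pair(acl_name: str, generation_id: int) -> str:
    """Value of the cisco-av-pair attribute in the CWA authorization profile."""
    return f"url-redirect-acl={external_acl_name(acl_name, generation_id)}"


def generation_time(generation_id: int) -> datetime:
    """GenerationId is a Unix epoch, so it doubles as the creation time (UTC)."""
    return datetime.fromtimestamp(generation_id, tz=timezone.utc)


# Own addition: external names end in 8 lower-case hex digits (epoch until 2106).
NAME_RE = re.compile(r"^#ACSACL#-IP-(.+)-([0-9a-f]{8})$")


def is_stale(configured_name: str, current_generation_id: int) -> bool:
    """True when the name in the authorization profile does not carry the
    version of the ACL currently on ISE, i.e. the ACL was edited since."""
    m = NAME_RE.match(configured_name)
    if not m:
        raise ValueError(f"not a valid lower-case external dACL name: {configured_name}")
    return m.group(2) != version_tag(current_generation_id)


if __name__ == "__main__":
    name, gen = parse_alarm(ALARM_DETAILS)
    print(external_acl_name(name, gen))          # #ACSACL#-IP-Redirect-Test-5e7a886a
    print(redirect_av_pair(name, gen))
    print(generation_time(gen).isoformat())
    # Pretend the ACL was edited one second later: the old name is now stale.
    print(is_stale(external_acl_name(name, gen), gen + 1))
```

Because `is_stale` rejects an upper-case hex suffix outright, it also catches the case-sensitivity mistake the note under Method 2 warns about.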

 

Result

Assuming both the dACL and the downloadable URL-Redirect ACL are applied, you will see the authentication success followed by two ACL entries:

[Screenshot: Screen Shot 2020-03-24 at 6.45.54 PM.png]

Also, the Result section of the live log details will show the corresponding downloadable URL-Redirect ACL and dACL

[Screenshot: Screen Shot 2020-03-30 at 9.03.16 AM.png]

 

 

Comments
Collaborator

Hi,

 

   Interesting, never looked at this, as it seems the "version" part of the ACL was not really consistent. So it changes each time you modify the ACL and only at that point? Does it survive a reload of ISE (hard) or of its services?

 

Regards,

Cristian Matei.

Cisco Employee

Yes, the ACL version will survive the reload.