If you have ever configured CWA (Central Web Authentication) with ISE, you understand that it requires an ACL that dictates which traffic is redirected and which is let through without redirection. You also understand that this ACL has to be configured locally on the switch or the wireless controller and referenced by name from ISE; its content cannot be downloaded from ISE the way a dACL (downloadable ACL) can. The URL-Redirect ACL is not limited to CWA; it is used throughout the ISE advanced flows such as BYOD, posture, and MDM/EMM. Being able to download the URL-Redirect ACL provides great value: it lets administrators centralize the ACL and eliminates the need to touch every network device whenever the ACL needs to be updated. The feature was introduced on IOS-XE; however, ISE currently lacks the support to leverage it.
Here, I am going to provide an experimental configuration that you can try for a downloadable URL-Redirect ACL from ISE, just like a dACL. It requires a few steps to grab the version number of the ACL, but it is fairly simple once the external name of the ACL is found. This has been tested with:
Catalyst 9800 v17.1.1s, but should also work with previous versions
Catalyst 9300 v16.12.1, but should also work with v16.9.1 and above on other Catalyst 9k switch models
Create URL-Redirect ACL
1. Login to ISE
2. Go to Policy > Policy Elements > Results > Authorization > Downloadable ACLs
3. Click Add
4. Provide a name. I am using "Redirect-Test" in my example
5. Enter the following in the DACL Content box and click Submit
permit tcp any any eq 80
Note: the implicit deny ensures that other traffic is not redirected. You can also add a line exempting ISE itself, or a permit statement for HTTPS, if necessary
Find out external ACL name: Method 1 using URL-Redirect ACL as dACL to reveal the name
1. Go to Policy > Policy Elements > Results > Authorization > Authorization Profile
2. Click Add
3. Provide a name and create a simple authorization profile with the URL-Redirect ACL as dACL
4. Go to Policy > Policy Set
5. Assign it to any policy and get it matched by a real authentication with a test endpoint
6. Go to LiveLog and grab the ACL name shown in the details of the log, or just above the real user authentication event. In our example it is #ACSACL#-IP-Redirect-Test-5e7a886a
7. Once the ACL name has been captured, you can delete this temporary authorization profile
Find out external ACL name: Method 2 using configuration change alarm
1. Go to the main ISE dashboard
2. Within the ALARMS dashlet, click on the "Configuration Changed" alarm
3. Find the line for the creation of the Downloadable ACL that reads something like "Configuration Added: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test" and click Details. If it was modified it will read "Configuration Changed: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test". Make sure to pick the latest event
4. At the bottom there is a line that starts with "object created: …"
5. Copy the number that comes after the "GenerationId=" part. In my example it is 1585088618. This is the epoch when the ACL was created, which is also used as the version number.
6. Convert this number into hexadecimal format using any calculator to get the actual version number in use which is 5e7a886a
7. Now we are going to build the external ACL name, which is the concatenation of #ACSACL#-IP-, the ACL name, -, and the version number. In our example it will be #ACSACL#-IP-Redirect-Test-5e7a886a
Note: The version number is case sensitive and should be in lower case
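The following is an added worked example (not part of the original post) that encodes the naming rule from Method 2: it pulls the object name and GenerationId out of alarm text shaped like the lines quoted above, converts the epoch to lowercase hex, and assembles the external name. The alarm lines are constructed samples; the layout of the "object created:" details line beyond the "GenerationId=" token named in the post is an assumption, and the parser only relies on that token.

```python
"""Derive the external name of an ISE dACL from "Configuration Changed" alarm text.

Naming rule from the post: "#ACSACL#-IP-" + dACL name + "-" + version, where the
version is the dACL's GenerationId (creation epoch) rendered in lowercase hex.
"""
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

PREFIX = "#ACSACL#-IP-"

# Alarm summary lines as quoted in the post ("Configuration Added" / "Configuration Changed").
_ALARM_RE = re.compile(
    r"Configuration (?:Added|Changed): .*?Object Type=Downloadable ACLs; Object Name=(?P<name>[^;]+)"
)
# The GenerationId token on the details line; the rest of that line's layout is assumed.
_GENID_RE = re.compile(r"GenerationId=(?P<genid>\d+)")
# Shape of a well-formed external name: the version must be lowercase hex (case sensitive).
_EXTERNAL_RE = re.compile(r"^#ACSACL#-IP-(?P<name>.+)-(?P<version>[0-9a-f]+)$")

# Constructed sample: an older event followed by the latest one for the same dACL.
# The GenerationId 1585088618 and name Redirect-Test are the post's own example values.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("Configuration Added: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test",
     "object created: Name=Redirect-Test; GenerationId=1585088000"),   # layout assumed
    ("Configuration Changed: Admin=admin; Object Type=Downloadable ACLs; Object Name=Redirect-Test",
     "object created: Name=Redirect-Test; GenerationId=1585088618"),   # layout assumed
]


def version_from_generation_id(generation_id: int) -> str:
    """Epoch seconds -> lowercase hex version string, e.g. 1585088618 -> '5e7a886a'."""
    return format(generation_id, "x")


def external_acl_name(dacl_name: str, generation_id: int) -> str:
    """Concatenate prefix, dACL name, '-' and the hex version."""
    return f"{PREFIX}{dacl_name}-{version_from_generation_id(generation_id)}"


def is_valid_external_name(name: str) -> bool:
    """True only if the name has the expected shape and a lowercase hex version."""
    return _EXTERNAL_RE.match(name) is not None


def created_at(generation_id: int) -> datetime:
    """GenerationId is the creation epoch; useful to confirm you picked the latest event."""
    return datetime.fromtimestamp(generation_id, tz=timezone.utc)


def derive_from_alarm_details(events: List[Tuple[str, str]],
                              dacl_name: Optional[str] = None) -> str:
    """Return the external name for the most recent Downloadable ACLs event.

    events: (alarm summary line, details line) pairs as copied from the alarm view.
    dacl_name: restrict to one dACL when the alarm list covers several.
    """
    candidates = []
    for alarm_line, details_line in events:
        m_alarm = _ALARM_RE.search(alarm_line)
        m_gen = _GENID_RE.search(details_line)
        if not (m_alarm and m_gen):
            continue
        name = m_alarm["name"].strip()
        if dacl_name is not None and name != dacl_name:
            continue
        candidates.append((int(m_gen["genid"]), name))
    if not candidates:
        raise ValueError("no Downloadable ACLs event with a GenerationId found")
    generation_id, name = max(candidates)  # highest epoch == latest event
    return external_acl_name(name, generation_id)


if __name__ == "__main__":
    name = derive_from_alarm_details(SAMPLE_EVENTS, "Redirect-Test")
    print(name, "created", created_at(1585088618).isoformat())
    print("well-formed:", is_valid_external_name(name))
```

The `is_valid_external_name` check is there to catch the case-sensitivity trap: a version pasted in uppercase hex (as many calculators print it) is rejected, which is the same reason the switch would fail to match the ACL the controller or switch downloaded.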
Create CWA authorization profile
Create or modify an existing CWA authorization profile and replace the redirect ACL name with the external name generated above.