
ISE 2.0 - Blackhole/Blacklist Wireless Access redirect not working

pjiracek
Level 1

Hi there,

On ISE 2.0 I have a wireless authentication policy which assigns devices in the Blacklist identity group this authorization profile:

Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=BLACKHOLE
cisco-av-pair = url-redirect=https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9

There is a BLACKHOLE ACL on the WLC allowing access to DNS and ISE only.

Now, the client in the Blacklist group hits the rule (I can see it in the RADIUS Livelog) but is not redirected and continues to have access to the whole network.

If I troubleshoot the endpoint, I can see it correctly resolves the ip:port in the redirect URL (x.x.x.x:8444) and creates Airespace-ACL-Name = BLACKHOLE but somehow doesn't apply them. The URL https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9 is set up on the ISE as the Blacklist portal and is fine.

What is going on?

I have a similar redirect for Guest access and it works OK.

Many thanks

Pavel

1 Reply

sjarchung
Level 1

I got this working without using an Airespace ACL.  Mine looks like this:

Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://10.40.2.111:port/blacklistportal/gateway?portal=0eed9e80-6d90-11e5-978e-005056bf2f0a
cisco-av-pair = url-redirect-acl=BLACKHOLE
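
For comparing the two authorization results in this thread, here is an added example (not part of either post, and not Cisco code) that parses attribute lines in the format shown above, checks the redirect pair, and lists which attributes one result has that the other lacks. The 192.0.2.x addresses are constructed stand-ins for the masked IPs, port 8444 in the reply's URL is an assumption taken from the question, and all function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples based on the two posts (IPs are documentation addresses).
QUESTION_RESULT = """
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=BLACKHOLE
cisco-av-pair = url-redirect=https://192.0.2.10:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9
Airespace-ACL-Name = BLACKHOLE
"""
REPLY_RESULT = """
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://192.0.2.11:8444/blacklistportal/gateway?portal=0eed9e80-6d90-11e5-978e-005056bf2f0a
cisco-av-pair = url-redirect-acl=BLACKHOLE
"""

def parse_result(text):
    """Parse 'Name = value' lines; a cisco-av-pair is keyed by its inner name."""
    attrs = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not an attribute line
        name, value = name.strip(), value.strip()
        if name.lower() == "cisco-av-pair":
            # The value is itself 'inner-name=inner-value'; split on the first '='.
            name, _, value = value.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs

def redirect_findings(attrs):
    """Return a list of problems with the url-redirect / url-redirect-acl pair."""
    findings = []
    if ("url-redirect" in attrs) != ("url-redirect-acl" in attrs):
        findings.append("url-redirect and url-redirect-acl are not both present")
    url = attrs.get("url-redirect")
    if url:
        parts = urlsplit(url)
        try:
            port = parts.port  # raises ValueError on a placeholder such as 'port'
        except ValueError:
            port = None
        if port is None:
            findings.append("redirect URL has no numeric port")
        if "portal" not in parse_qs(parts.query):
            findings.append("redirect URL has no portal= id")
    return findings

def only_in(a, b):
    """Attribute names returned in result a but not in result b."""
    return sorted(set(a) - set(b))
```

Run against these samples, the only attribute present in the question's result and absent from the reply's is `Airespace-ACL-Name`, which matches the difference the reply describes.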
