
ISE 2.0 - Blackhole/Blacklist Wireless Access redirect not working

pjiracek
Level 1

Hi there,

On ISE 2.0 I have a wireless authentication policy which assigns devices in the Blacklist identity group this authorization profile:

Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=BLACKHOLE
cisco-av-pair = url-redirect=https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9

There is a BLACKHOLE ACL on the WLC allowing access to DNS and ISE only.

Now, the client in the Blacklist group hits the rule (I can see it in Radius Livelog) but is not redirected and continues having access to the whole network.

If I troubleshoot the endpoint, I can see it correctly resolves the ip:port in the redirect URL (x.x.x.x:8444) and creates Airespace-ACL-Name = BLACKHOLE but somehow doesn't apply them. The URL https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9 is set up on the ISE as Blacklist portal and is fine.

What is going on?

I have a similar redirect for Guest access and it works OK.

Many thanks

Pavel

1 Reply

sjarchung
Level 1

I got this working without using an Airespace ACL. Mine looks like this:

Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://10.40.2.111:port/blacklistportal/gateway?portal=0eed9e80-6d90-11e5-978e-005056bf2f0a
cisco-av-pair = url-redirect-acl=BLACKHOLE
