Hi there,
On ISE 2.0 I have a wireless authentication policy which assigns devices in the Blacklist identity group this authorization profile:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=BLACKHOLE
cisco-av-pair = url-redirect=https://ip:port/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9
There is a BLACKHOLE ACL on the WLC allowing access to DNS and ISE only.
Now, the client in the Blacklist group hits the rule (I can see it in the RADIUS Livelog) but is not redirected and continues to have access to the whole network.
If I troubleshoot the endpoint, I can see it correctly resolves the ip:port in the redirect URL (x.x.x.x:8444) and creates Airespace-ACL-Name = BLACKHOLE but somehow doesn't apply them. The URL https://x.x.x.x:8444/blacklistportal/gateway?portal=9a9d1710-1400-11e5-bea4-005056bf01c9 is set up on the ISE as the Blacklist portal and is fine.
What is going on?
I have a similar redirect for Guest access and it works OK.
Many thanks
Pavel