Ironport - Specific URL redirect without catching all domain traffic

Hi, we have a set up using Cisco Ironport S370 running Async OS 7.5.
We would like to redirect users' requests for some very specific top level domains such as www.bbc.co.uk,
however we do not want to redirect urls such as www.bbc.co.uk/news.
Is this possible using our current set up? At present everything we have tried catches all traffic under the main domain so that www.bbc.co.uk/news or www.bbc.co.uk/sport are also being redirected.
Thanks in advance for your help/suggestions.
Paul

Hi Chris, thanks for responding, much appreciated.
I am working on this project a little third hand and so cannot test directly here.
For the first custom category would it be possible to use a wildcard in the expression without this wiping out the 2nd custom category?
I don't think it would be workable if we had to maintain a list of all the urls used by the sites we want to perform this on.
So the first category would be allow
www\.bbc\.co\.uk/*
and the second custom category would be redirect
www\.bbc\.co\.uk
Thanks and regards,
Paul
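
The matching behaviour behind the question above, as an added example that is not part of the original posts. It assumes the proxy applies each custom-category regex as an unanchored search against host plus path and takes the first category that matches; Python's `re` stands in for the appliance's regex engine, and the anchored patterns, the sample requests and the host www.bbc.co.uk.example.net are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Categories as proposed in the thread, in the order given there.
# As a regex, "/*" means "zero or more slashes", not "slash then anything".
POSTED = [
    ("allow", r"www\.bbc\.co\.uk/*"),
    ("redirect", r"www\.bbc\.co\.uk"),
]

# Constructed alternative (an assumption, not from the thread): anchor both
# ends so the redirect category matches only the bare host or a lone "/".
ANCHORED = [
    ("redirect", r"^www\.bbc\.co\.uk/?$"),
    ("allow", r"^www\.bbc\.co\.uk/.+"),
]

# Constructed sample requests.
SAMPLES = [
    "http://www.bbc.co.uk",
    "http://www.bbc.co.uk/",
    "http://www.bbc.co.uk/news",
    "http://www.bbc.co.uk/sport",
    "http://www.bbc.co.uk.example.net/",  # lookalike host
]


def match_target(url):
    """Reduce a URL to host + path, the string assumed to be matched.

    The query string is ignored; the host is lower-cased by urlsplit.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "") + parts.path


def classify(url, categories, default="no-match"):
    """Return the action of the first category whose regex is found."""
    target = match_target(url)
    for action, pattern in categories:
        if re.search(pattern, target):
            return action
    return default


def decisions(categories, urls=SAMPLES):
    """Map every sample URL to the action it would receive."""
    return {url: classify(url, categories) for url in urls}


def unreachable(categories, urls=SAMPLES):
    """Actions that never win for any sample: a sign of a shadowed category."""
    hit = set(decisions(categories, urls).values())
    return [action for action, _ in categories if action not in hit]


if __name__ == "__main__":
    for name, cats in (("posted", POSTED), ("anchored", ANCHORED)):
        print(name, "unreachable:", unreachable(cats))
        for url, action in decisions(cats).items():
            print(f"  {action:9} {url}")
```

Under these assumptions the two posted patterns match exactly the same requests, so whichever category is evaluated first decides everything, and both also match the lookalike host.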

Similar Messages

  • Url redirects using the BC domain

    My url redirects are using the BC domain name instead of my "added domain".
    eg : 
    Inside the url directs section it shows
    http://mydomain.businesscatalyst.com       
    instead of
    http://www.mydomain.com
    as the source destination.
    Should that be happening?  In doing so it's causing a few of my redirects not to work correctly.

    Hello Sydney,
    Thanks for the help.  We never used the .businesscatalyst.com domain as a link reference when building the site and looking over it again, as far as we can see, we've used all relative urls.
    The only way the .businesscatalyst.com may have been inserted is if BC itself inserted it somewhere (maybe a stray link somewhere). 
    I can add a screenshot of the reference but BC and CC seem to be down as it's not logging me in (constantly loading).
    The reference itself is appearing in the "Url redirect section" of BC, in the "add redirect" window.
    For the source destination it asks for folder/filename and below that it is the auto generated url which is using the system url instead of the "added domain".
    I'll try and add a screenshot once Adobe let me log in.

  • LDAP Accept query for "catch all" domains

    I'm far from an LDAP expert so I'm posting this both as a "look what I did!" and an "is there a better way?"
    The query feels fairly typical until the end where I look for "absolute-catchall@[the domain]". Effectively this accepts "anything"@"domain." Is this what you do? Is there a better way? Is this already in the manual somewhere :)
    (|(|(gecos={u})(|(mail={a})(mail={u})))(mail=absolute-catchall@{d}))

    I don't think these kind of tricks are in the handbook, but you're not the only one using something like this. A similar query was posted here: http://www.ironportnation.com/forums/viewtopic.php?p=718#718
    I'm using this to skip recipient checking for domains where i'm only acting as backup MX and can't verify the addresses.

  • Uploading i-web sites to specific url

    I have created two websites using i-web. I have tested on 60 day trial account with .mac & they look great. I want to upload to specific urls. Have separated the domain files into two. Have Cyber Duck as ftp server. But how do I ACTUALLY upload? I have tried by dragging the domain file to Cyber Duck but it doesn't work. Can anyone let me know the procedure of doing it properly so that it works?
    many thanks indeed.

    If you have set up your dotMac account details in the System Preferences, then in iWeb you can publish your Site(s) to dotMac.
    Here's the tutorial: http://www.apple.com/ilife/tutorials/#iweb-publish-60
    No need for Cyberduck which isn't a FTP Server but an application to upload files to such server.
    dotMac does not support FTP, so Cyberduck is irrelevant.
    Your domain file is where iWeb stores the info when you edit your Site(s). You keep that file on your computer. It has no use outside iWeb.
    If you do not continue your dotMac account after the trial period, you have to publish your Site(s) to a folder and then use Cyberduck to transfer the Site(s) to your FTP server.
    Once published to a folder it is not an iWeb issue anymore. You can even edit the published pages in a HTML Editor of your choice.
    You can also publish your Site(s) to the Sites folder in your Home directory and serve them with Personal Webserver.
    It's great for testing pages, before you make them public.

  • Disable creation of VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?

    Is there a way to disable creation of the VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?
    I know that you can disallow storing all domain creds in Credential Manager by setting the following registry entry to 1 (but this doesn't fix my issue):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Value Name: DisableDomainCreds
    Value Type: REG_DWORD
    Value: 1
    On my Windows 8 Enterprise workstation, I use mapped drives with one domain account and Outlook with a different domain account. Using the fix above fixes my issue with mapped drives (after sleep mode, reconnect to VPN and my mapped drives won't reconnect until
    I delete the '*Session' credential) but then I cannot use Outlook at all.  Note: I do not log on to Windows 8 with either of the domain
    accounts mentioned above (I use a local admin account) and I do not 'save my password' in Outlook.

    I should clarify my question: Is there a way to disable creation of the VPN "*Session" credential in Credential Manager
    without disabling all domain creds in Credential Manager?
    On my Windows 8 Enterprise workstation, I use mapped drives with one domain account and Outlook with a different domain account.
    Normally I can use Outlook if I am connected to the vpn and I can use it if I am not connected to the vpn.
    Normally I can use the mapped drives if I am connected to the vpn and I can use the mapped drives if I am not connected to the vpn.
    The vpn is essential for me to do my work for reasons other than the mapped drives and the usage of Outlook, but I need to be able to use the mapped drives and Outlook whether I am connected to the vpn or not.
    Let's say my two domain accounts are these: drive-account and outlook-account.  I must use the outlook-account for the connection to the vpn.  When I connect to the vpn, it creates the '*Session' credential in the Credential Manager for outlook-account,
    the mapped drives disconnect and they will not reconnect until I delete the newly created '*Session' credential.  The error is 'An error occurred while reconnecting <drive letter1:> to <\\network\path>  Microsoft Windows Network: The
    local device name is already in use.  This connection has not been restored.'  Further evidence that it is the '*Session' credential causing the failure to reconnect is that I have two mapped drives and if I disconnect one of them and try to reconnect
    the other one, I get a different error, 'An error occurred while reconnecting <drive letter2:> to <\\network\path2> Microsoft Windows Network: Multiple connections to a server or shared resource by the same user, using more than one user name,
    are not allowed. Disconnect all previous connections to the server or shared resource and try again.  This connection has not been restored.'  Manually recreating that first connection then allows me to get back into both, but I should not have to
    manually delete and recreate a mapped drive every time my computer goes to sleep.  At least the manual deletion of the '*Session' credential is slightly less intrusive, but I'd still appreciate if there is a way to disable the creation of the '*Session'
    credential without disabling all domain creds in Credential Manager.  As I have said, if I disable domain creds using the registry fix some have suggested, I do not get the drive errors (after sleep mode and reconnecting to vpn), but I cannot use Outlook
    at all.
    Note: I do not log on to Windows 8 with either of the domain accounts mentioned above (I use a local admin account) and I do not 'save my password' in Outlook.

  • How to setup a catch all email accounts on a domain?

    I am currently hosting several different domains on our server. On one of the domains, we would like to set up a catch all email account. Right now we have [email protected], and [email protected], but would like emails sent to any other address ('anything'@domain.com) to be directed to the [email protected] Is there a way to set up a wild card email address entry for a specific user account?

    Don't do this. Seriously.
    Your wildcard account will get inundated with every dictionary-based spam directed at your domain.
    Many spambots just try common names at every domain they can find - alex@, andrew@, joe@, john@, etc. sometimes generating tens of thousands of messages in the hope that one or two names match legitimate accounts.
    If you setup a wildcard account, all these messages will be accepted and dumped into this mailbox. If you don't have a wildcard account the messages will be rejected with a 'no such user' error (or dropped silently, depending on your mail server setup).
    If you really do want to do it, then you need to get under the hood and configure postfix manually (Server Admin won't do this for you). The specifics are covered in the Postfix virtual accounts documentation.

  • I have a cisco ironport c170, I want to set up URL redirect, but I don't know how to. Can you help me?

    I have a cisco ironport c170, I want to set up URL redirect, but I don't know how to. Can you help me?

    The C170 does not support URL redirection prior to OS release 8.5. What exactly do you need to accomplish?

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • How can I hide "Taxonomy Catch All Column" without using PowerShell?

    After having moved some files around, I find that my view and edit properties forms include the field "Taxonomy Catch All Column" and the field IDs which are just going to be confusing gobbledegook to my end users.
    I can't seem to find a way to get rid of it. I can't delete it and I can't see where to hide it. Searches only seem to turn up PowerShell script solutions, and I can't use PowerShell.
    It's SharePoint 2010 Server, I'm a site admin and I can use SharePoint Designer, but not powershell, no server access, no central admin access.
    Can anyone help please?

    Hi,
    For your issue, it seems to be related to using Content & Structure.
    If you choose to move content that contains managed metadata columns (or presumably enterprise keywords), the Taxonomy Catch All column shows up after you use the "Content and structure" tool. It shows up as a column in the library and is visible
    in "Edit Properties" on every document.
    Why can't you use PowerShell? It is convenient to solve your problem with PowerShell.
    Here is a similar post, you can use as a reference:
    https://social.msdn.microsoft.com/Forums/en-US/896cea1d-dc40-47f1-80f4-7a01f2d23fd9/what-is-the-significance-of-taxonomy-catch-all-column-lookup-column
    http://blogs.c5insight.com/Home/tabid/40/entryid/385/Why-Do-Hidden-Taxonomy-Catch-All-Columns-Become-Visible.aspx
    Besides, here is an article, you can have a look at:
    http://www.andrewconnell.com/sharepoint-2010-managed-metadata-in-depth-look-into-the-taxonomy-parts
    Best Regards,
    Lisa Chen
    TechNet Community Support

  • Nano syntax highlighting: catch-all syntax for configuration files

    After years of using nano, I only recently learned that it supports syntax coloring... (Why would they turn that off by default? ) Well, I thought I'll make up for it by making extra good use of it from now on...
    Unfortunately it didn't ship a highlighting syntax for the kind of files that I use nano the most for: system configuration files.
    So I wrote my own, and after tweaking a bit here and there whenever I encountered a config file for which the highlighting wasn't satisfactory at first, I think the result is now good enough (screenshots below) that it's worth sharing with my fellow Arch users:
    Code & Instructions:
    Here is the syntax definition:
    # config file highlighting
    syntax "conf" "(\.(conf|config|cfg|cnf|rc|lst|list|defs|ini|desktop|mime|types|preset|cache|seat|service|htaccess)$|(^|/)(\w*crontab|mirrorlist|group|hosts|passwd|rpc|netconfig|shadow|fstab|inittab|inputrc|protocols|sudoers)$|conf.d/|.config/)"
    # default text
    color magenta "^.*$"
    # special values
    icolor brightblue "(^|\s|=)(default|true|false|on|off|yes|no)(\s|$)"
    # keys
    icolor cyan "^\s*(set\s+)?[A-Z0-9_\/\.\%\@+-]+\s*([:]|\>)"
    # commands
    color blue "^\s*set\s+\<"
    # punctuation
    color blue "[.]"
    # numbers
    color red "(^|\s|[[/:|<>(){}=,]|\])[-+]?[0-9](\.?[0-9])*%?($|\>)"
    # keys
    icolor cyan "^\s*(\$if )?([A-Z0-9_\/\.\%\@+-]|\s)+="
    # punctuation
    color blue "/"
    color brightwhite "(\]|[()<>[{},;:=])"
    color brightwhite "(^|\[|\{|\:)\s*-(\s|$)"
    # section headings
    icolor brightyellow "^\s*(\[([A-Z0-9_\.-]|\s)+\])+\s*$"
    color brightcyan "^\s*((Sub)?Section\s*(=|\>)|End(Sub)?Section\s*$)"
    color brightcyan "^\s*\$(end)?if(\s|$)"
    # URLs
    icolor green "\b(([A-Z]+://|www[.])[A-Z0-9/:#?&$=_\.\-]+)(\b|$| )"
    # XML-like tags
    icolor brightcyan "</?\w+((\s*\w+\s*=)?\s*("[^"]*"|'[^']*'|!?[A-Z0-9_:/]))*(\s*/)?>"
    # strings
    color yellow "\"(\\.|[^"])*\"" "'(\\.|[^'])*'"
    # comments
    color white "#.*$"
    color blue "^\s*##.*$"
    color white "^;.*$"
    color white start="<!--" end="-->"
    To install, save the above code snippet as a file called conf.nanorc in the folder /usr/share/nano/ (or /usr/local/share/nano/ or similar if you feel strongly about the /usr <--> /usr/local separation), and then add the following to the end of the file /etc/nanorc:
    ## Configuration files (catch-all syntax)
    include "/usr/share/nano/conf.nanorc"
    Hints:
    The colors I chose look good (imo) with the terminal background and color settings that I use, but might not look good, or even readable, with yours, so simply change the color names in the code snippet to whatever you prefer - valid color names are:
    If you use a console with white background, you'll have to change at least the white color I chose for comments and punctuation.
    The first code line in the snippet includes a regular expression that defines for which file names this syntax highlighting should be used. Whenever you encounter a config file that is not matched by this, but you would still like to open it with syntax highlighting, you can manually select this syntax with nano's -Y switch, like so:
    nano -Y conf myConfigFile
    Technical Note:
    It's implemented as a single catch-all syntax, since nano chooses which syntax to apply based on the filename, and in the case of config files usually not much can be learned about the content format from the file name extension (.conf can be anything from flat key/value tuples to XML, .ini can be the official INI format or something else, etc...).
    This means that some compromises have been made, so with this highlighting syntax probably no config file looks 100% as good as a highlighting syntax that would be specifically optimized for one kind of config format, but all in all the vast majority of config files should look pretty good.
    Screenshots:
    /etc/rc.conf,  /etc/hosts:
    /etc/pacman.conf,  /etc/group:
    xorg.conf,  some .desktop file:
    httpd.conf (Apache config),  php.ini:
    More screenshots:
    /etc/fonts/fonts.conf (uses XML)
    /etc/inittab
    /etc/fstab
    /etc/inputrc
    /etc/mime.types
    /etc/protocols
    /etc/xinetd.conf
    See Also:
    nano syntax highlighting: GNU makefiles
    Update [2012-01-28]: Made some more improvements to the syntax definition (see post)
    Last edited by sas (2012-02-01 15:26:43)

    doug piston wrote: I deal with a lot of .mk files and would love to see it there.
    You mean GNU makefiles?
    I'm afraid they might be out of scope for this generic config-file syntax.
    Logically they're not system config files, and technically they're a pretty specialized and complex format (different "types" of rules, rules spanning multiple lines, rules containing arbitrary Bash code, etc.).
    This is how an .mk file currently looks with this highlighting syntax:
    $ nano -Y conf /usr/lib/httpd/build/rules.mk
    And apart from highlighting variables of the form $$abc or $(abc), I'm not sure how much can be improved here without breaking the highlighting for more conventional config files.
    It would probably be better to create a specialized highlighting syntax just for .mk files.
    EDIT: I sat down and did just that, here's the result: nano syntax highlighting: GNU makefiles, and here is how the above makefile snippet looks with it:
    Last edited by sas (2012-02-01 15:18:52)

  • Need help with URL Redirect in Sun Web Server 7 u5

    All I am trying to do is redirect to a static URL and for the life of me I cannot get it to behave the way I would expect. I am new to Sun Web Server so I am just trying to use the Admin Console to set this up.
    Here is what I'm trying to do:
    Redirect from - http://www.oldsite.com/store/store.html?store_id=2154
    To - http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
    Here's what I tried in the console.
    Added a new URL Redirect
    Set the Source to be Condition and set it to: '^/store_id=2154$' (quotes included)
    Then set the Target to: http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
    Then for the URL Type I checked Fixed URL
    When I tested with: http://www.oldsite.com/store/store.html?store_id=2154 it did redirect as desired
    BUT
    When I tested with: "http://www.oldsite.com/store/store.html?store_id=5555" it too got redirected to the Target and I can't figure out how this second URL can satisfy the condition to get redirected.
    Any help is most appreciated.

    Thanks for choosing Sun Web Server 7.
    It is simpler if you just edit the configuration files manually:
    cd <ws7-install-root>/https-<hostname>/config/
    Edit obj.conf or <hostname>-obj.conf (if there is one for you, depending on your configuration) so that it looks something like:
    <Object name="default">
    AuthTrans..
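    # add the following lines here
    <If defined $query>
    # $urlhost holds a host name, so the pattern must not begin with "/"
    <If $urlhost =~ "oldsite.com" and
    $uri =~ "/store/store.html" and
    $query =~ "store_id=2154" >
    # the redirect SAF takes its target in the url parameter
    NameTrans fn="redirect" from="/" url="http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154"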
    </If>
    </If>
    ..rest of the existing obj.conf. continues
    NameTrans...
    Now you can either run <ws7-install-root>/https-<hostname>/bin/reconfig to reload your configuration without any server downtime, or <ws7-install-root>/https-<hostname>/bin/restart to restart the server.
    If it did work out for you, you will need to run the following so that the admin server is aware of what you just did:
    <ws7-install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname.domainname>
    Hope this helps.

  • URL redirection config in PI SOAP receiver communication channel

    Hi,
    I am working on a similar scenario where I am consuming an external web service using https protocol from PI.
    I have configured a soap receiver channel to call the target url of this web service as https://portal.xyz.org.uk/webservice_alt.
    I am getting an error HTTP 302 suggesting that PI is not able to follow the re-direction to the target URL as the service resides not on that URL but on https://portal1.xyz.org.uk/webservice_alt or https://portal2.xyz.org.uk/webservice_alt.
    This is their server fail over handling mechanism which is very common. But PI 7.0 is not able to handle this.
    So if I change the target URL on the SOAP receiver channel to  https://portal1.xyz.org.uk/web service  or  https://portal2.xyz.org.uk/webservice_alt , PI works fine without errors . But this is not the right approach because, every time the web service provider takes one of these systems down for upgrade/patching etc, they inform us and then I manually go and change the target URL to the available server on my production PI system config.
    My problem is I want to resolve this redirection error in PI. I have tried raising a call with SAP itself and they pointed out to use Axis adapter which is still not working.
    So I am here asking for help. any suggestions please from the experts?
    Thanks
    Jhansi.

    Hi guys,
    I am sorry if I have not been clear so far!!
    What I am talking about is a URL redirection capability of PI. What I mean is, when you call any service in general using a browser/soap ui etc, it pings that url and follows the redirection.
    For example when I try to test this external web service directly using soap ui tool, it also returns HTTP 302 error. But when I set the 'Follow redirect' property to 'true', it follows the redirection and calls the service on 'portal1' or 'portal2'.
    You assume PI is a test tool like SOAPUI. When the address or URL changed in WSDL and if you load the latest WSDL in soapUI it post the request to the latest URL. You import WSDL only in ESR not in IR. Don't forget it. Though WSDL has soap address location, it will not impact the wsdl changes directly in ID.
    It makes no sense to complain regarding the behaviour of PI when the reason for the problem is outside (WS provider).
    Please note that the target url is fixed, which is https://portal.xyz.org.uk/webservice_alt.
    So we are not talking here about the service provider altering the service and sending us new wsdl's etc.
    All users of this webservice have been non-sap users so far and consumers use java, .net etc platforms and are easily able to handle the redirection, because this redirection is a part of failover mechanism.
    I hope I am able to picture my problem.
    Thanks
    Jhansi.

  • ISE url-redirect CWA to Gig1

    Hello,
    Say I want to have five ISE 1.3 nodes behind load balancer, I want only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE & Switch URL redirect not working

    Dear team,
    I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC gets MAB authz success, ISE pushes URL redirect to switch. The only problem is when I open browser, it is not redirected.
    Here is some output from my 3560C:
    Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
    SW3560C-LAB#sh auth sess int f0/3
                Interface:  FastEthernet0/3
              MAC Address:  f0de.f180.13b8
               IP Address:  10.0.93.202
                User-Name:  F0-DE-F1-80-13-B8
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect:  https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A005DF40000000D0010E23A
          Acct Session ID:  0x00000011
                   Handle:  0xD700000D
    Runnable methods list:
           Method   State
           mab      Authc Success
    SW3560C-LAB#sh epm sess summary
    EPM Session Information
    Total sessions seen so far : 10
    Total active sessions      : 1
    Interface            IP Address   MAC Address       Audit Session Id:
    FastEthernet0/3       10.0.93.202  f0de.f180.13b8    0A005DF40000000D0010E23A
    Could you please help to explore the problem? Thank you very much.

    With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
    In my experience some users cannot get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP SYN ACK.
    It is rare in campus network that access layer switches have user SVI configured, so the redirect traffic has to be sent from the netman SVI, but trickily the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL residing on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
    Tips:
    1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
    2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but cannot see the SYN ACK from the requested server.
    Which can win the race: increasing bandwidth with new technologies VS QoS?

  • Cisco ISE guest portal redirect not working after successful authentication and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
    I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to get the guest portal, you need to ensure the following things:
    1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the http and https servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP address.
    9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
    11) Or you need to do re-image again.
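
Checklist items 1, 4 and 5 from the answer above, automated as an added example that is not part of the original post or of any Cisco tooling. The two switch configurations and the url-redirect value are constructed samples, the function names are hypothetical, and the check assumes the redirect ACL follows the deny-ISE-then-permit shape shown in step 4.

```python
import re

ISE_IP = "80.0.80.2"  # ISE address used in the answer's ACL examples

# Constructed av-pairs in the form given in step 1 (URL value is a placeholder).
AV_PAIRS = [
    "url-redirect=https://ip:8443/guestportal/gateway?sessionId=CONSTRUCTED&action=cpp",
    "url-redirect-acl=ACL-WEBAUTH-REDIRECT",
]

# Constructed switch configuration that satisfies steps 4 and 5.
GOOD_CONFIG = """
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
ip http server
ip http secure-server
"""

# Constructed configuration with two faults: the ACL name uses an underscore
# where the av-pair uses a hyphen, and the HTTPS server is not enabled.
BAD_CONFIG = """
ip access-list extended ACL-WEBAUTH_REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
ip http server
"""


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for 'ip access-list extended' blocks."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list extended (\S+)$", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and re.match(r"(permit|deny|remark)\b", line):
            current.append(line)
        else:
            current = None  # any other line ends the ACL block
    return acls


def check_redirect(config, av_pairs, ise_ip):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    pairs = dict(p.split("=", 1) for p in av_pairs)
    if "url-redirect" not in pairs:
        findings.append("url-redirect av-pair missing")
    acl_name = pairs.get("url-redirect-acl")
    acls = parse_acls(config)
    if acl_name is None:
        findings.append("url-redirect-acl av-pair missing")
    elif acl_name not in acls:
        # Names must match exactly, including hyphen vs underscore and case.
        findings.append(f"ACL {acl_name} not defined on switch")
    else:
        entries = [e for e in acls[acl_name] if not e.startswith("remark")]
        deny = f"deny ip any host {ise_ip}"
        if deny not in entries:
            findings.append("traffic to ISE is not excluded from redirection")
        elif not any(e.startswith("permit")
                     for e in entries[entries.index(deny) + 1:]):
            findings.append("no permit after the ISE deny: nothing is redirected")
    lines = {line.strip() for line in config.splitlines()}
    for cmd in ("ip http server", "ip http secure-server"):
        if cmd not in lines:
            findings.append(f"'{cmd}' not configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_redirect(cfg, AV_PAIRS, ISE_IP))
```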
