ISE post compliant posture assessment URL redirection

G'day All,
Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
I am deploying a wireless BYOD ise deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
Thanks gang.
Cheers,
James.               

It is not possible to redirect user after authentication and posturing to a specific URL. because ISE does not support this feature till now.
I think  URL redirection can be done in web authentication if used in case of employee.
Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
Name
Central_Web_Auth
Description
(optional)
Access-Type
ACCESS_ACCEPT
DACL   Name
CENTRAL_WEB_AUTH
Centralized   Web Authentication
ACL:
ACL-WEBAUTH-REDIRECT
                                                          Redirect : Default
“ACL-WEBAUTH-REDIRECT” is  configured on  switch  which determines to which destination it will redirect 

Similar Messages

  • ISE 1.2 Posture Assessment with AnyConnect Client

    Hi Experts,
    I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
    Since new Anyconnect version 4 has come which is used for ISE 1.3 posture assessment however I am not sure if I can use Anyconnect 4 with ISE 1.2 ?  Can you please put light on this ?
    if not , do I need to upgrade to ISE 1.3 ? what is the process to upgrade to ISE 1.3 ?
    Thanks in advance

    ISE can provision clients with agent and configure agent profiles.You have Client-provisioning policies that enable users to download and install resources on client devices.(Windows and Mac OS X NAC Agents, Cisco NAC Web Agent.

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • ISE 1.2 Posture assessment (AV) system center endpoint

    the cisco NAC web agent can't detect AV (system center endpoint protection) is updated although it is updated.
    by troubleshooting , it seems it is related to Windows 8.1 as i tested the same AV on another machine Windows 7 and it is working.
    any body faced this issue?

    Support for Windows 8.1
    Cisco NAC Appliance Release 4.9(3) along with Cisco NAC Windows Agent 4.9.3.9 and Cisco NAC Web Agent Version 4.9.3.7 supports Microsoft Windows 8.1. See Also Patch Supporting Windows 8.1 and Mac OS X 10.9.
    In a Windows 8.1 client, in the metro mode, the NAC Agent shortcuts are available in the Apps screen instead of the Start screen.
    For a Windows 8.1 client machine, while configuring the user pages in CAM web console, if you have selected the web client as 'Java Applet Only' and enabled the 'Use web client to detect client MAC address and Operating System' option, then the client Operating System might be detected as Windows 8. While using Applet for Windows 8.1, configure the user page with WINDOWS_ALL. See Also CSCuj59700.

  • ISE doesn't remove URL redirect

    We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
    Debug shows RADIUS activity as normal, 802.1X failover to MAB, then rediect to webauth;
    003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
    003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
    https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
    | RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS                                                                                                                 
    003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
    000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
    003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
    https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa
    | RESULT SUCCESS
    003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS  
    003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
    003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
    | RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS          
    Then after successful authentication, VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but rediect is sent again from ISE. We've been over configs several times, but can't get to the bottom of this. Can anyone shed any light ?
    003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
    000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
    003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
    003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS                                                                                                           

    Fixed it !
    Great info from Tarik above, which lead me to the issue. My authz policy for redirect didn't include the Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying URL rediect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all wored as expected.
    After valid guest auth we now see DACL 'PERMIT_GUEST' and move to VL1040 as expected, without the URL rediect.
    003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
    003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
    003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
    003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
    NWS-TSL-HATB3F3-DistSW1#  
    003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
    000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
    NWS-TSL-HATB3F3-DistSW1#  
    003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS
    003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
    003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
    003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
    003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
    NWS-TSL-HATB3F3-DistSW1#  
    003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
    000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
    NWS-TSL-HATB3F3-DistSW1#  
    003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS

  • ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant

    ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant.
    - For old version 1.1.4 it can be reported for non-compliant, How can I generate report for this? 
    Thanks
    Kosin Usuwanthim

    It used to be in there (id 226635 is the last one with it); should I clean it up a bit and put it back with a bit more of a disclaimer?

  • Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
    I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to  get the guest portal, then you need to assure the following things:-
    1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect :
    https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
    0000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
    port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the http and https servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any  proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP  address.
    9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
    11) Or you need to do re-image again.

  • Issues getting url-redirect working with Cisco ISE

    Hi,
    I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch  which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.
    DEVLABSW01#show epm session ip 10.0.1.104
        Admission feature:  DOT1X
                  ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
    I have also attached my switch config. Any help would be greatly appreciated.
    Dan

    So im also doing ISE for the first time and i knew it may have been a bit tough however i didnt forsee my following issue.
    everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device -android, windows, etc..... i checked and checked the configs, had probably about 10 TAC cases open..... this weekend i ripped out the main components, setup in the offfice and tried to replicate the issue....i could...what i noticed is that without Internet the ISE Portal didnt actually display....it sounds weird but thats what im seeing.....As soon as i plug into Internet Link into the equation, the portal page comes up.....im able to replicate it every time... Currently, i placed back into the customer network and im now looking down at the routing/firewall......
    my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....
    if anyone can explain why, it would help out a great deal..
    My setup BTW is
    1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
    2. ISE 1.2 - Doing simple Wireless only implementation
    3. 3650 - Just acting like a switch - no ACLs etc - just a switch
    4. Integrated into AD
    Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...
    thanks again how i can get some feedback

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches” User Agent” attribute for string “NAC Agent” to confirm that NAC agent is present on particular machine.This information is passed to ISE when user opens Web Browser i.e. user gets redirected
    If NAC agent is not present on machine then NAC agent will get downloaded and then Posture assessment starts.
    While testing this on ISE, I noticed that
    If NAC agent is already present on machine then directly posture assessment starts even without opening web browser.
    Now my question is, how ISE does come to know that NAC agent is already present on machine without opening web browser.
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • ISE url-redirect CWA to Gig1

    Hello,
    say I want to have five ISE 1.3 nodes behind load balancer, I want only only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to processed the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE CWA FLEXCONNECT - No url redirect

    Hi,
    I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
    Unfortunately I'm running into problems.
    The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface. 
    Vlan 2 is a guest network terminating on a separate interface in the ASA.
    The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
    I've followed the following guides:
    http://www.drchaos.com/flexconnect-local-switching-guestbyod/
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
    Currently I'm at work but I can provide some debug output later. 
    Have anyone seen this behavior before?

    It is possible that you are hitting the following bug:
    https://tools.cisco.com/bugsearch/bug/CSCue68065
    One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
    1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
    2. The standard ACL does not have to have any ACE in it
    I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try. 
    Thank you for rating helpful posts!

  • Does using self-signed cert. on ISE server has anthing to do with url redirect being not working

    Hi,
    I am setting up wired ISE environment. Everything is going fine, except url redirect is not working.
    I just wondering, if using self-signed certificate on ISE server has anothing to do with the problem ?.
    Appreciate your input.
    Thanks

    Hi,
    As long as you have not changed the hostname or the domain name (and dns is accurate). You should only receive the certificate warning but still get redirected without any issues.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE & Switch URL redirect not working

    Dear team,
    I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
    Here is some output from my 3560C:
    Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
    SW3560C-LAB#sh auth sess int f0/3
                Interface:  FastEthernet0/3
              MAC Address:  f0de.f180.13b8
               IP Address:  10.0.93.202
                User-Name:  F0-DE-F1-80-13-B8
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect:  https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A005DF40000000D0010E23A
          Acct Session ID:  0x00000011
                   Handle:  0xD700000D
    Runnable methods list:
           Method   State
           mab      Authc Success
    SW3560C-LAB#sh epm sess summary
    EPM Session Information
    Total sessions seen so far : 10
    Total active sessions      : 1
    Interface            IP Address   MAC Address       Audit Session Id:
    FastEthernet0/3       10.0.93.202  f0de.f180.13b8    0A005DF40000000D0010E23A
    Could you please help to explore the problem? Thank you very much.

    With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
    In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
    It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
    tips:
    1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
    2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
    Which can win the race: increasing bandwidth with new technologies VS QoS?

  • ISE Wired Central Web Authentication no url redirect

    We are setting up ISE for wired guest accest but are having trouble with the client being redirected.  The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
    ISEtest3560#show authentication sessions interface fastEthernet 0/2
                Interface:  FastEthernet0/2
              MAC Address:  001d.09cb.78bd
               IP Address:  Unknown
                User-Name:  00-1D-09-CB-78-BD
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0003E600000039064485B1
          Acct Session ID:  0x00000293
                   Handle:  0x95000039
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    From the client pc I can get name resolution for anything I ping.  I also can ping the ise server by name.  The ACL that is downloaded it as follows:
    Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit ip any host 10.4.37.91
        40 deny ip any any log
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any eq bootpc any eq bootps
        20 deny udp any any eq domain
        30 deny ip any host 10.4.37.91
        40 permit tcp any any eq www (13 matches)
        50 permit tcp any any eq 443
        51 permit tcp any any eq 8443
        60 deny ip any any
    The machine passes the Authentication with MAB and hits the CWA Authorization profile, ISE shows the cient as "Pending" then the next entry above that is the log is the dACL getting pushed to the switch.  Could part of the issue be that the device shows Unknown for IP address?  The command ip device tracking is in the swtich:
    ISEtest3560#show running-config | include tracking
    ip device tracking
    ISEtest3560#
    We have 802.1x clients working and the IP address for those do show up..
    Please advise,
    Thanks,
    Joe

    ISEtest3560#show ip access-lists interface fastEthernet 0/2       
    ISEtest3560#
    Doesn't appear the dacl is being applied. 
    interface FastEthernet0/2
    switchport access vlan 11
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 999
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab webauth
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree guard root
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        41 permit ip any host 10.4.37.91
        50 deny ip any any log (1059 matches)
    Could the dACL being causing the issue with the Unknown, or is the Unknow causing the issue with the dACL?
    Thanks,
    Joe

Maybe you are looking for