The right ACL-POSTURE-REDIRECT in ISE

I have an issue with ACL-POSTURE-REDIRECT when downloading the NAC agent. I got the right page to download and install the agent from the access switch. However, I got error status-2 when trying to download the agent. The initial ACL was as follows:
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host "ISE_IP" eq 8905
deny udp any host "ISE_IP" eq 8906
deny tcp any host "ISE_IP" eq 8443
deny tcp any host "ISE_IP" eq 8905
permit ip any any
Then I modified it to be like this:
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny ip any host "ISE_IP"
permit ip any any
The second access list did work for me, but not all the time. So which access list should I apply?
Thanks

This issue applies to user sessions during the client provisioning phase of authentication.
Possible causes: The client provisioning resource policy could be missing required settings.
• Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy. (Also ensure whether or not there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > ISE Posture Agent Profile, even a profile with all default values.)
• Try reauthenticating the client machine by bouncing the port on the access switch.
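
An added example (not part of the original posts or of any Cisco tooling): a first-match evaluation of the two ACLs from the question, showing which flows each one exempts from redirection. It assumes the usual IOS URL-redirect convention in which `deny` exempts traffic from redirection and `permit` selects it; the IP addresses, sample flows and function names are constructed.

```python
import re
ISE_IP = "192.0.2.10"  # constructed stand-in for the "ISE_IP" placeholder on the page

# The two ACL bodies from the question, as posted.
ACL_INITIAL = '''
deny udp any any eq domain
deny udp any host "ISE_IP" eq 8905
deny udp any host "ISE_IP" eq 8906
deny tcp any host "ISE_IP" eq 8443
deny tcp any host "ISE_IP" eq 8905
permit ip any any
'''
ACL_MODIFIED = '''
deny udp any any eq domain
deny ip any host "ISE_IP"
permit ip any any
'''

PORT_NAMES = {"domain": 53}  # IOS port keyword used in the ACLs above
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)\s+any\s+(?:any|host\s+(\S+))(?:\s+eq\s+(\S+))?$")

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used on this page (source is always 'any')."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL entry: {line!r}")
        action, proto, host, port = m.groups()
        if host is not None:
            host = host.strip('"').replace("ISE_IP", ISE_IP)
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        entries.append((action, proto, host, port))
    return entries

def verdict(entries, proto, dst_ip, dst_port):
    """First matching entry wins: deny -> 'bypass' (not redirected), permit -> 'redirect'."""
    for action, ace_proto, host, port in entries:
        if (ace_proto in ("ip", proto) and host in (None, dst_ip)
                and port in (None, dst_port)):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of every ACL

# Constructed sample flows: (protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("udp", "192.0.2.53", 53),     # DNS lookup
    ("tcp", ISE_IP, 8443),         # ISE ports listed in the first ACL
    ("tcp", ISE_IP, 8905),
    ("udp", ISE_IP, 8906),
    ("tcp", ISE_IP, 9999),         # arbitrary ISE port NOT listed in the first ACL
    ("tcp", "198.51.100.7", 80),   # ordinary web traffic
]

def differing_flows(acl_a, acl_b, flows=SAMPLE_FLOWS):
    """Return (flow, verdict_a, verdict_b) for flows the two ACLs treat differently."""
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    pairs = [(f, verdict(a, *f), verdict(b, *f)) for f in flows]
    return [p for p in pairs if p[1] != p[2]]

print(differing_flows(ACL_INITIAL, ACL_MODIFIED))
```

The only sample flow the two ACLs disagree on is the one to an ISE port that the first ACL does not list: the first ACL leaves it subject to redirection, while the second exempts everything addressed to the ISE host.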

Similar Messages

  • ISE posture redirect not working

    ISE v1.1.0.665, 3395 h/w.
    Single Admin/Monitor/Policy node.
    WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
    For Client Provisioning I created an authorisation policy as follows:
    download acl "ACL-POSTURE-REMEDIATION"
    apply url redirect "ACL-POSTURE-REDIRECT".
    "Debug radius" shows all this is downloaded to the switch but:
    - Redirect does not work.
    - dACL is not applied if the URL redirect is also configured.
    Wireshark on the client shows no direct.
    Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
    I've also attached screen shots of these policies and wireshark.

    Grant,
    It looks like you are changing the vlan after your client gets an ip address, it seems like the client gets an ip address of
    192.168.16.164 and you are changing the vlan over to 516. I wanted to know if there isn't an ip to vlan mismatch before you move forward. If 516 is quarantine vlan you may want to start all clients on that vlan and use dynamic vlan assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal, or the nac agent to change the ip address once the vlan is changed.
    Thanks,
    Tarik Admani

  • Is it possible to redirect the right people to the payment page ?

    Is it possible to redirect to the payment page only people who responded to the right question in the form ?

    The form will re-direct to Paypal if any of the "purchase fields" set up on the "Collect Payments" tab have been filled out. 
    If you want to provide users with an option to fill out purchase related fields but to do something like mail a check versus Paypal you could do something with "Show/Hide" logic where you have a question up front about Payment method and if the user chooses non-Paypal you show a set of fields that are not connected to the Paypal stuff on the "Collect Payments" tab, and if they choose Paypal then it shows a duplicate set of fields that are connected to Paypal.
    These posts might be helpful in setting this up:
    http://forums.adobe.com/message/5320518#5320518
    http://forums.adobe.com/message/4399918#4399918
    Thanks,
    Josh

  • Hi everyone, not sure if this is the right forum to ask this question, however any redirect is appreciated. Where can I get the download for the latest old mozilla browser. The one with the dinosaur icon before the browser turned firefox. Thanks, Jen

    Phoenix and Firebird were what Firefox was called before Firefox was settled on in 2004, and both used "birds" as the logo. IIRC, the dinosaur was used in the Mozilla Suite.
    Here are the earliest versions of the Mozilla Suite.
    http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/
    I hope this request is for historical purposes of where Mozilla came from, because those old versions aren't safe to use on the internet any longer.

  • Active field empty but able to redirect toward the right G/L Account

    Hello everybody,
    There is something I hardly understand with the Goods Receipt PO. When I do the copy from PO, every field gets the right value save the G/L Account column, which appears empty, even if I set that back in the PO.
    So I tried to update it manually in the Form properties, but even if I select the right Warehouse and Account, the system asks me if I want to update the rows, and I say yes. But the G/L Account stays empty and shows an arrow which redirects to the G/L Account no. I chose. But whatever I do, that field stays empty. I don't get it, sometimes it works, sometimes not. It depends on the item...
    What should I do ?

    Never mind, I found it. There are so many options to choose that I forgot to set the accounting by warehouse...

  • 5760 v3.6 guest portal redirect to ISE

    I'm testing a new set of 5760 controllers for a future production rollout, running software version 3.6.  Our current production setup consists of older WISM-1 and 4402 controllers running CUWN 7.0.  Our guest network has an anchor in the DMZ, redirecting to ISE.
    In the recent thread (https://supportforums.cisco.com/discussion/12319151/3850-ise-guestportal-no-redirect-v-334), one of the posters said that guest redirection in 3.6 works similarly to redirection in CUWN, while in 3.3 it is very different.  I found the documentation for 3.3 (http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html), which I have to say I don't like very much.  However, I find the configuration and command reference guides for 3.6 are less than helpful on this point. 
    So the question I have is whether guest networking with an external redirect to ISE looks like the following in 3.6?  Or does it work like CUWN, where the SSID is configured with layer 3 security?  If it uses layer 3 security like CUWN, does anybody have a quick configuration sample for how it can work end to end in 3.6?
    ------ From the document http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html ---------
    The flow includes these steps:
    The user associates to the web authentication Service Set Identifier (SSID), which is in fact open+macfiltering and no Layer 3 security.
    The user opens the browser.
    The WLC redirects to the guest portal.
    The user authenticates on the portal.
    The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
    The user is prompted to retry the original URL.

    I have a project with a 5760 running 3.6 working to a 5508 anchor controller in a DMZ.
    I have web authentication working to an ISE OK.
    Regards
    Roger

  • BYOD Onboarding issue with Redirects on ISE 1.2

    Hi there,
    I'm having intermittent issues with onboarding endpoints (both wired and wireless) with ISE 1.2 (Patch 12).
    I get three differing scenarios upon attempting:
    1). I get redirected to the ISE Self Registration Portal, register, download the supplicant OK and then can browse with no problems.
    2) I don't get redirected at all and so never see the Self Registration portal. All browsing tries to go to the selected website and fails (presumably as the redirect URL is in place even if the browser is not "seeing" it). If I force the browser URL to ISE I get the Self Registration Portal displayed but with no MAC details present so I can get no further.
    3) I get redirected, and seemingly Register OK, download the profiles etc...but after a "Registered Sucessfully" message, any attempt to browse to external website is again redirected to the Portal. I can then re-register again (it lets me do that as if the first time) but I just end up in that loop forever.
    These problems are mostly seen wirelessly (I have a WLC 5508) but also wired clients via 3850 wired ports. I am using a collection of endpoints (Android, iPads, Laptops) to test and de-registering them between attempts and the results are entirely random among the three scenarios.
    I am not changing any policies in between attempts so they are working fine at times, and not at others.
    Any help welcome!

    Hi Neno,
    Thanks for your reply. I have attached some info as requested. For AuthZ rules they should first hit an EAP-MSCHAPv2 rule via the secure SSID which redirects them to the NSP process and gives them an ACL on the WLC that only allows DHCP, DNS and traffic to/from ISE.
    After registration they should then get a certificate and then after a COA reauthenticate using EAP-TLS.
    All this works fine at times, but at other times Web traffic NEVER gets redirected to ISE to begin the registration process or alternatively endpoints are STUCK in a circle of registration in that the redirect works OK and you register OK but the redirect is permanently on and you keep getting asked to re-register your device despite the fact you have already done it once.
    If you can avoid either of these scenarios, it works absolutely fine. It feels like the endpoints themselves are the issue, as I am using a small set of test devices to register (and then de-register) to test with.
    However the same device that won't work at all for many many attempts, will eventually suddenly work OK and the BYOD process completes. I do however seem to have a permanent problem with Surface Pros in that I can never get them to see the redirect at all.

  • CWA over wireless, timeout when redirecting to ISE guest portal

    I configured CWA following this guide https://supportforums.cisco.com/docs/DOC-26442
    And I apply a redirect-acl to allow traffic between endpoint and ise with dns allowed too.
    I use a static vlan on interface. And there is no vlan change after auth.
    Now endpoint can be redirected to ise node url, but visit timed out.
    Clients > Detail shows redirect-acl and redirect-url.
    Anyone here have some ideas?

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on the page no. 821

  • When I click on a tab in the toolbar the tab flies off the screen to the right. Suddenly after using firefox for years I cannot load any pages

    I'm using Windows XP. I've used Firefox for years but in recent weeks I've had the following problem. When I endeavour to open an internet site the tab appears in the toolbar at the bottom of the screen instead of loading the page. When I click on the tab it appears to fly across the right of screen and disappears from view. Fortunately we've left an internet page OPEN so that we can redirect our search via that. Today we had a power cut and now I cannot get Firefox to load anything. At the moment I'm using Explorer to write this. We've made no changes to our system and we're continuing to use the same virus checker we've had for years. (Kaspersky)
    One last point. When I try to load any site in Links the tab changes to the correct name but then flies off as I've previously mentioned. When I right click on the tab and choose Max or Min I have no reaction. I've tried rebooting the computer and turning it off but this does not fix the problem. I've also uninstalled Firefox and reinstalled the latest version all to no avail. Please, can someone help? Micam

    Start Firefox in Safe Mode to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.org/kb/Safe+Mode
    *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

  • Help with Managing sub accounts and The page isn't redirecting properly

    Anytime I try to make a new sub account, and I click on "Sub Accounts" I get this error:
    The page isn't redirecting properly
    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
        *   This problem can sometimes be caused by disabling or refusing to accept cookies.
    Before you ask, I'm a bit of a PC geek, I tried in both FF and IE8, same result, checked cookie settings, and they are NOT disabled etc.
    Any ideas?      

    Cookies are normal. The only exceptions are for SU.
    I found a way to manage the sub accounts. Through Yahoo. Which is completely asinine. Why do I have to go to Yahoo's page when IT'S RIGHT IN MY VERIZON!?
    I wish I could "unbrand" my dsl service.

  • The web pages are not centered, they are way over to the right and so not only can I not see the page, I can't see the scroll bar or web address.

    It is like the page shrinks up and moves way over to the right hand corner and I can't pull it back. I tried mini and maxi -ing the screen ... nothing works!!!
    I can't move the page down to see what the directions are for this box so I am typing this and hoping for the best. Sometimes the arrows will scroll down and other times not.

    Hi Mike ...
    If you haven't tried a different DNS, OpenDNS may help.
    Use OpenDNS for better speed, more security, includes anti phishing filters, prevents browser redirects, it's free and Apple suggests it here >  Safari 5.0.1 or later: Slow or partial webpage loading, or webpage cannot be found
    Open System Preferences / Preferences then select the Network tab. Click the Advanced tab then click the DNS tab.
    Click +
    Enter these addresses exactly as you see them here.
    208.67.222.222
    Click +
    208.67.220.220
    Then click OK.
    Quit then relaunch Safari to test.
    Mike, empty the Safari cache more often. From your Safari menu bar click Safari > Empty Cache

  • Am I building the right number of pages ?

    Hi Everybody, It is my first time here and actually I'm building my very first site. This site will be a portfolio of my jobs. As I'm a multimedia man .. lol and I'm not a teenager ... more lol , I have a lot of jobs to show.
    I do graphic design, illustrations, advertising and recently I'm developing a new task to join to all of it, working with video. I want to go beyond the static images.
    So I decided to build a website to promote myself. I started making the website with iWeb because I do all my work with Macs and I have no intention of changing platforms for a website.
    I already started and of course the problems and doubts as well. I've already divided the Main menu in 4 "places": Design, Advertising, Illustration and Video. Each one I will divide by clients and in each client I'm planning to put 3 or 4 jobs.
    I already have the Design divided in 12 clients, then I realized the number of pages that I will have in the end of all. I started doubting if I was doing the right thing and ran to the internet to read someone's experience and I found at the Apple Discussion forum these posts:
    "Hello, whenever I create a page in iWeb 08, it creates a corresponding title in the main menu of the website. Is there a way how to create a page and not to have it in the main menu? I want to link these pages myself...
    For instance I want to have a folder full of 300 pages which I would link manually to a list of 300 titles in a text on a single page which does appear in the main menu.
    I am not using MobileMe."
    ... and the answer of a person:
    "If you want to have Page 2 of Site 2 be in the navbar of Site 1 add a blank page in Site one and name it the same as Page 2 of Site 2. Then in that page add an HTML snippet with the following code:
    <script type="text/javascript">
    parent.window.location = "URL TO PAGE 2 OF SITE 2"; </script>
    This will immediately redirect the visitor from the "dummy" page 2 in Site 1 to Page 2 in Site 2. In order to get the URL of Page 2 you will have to first publish Site 2, visit it and get the URL that way.
    This will allow you to move between sites from the navbar in each site as if it were all one large site.
    My Demo Sites are setup this way. The Contents page for each site is redirected to a separate Contents site which contains the index of all the pages in the three demo sites. That way I only have to change the index on the Contents site instead of doing it for each site individually."
    I'm wondering if I'm doing anything wrong and more... if there is anything that I could do to have fewer pages and more navigability.
    Thanks and sorry for the long post.

    I'm wondering if I'm doing anything wrong
    Are you saying the redirect isn't working or is there a better way than using a redirect?
    Another way would be to put all the pages into one site but not necessarily have them all in the default navbar. You could have just the following three title pages in the overall navbar: Design, Illustrations and Advertising.
    In each of those title pages you create your own hyperlinks to the pages that would support that area of your expertise. Those supporting pages would not have the default navbar shown but have a Text Based Navbar or just separate hyperlinks to link those common pages to each other and back to the title page.
    See Roddy's Re: Sub Menus/Sub Pages in iWeb09 for more on the subject. This site also has info on that: http://iwebfaq.org/site/iWebNavigationmenu.html.

  • Inline Posture between Cisco ISE and Wireless LAN Controller

    Hi,
    I was looking into Cisco ISE solution for deploying NAC.
    I have a question about the network topology.
    In the user guide documents of Cisco ISE, it is written that for Wireless LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
    However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
    https://supportforums.cisco.com/docs/DOC-18121
    I want to know if Inline Posture is a requirement, if not a requirement, what are the benefits of having it between Cisco ISE Server and WLC.
    Thanks & Regards
    Sinan

    Hello,
    Please go through below mentioned links which might be helpful for you.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
    Best Regards,

  • Has anyone seen the new 'killing hazard' redirect virus/trojan?

    I have been getting since 9/26 a new redirect-style virus/trojan. It masquerades as a "popup" antivirus. Any attempt to kill the popup (click on the right-corner exit, etc) starts the virus-scanning operation of the fake anti-virus. I have flagfox, which says that the page is chinese. I must kill Firefox to eliminate the page. I have run malwarebytes with a completely updated database, with no malware detected.
    Full text for the popup window
    Warning!
    On your computer detected the malicious code.
    Should immediately make sure that your system is safe! Killing Hazard (R) for Microsoft Windows XP immediately started to work

    I had the same problem and found out that the virus changed my router's settings: instead of the correct setting DNS Address "Get Automatically from ISP", the virus changed it to a specific DNS server: 213.109.69.44
    I realized that something must be wrong with my router when all my devices (including my iPhone) were being redirected to the fake anti-virus web page when connecting to the internet through that router.

  • Pressing on top casing to the right of TP clicks

    Just wondering if anyone else experiences this, but if I press to the side of the TP on the top casing it clicks the mouse (it seems easier to do on the right a little). I have to press pretty firmly but if I'm typing (with my terrible posture) I can put enough pressure to click.
    I usually use a mouse so it's not a big deal and I didn't really realize it or notice it happening until I was using my MBP with an air board under it at a lower level than me so I'm more above it.
    Is that just how it is or should I take it in?
    -matt

    Hello, this is a displaying flaw caused by the McAfee Site Advisor extension - please try to disable or remove that in case you have it present until there is an update by McAfee that can fix the problem.
    http://service.mcafee.com/faqdocument.aspx?id=TS100162
    https://community.mcafee.com/thread/76071
