Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
348
Views
0
Helpful
3
Replies

ISE dot1x working BUT ..... client is getting "PROXY SERVER unreachable"

game123
Level 1
Level 1

‎11-13-2014 08:19 PM - edited ‎03-10-2019 10:10 PM

Dear Experts,

 

From ISE 2.x I am able to ping the proxy server but once windows user authenticated and logs in, he cannot go to the internet and gets proxy error.

 

 

 

Let me know some points and vectors to look into !!!

 

 

waiting.

 

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎11-13-2014 09:44 PM

Hmm, once you are authenticated, ISE is sort of out of the picture. Are you returning a dACL (wired) or referencing some sort of an ACL on the WLC (Wireless)?

 

Thank you for rating helpful posts!

0 Helpful

game123
Level 1
Level 1
In response to nspasov

‎11-13-2014 11:17 PM

Dear Neno

Thanks for your reply, I am using wired network. 

yes i am using DACL for testing purpose i am using permit ip any any.  

and even i can see that ACL on  on switch side with below command

show auth sess int gig0/19

 

But the problem is that when i am trying to open any web page it is showing proxy server unreachable.

Is any thing we have to do on Cisco ISE to redirect that traffic ?

  

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to game123

‎11-13-2014 11:34 PM

The only time ISE would perform traffic redirection is when you doing things like CWA (Central Web Authentication), Posture Assessment, etc. If you are just doing basic dot1x/mab authentication then ISE just decides who gets on the network and what type of access that person/devices gets. 

With that being said, what happens if you remove dot1x authentication from the port? Can the client reach ISE then? (you can quickly remove dot1x by issuing no authentication port-control auto)

Other things to try:

1. Remove the dACL

2. In the authorization rule, return the default "permit access"

3. Remove the ACL on the FW

4. Anything else that might be affecting the connection

With the process of elimination you should be able to find the root cause of the issue

 

Thank you for rating helpful posts! 

0 Helpful
Customers Also Viewed These Support Documents