
ISE posture redirect not working

ISE v1.1.0.665, 3395 h/w.

Single Admin/Monitor/Policy node.

WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M

For Client Provisioning I created an authorisation policy as follows:

download acl "ACL-POSTURE-REMEDIATION"

apply url redirect "ACL-POSTURE-REDIRECT".

"Debug radius" shows all this is downloaded to the switch but:

- Redirect does not work.

- dACL is not applied if the URL redirect is also configured.

Wireshark on the client shows no redirect.

Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.

I've also attached screenshots of these policies and Wireshark.

1 REPLY

Grant,

It looks like you are changing the VLAN after your client gets an IP address; it seems like the client gets an IP address of 192.168.16.164 and you are changing the VLAN over to 516. I wanted to know whether there isn't an IP-to-VLAN mismatch before you move forward. If 516 is the quarantine VLAN, you may want to start all clients on that VLAN and use dynamic VLAN assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal or the NAC agent to change the IP address once the VLAN is changed.

Thanks,

Tarik Admani
