Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

If you get redirected, you should collect the agent logs and the ISE support bundle (with the posture and swiss
modules set to debug mode) and contact Cisco TAC. This indicates that the agent discovers an ISE node but
something fails during the process to obtain the posture data.
If no redirection happens, you have found the first cause, but its root cause still requires investigation.
A good start is to check the configuration on the network access device (Wireless LAN Controller (WLC) or
switch) and move to the next item in this document.
Attributes Are Not Installed on the Network Device
This issue is a subcase of the Redirection Does Not Happen scenario. If the redirection does not happen, the
first step is to verify (as the problem occurs on a given client) that the switch or wireless access layer has
placed the client in the right status.
Here is example output of the show authentication session int <interface number> command (you might
have to add detail at the end on some platforms) taken on the switch where the client is connected. You must
verify that the status is "Authz Success", that the URL redirect ACL correctly points to the intended redirect
ACL, and that the URL redirect points to the expected ISE node with CPP at the end of the URL. The ACS
ACL field is not mandatory because it only shows if you configured a downloadable access list on the
authorization profile on ISE. It is, however, important to look at it and verify that there is no conflict with the
redirect ACL (see documents about posture configuration in case of doubt).
01-SW3750-access#show auth sess int gi1/0/12
            Interface:  GigabitEthernet1/0/12
          MAC Address:  000f.b049.5c4b
           IP Address:  192.168.33.201
            User-Name:  00-0F-B0-49-5C-4B
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-myDACL-51519b43
     URL Redirect ACL:  redirect
         URL Redirect:  https://ISE2.wlaaan.com:8443/guestportal/gateway?
                        sessionId=C0A82102000002D8489E0E84&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A82102000002D8489E0E84
      Acct Session ID:  0x000002FA
               Handle:  0xF60002D9
Runnable methods list:
       Method   State
       mab      Authc Success
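The checks described above can be scripted against saved session output. The following Python sketch is an added example, not part of the original Cisco document; the function names parse_session and check_redirect are hypothetical, and the expected ACL name and ISE host are parameters you supply.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: subset of the session output above. The User-Name line keeps
# the U+2212 minus signs that PDF-copied output often carries.
SAMPLE = """\
            User−Name:  00−0F−B0−49−5C−4B
               Status:  Authz Success
     URL Redirect ACL:  redirect
         URL Redirect:  https://ISE2.wlaaan.com:8443/guestportal/gateway?
                        sessionId=C0A82102000002D8489E0E84&action=cpp
    Common Session ID:  C0A82102000002D8489E0E84
Runnable methods list:
       mab      Authc Success
"""

FIELD = re.compile(r"^\s*([\w\- ]+?):\s{2,}(\S.*)$")

def parse_session(text):
    """Map 'Field:  value' lines to a dict, joining wrapped values such as the URL."""
    fields, last = {}, None
    for line in text.replace("\u2212", "-").splitlines():
        m, bare = FIELD.match(line), line.strip()
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and bare and line[0].isspace() and " " not in bare:
            fields[last] += bare  # wrapped value; only space-free lines are joined
        else:
            last = None
    return fields

def check_redirect(fields, expected_acl, expected_host):
    """Return findings for the checks the text lists; an empty list means all passed."""
    problems = []
    if fields.get("Status") != "Authz Success":
        problems.append("status is not Authz Success")
    if fields.get("URL Redirect ACL") != expected_acl:
        problems.append("redirect ACL missing or not the intended one")
    url = urlsplit(fields.get("URL Redirect", ""))
    query = parse_qs(url.query)
    if (url.hostname or "").lower() != expected_host.lower():
        problems.append("redirect URL missing or not the expected ISE node")
    if query.get("action") != ["cpp"]:
        problems.append("redirect URL does not end with action=cpp")
    return problems

if __name__ == "__main__":
    print(check_redirect(parse_session(SAMPLE), "redirect", "ISE2.wlaaan.com") or "redirect attributes OK")
```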
In order to troubleshoot a WLC that runs AireOS, enter show wireless client detail <mac address>; in order to
troubleshoot a WLC that runs Cisco IOS-XE, enter show wireless client mac-address <mac address> detail.
Similar data is displayed, and you must verify the redirect URL and ACL and whether the client is in the
"POSTURE_REQD" state or similar (it varies depending on the software version).
If attributes are not present, you must open the authentication details in ISE for the client you were
troubleshooting (navigate to Operations > Authentications) and verify in the Result section that the
redirection attributes were sent. If they were not sent, you should review the authorization policy to
understand why the attributes were not returned for this particular client. Probably, one of the conditions did