Cisco Cisco Identity Services Engine 1.0.4 Guía Para Resolver Problemas
Tests are performed on the client, which should be redirected to ISE for provisioning (CPP). The user is
authenticated via MAC Authentication Bypass (MAB) or 802.1x. ISE returns the authorization profile with
the redirect Access Control List (ACL) name (REDIRECT_POSTURE) and redirect URL (redirects to ISE):
authenticated via MAC Authentication Bypass (MAB) or 802.1x. ISE returns the authorization profile with
the redirect Access Control List (ACL) name (REDIRECT_POSTURE) and redirect URL (redirects to ISE):
bsns−3750−5#show authentication sessions interface g1/0/2
Interface: GigabitEthernet1/0/2
MAC Address: 0050.5699.36ce
IP Address: 192.168.1.201
User−Name: cisco
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single−host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
ACS ACL: xACSACLx−IP−PERMIT_ALL_TRAFFIC−51ef7db1
URL Redirect ACL: REDIRECT_POSTURE
URL Redirect: https://10.48.66.74:8443/guestportal/gateway?sessionId=
C0A8000100000D5D015F1B47&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8000100000D5D015F1B47
Acct Session ID: 0x00011D90
Handle: 0xBB000D5E
Runnable methods list:
Method State
dot1x Authc Success
The Downloadable ACL (DACL) permits all traffic at this stage:
bsns−3750−5#show ip access−lists xACSACLx−IP−PERMIT_ALL_TRAFFIC−51ef7db1
Extended IP access list xACSACLx−IP−PERMIT_ALL_TRAFFIC−51ef7db1 (per−user)
10 permit ip any any
The redirect ACL allows this traffic without redirection:
All traffic to the ISE (10.48.66.74)
•
Domain Name System (DNS) and Internet Control Message Protocol (ICMP) traffic
•
All other traffic should be redirected:
bsns−3750−5#show ip access−lists REDIRECT_POSTURE
Extended IP access list REDIRECT_POSTURE
10 deny ip any host 10.48.66.74 (153 matches)
20 deny udp any any eq domain
30 deny icmp any any (10 matches)
40 permit tcp any any eq www (78 matches)
50 permit tcp any any eq 443
The switch has a SVI in the same VLAN as the user:
interface Vlan10
ip address 192.168.1.10 255.255.255.0
In the next sections, this is modified in order to present the potential impact.