Cisco Identity Services Engine 2.1 Technical Manual

Advanced features such as Guest, Posture and Bring Your Own Device (BYOD) in modern networks
require direct communication between the client device and the AAA server. In previous ISE versions this
was accomplished by sending a dynamic redirect URL and an Access Control List (ACL) to the NAD.
Two mandatory attributes are sent in an authorization profile for redirection, as
attribute-value pairs (AV pairs):
Cisco AV pair – Redirect URL: The URL value is dynamic and is created for each session.
The important parts of the redirect URL are the Policy Service Node Fully Qualified Domain Name
(PSN FQDN) and the Session ID.
Cisco AV pair – Redirect ACL: This AV pair contains the name of an ACL that must already exist on the
NAD. Using this ACL, the NAD decides whether a packet should be redirected or
allowed through the NAD.
The traditional redirection approach can only be implemented with Cisco NAD devices. For third-party
NAD support, static URL redirection was added in ISE 2.0. While that approach is more
platform independent, it still requires HTTP redirection support on the NAD.
Starting with ISE 2.1 a new style of redirect has been added. This approach does not require
HTTP redirection support on the NAD. The main idea behind this method is to use ISE as a
DNS sinkhole.
DNS and DHCP server functionality have been added to the ISE 2.1 release so that ISE can act as a
DNS sinkhole. The ISE server can now assign IP addresses to the users that need to be redirected
and define itself as their DNS server. This allows ISE to redirect user connections to itself without any
web server functionality on the NAD. However, the NAD must still support Change of
Authorization (CoA) and dynamic VLAN assignment.
In ISE, this approach can be used for the following redirection flows:
Guest flow: ISE answers any DNS request initiated by the user with its own IP address.
This response causes the client to establish an HTTP connection with ISE. In this connection,
ISE returns the redirect URL using a standard HTTP 302 (page moved) response.
BYOD/Posture (AnyConnect only): In both scenarios the Native Supplicant Provisioning
(NSP) application or the AnyConnect Posture module initiates a connection to enroll.cisco.com,
which is redirected to ISE using the same steps as the guest flow.
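To make the two mechanisms described above concrete (the redirect URL built from the PSN FQDN and Session ID, and the DNS-sinkhole flow in which every A query is answered with the PSN's own address and the subsequent HTTP connection receives a 302), here is an added, self-contained Python model. It is not Cisco's code and does not reproduce the ISE implementation: the PSN address, FQDN, portal path and query-parameter names are assumptions, the DNS packets are constructed inline, and nothing is sent on the wire.

```python
"""
Toy model of the ISE 2.1 DNS-sinkhole redirect (added example, not Cisco code):
a DNS responder that answers every A/IN query with the PSN's own IP, followed by
the HTTP 302 the PSN returns once the sinkholed client connects to it.
Standard library only; all packets are constructed locally.
"""
import socket
import struct
from urllib.parse import urlencode

# Assumed values for the example; a real deployment uses the PSN's own address/FQDN.
PSN_IP = "10.10.10.5"
PSN_FQDN = "ise-psn.example.com"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (RD=1, one question) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, parts = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # a query's question never uses name compression
            raise ValueError("unexpected compression pointer in question")
        parts.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(parts), qtype, off + 4


def sinkhole_response(query: bytes, sink_ip: str = PSN_IP, ttl: int = 0) -> bytes:
    """Answer any A/IN question with sink_ip, regardless of the name asked.
    TTL 0 keeps the client from caching the sinkhole answer after redirection
    is over. Non-A questions get a NOERROR reply with an empty answer section."""
    txid, _qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    answer, ancount = b"", 0
    if qtype == 1:
        # name = pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    flags = 0x8580  # QR=1, AA=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + answer


def parse_answer_ip(response: bytes):
    """Extract the IP from the first A record of a sinkhole_response(); None if absent."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, qend = parse_question(response)  # question section layout is identical
    rdata_start = qend + 12  # 2 name ptr + 2 type + 2 class + 4 ttl + 2 rdlength
    return socket.inet_ntoa(response[rdata_start:rdata_start + 4])


def redirect_response(session_id: str, psn_fqdn: str = PSN_FQDN) -> str:
    """The HTTP reply the PSN sends to the sinkholed client: a 302 whose Location
    carries the PSN FQDN and per-session ID. Portal path and parameter names are
    assumed for the example, not taken from ISE."""
    location = f"https://{psn_fqdn}:8443/portal/gateway?" + urlencode(
        {"sessionId": session_id, "portal": "guest", "action": "cwa"})
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n"
            "Connection: close\r\n\r\n")


def simulate_flow(qname: str, session_id: str):
    """End-to-end: client asks for qname, gets the PSN IP, connects, receives the 302."""
    ip = parse_answer_ip(sinkhole_response(build_query(qname)))
    http = redirect_response(session_id)
    location = next(l.split(": ", 1)[1] for l in http.split("\r\n") if l.startswith("Location: "))
    return ip, location


if __name__ == "__main__":
    ip, loc = simulate_flow("enroll.cisco.com", "SESSION-ID-PLACEHOLDER")
    print(f"enroll.cisco.com resolves to {ip}; client is then sent to {loc}")
```

Because the sinkhole answers every name identically, the NAD needs no HTTP redirection support at all; the only NAD-side requirements are the dynamic VLAN (so the client actually receives the PSN as its DNS server) and CoA to move the session on once the portal flow completes.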
Packet Flow