Cisco Identity Services Engine 1.0.4 Troubleshooting Guide

Page 7
Tests are performed on the client, which should be redirected to ISE for provisioning (CPP). The user is
authenticated via MAC Authentication Bypass (MAB) or 802.1x. ISE returns the authorization profile with
the redirect Access Control List (ACL) name (REDIRECT_POSTURE) and redirect URL (redirects to ISE):
bsns-3750-5#show authentication sessions interface g1/0/2
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0050.5699.36ce
           IP Address:  192.168.1.201
            User-Name:  cisco
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  10
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
     URL Redirect ACL:  REDIRECT_POSTURE
         URL Redirect:  https://10.48.66.74:8443/guestportal/gateway?sessionId=
                        C0A8000100000D5D015F1B47&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8000100000D5D015F1B47
      Acct Session ID:  0x00011D90
               Handle:  0xBB000D5E
Runnable methods list:
       Method   State
       dot1x    Authc Success
The Downloadable ACL (DACL) permits all traffic at this stage:
bsns-3750-5#show ip access-lists xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1 (per-user)
    10 permit ip any any
The redirect ACL allows this traffic without redirection:
• All traffic to the ISE (10.48.66.74)
• Domain Name System (DNS) and Internet Control Message Protocol (ICMP) traffic
All other traffic should be redirected:
bsns−3750−5#show ip access−lists REDIRECT_POSTURE
Extended IP access list REDIRECT_POSTURE
    10 deny ip any host 10.48.66.74 (153 matches)
    20 deny udp any any eq domain
    30 deny icmp any any (10 matches)
    40 permit tcp any any eq www (78 matches)
    50 permit tcp any any eq 443
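To confirm which client flows the redirect ACL above actually sends to ISE, the following added example (not part of the Cisco guide) parses the show ip access-lists output and applies the redirect-ACL rule: a matching permit entry redirects, a matching deny entry lets the traffic through, and the implicit deny at the end also means no redirect. The ACL text and the test flows are constructed from the values shown above; the client address 192.168.1.201 is the one in the session output.

```python
import ipaddress
import re

# Constructed sample: the REDIRECT_POSTURE entries as the switch printed them above.
REDIRECT_POSTURE = """\
    10 deny ip any host 10.48.66.74 (153 matches)
    20 deny udp any any eq domain
    30 deny icmp any any (10 matches)
    40 permit tcp any any eq www (78 matches)
    50 permit tcp any any eq 443
"""
PORT_NAMES = {"www": 80, "domain": 53, "https": 443}

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))  # wildcard -> mask
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)

def parse_acl(text):
    """Return one (seq, action, proto, src_net, dst_net, dport) tuple per ACE line."""
    aces = []
    for line in text.splitlines():
        tokens = re.sub(r"\s*\(\d+ matches\)", "", line).split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue  # skip the header line; only numbered ACEs matter
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        src, dst = _addr(rest), _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append((seq, action, proto, src, dst, dport))
    return aces

def redirect_decision(acl_text, proto, src, dst, dport=None):
    """First matching ACE wins: permit -> 'redirect' to ISE, deny -> 'pass' untouched.
    No match hits the implicit deny, which for a redirect ACL also means 'pass'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, action, aproto, snet, dnet, aport in parse_acl(acl_text):
        if aproto not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if aport is not None and aport != dport:
            continue
        return "redirect" if action == "permit" else "pass"
    return "pass"
```

Note that a flow such as TCP port 22 to an arbitrary host is neither denied nor permitted by the ACL, so it falls into the implicit deny and is not redirected; the DACL alone then decides whether it is forwarded.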
The switch has a SVI in the same VLAN as the user:
interface Vlan10
 ip address 192.168.1.10 255.255.255.0
In the next sections, this is modified in order to present the potential impact.