Cisco Identity Services Engine 1.0.4 Troubleshooting Guide

Scenario 6 - Destination Host is in Different VLAN, Does Not Exist, and is SVI 10 DOWN
This scenario is exactly the same as Scenario 5. It does not matter whether the remote host exists. The correct
routing is what is important.
Scenario 7 - HTTP Service is Down
As presented in Scenario 6, the HTTP process on the switch plays an important role. If the HTTP service is
disabled, EPM shows that the packet reaches the redirect ACL:
epm-redirect:IP=192.168.1.201: Ingress packet on [idb= GigabitEthernet1/0/2] matched
with [acl=REDIRECT_POSTURE]
However, the redirection never occurs.
The HTTPS service on the switch is not required for an HTTP redirect, but it is required for an HTTPS redirect.
The NAC Agent can use both for ISE discovery. Therefore, it is advised to enable both.
Redirect ACL - Incorrect Protocols and Port, No Redirection
Notice that the switch can only intercept HTTP or HTTPS traffic that works on standard ports (TCP/80 and
TCP/443). If HTTP/HTTPS works on a nonstandard port, it can be configured with the ip port-map http
command. Also, the switch must have its HTTP server listen on that port (ip http port).
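An added example (not part of the Cisco document): a Python check that reads a running-config excerpt and reports, for each TCP port the redirect ACL permits, which of the settings described in Scenario 7 and in the section above is missing. The sample configuration, the function name redirect_gaps and port 8080 are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the document).
SAMPLE_CONFIG = """\
no ip http server
ip http secure-server
ip port-map http port 8080
ip access-list extended REDIRECT_POSTURE
 deny   udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
"""

NAMED_PORTS = {"www": 80}  # IOS prints TCP/80 as "www" in ACL entries


def redirect_gaps(config, acl_name):
    """Return (port, missing command) pairs for ports the redirect ACL
    permits but the switch cannot intercept, per the conditions above."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    cmds = {ln.strip() for ln in lines}

    def ports_for(prefix):
        pat = re.compile(re.escape(prefix) + r" (\d+)")
        return {int(m.group(1)) for c in cmds if (m := pat.fullmatch(c))}

    http_on = "ip http server" in cmds
    https_on = "ip http secure-server" in cmds
    listening = ports_for("ip http port")
    mapped = ports_for("ip port-map http port")

    # Collect TCP ports in the ACL's permit entries (permit = redirect).
    acl_ports, in_acl = set(), False
    for ln in lines:
        if not ln.startswith(" "):
            in_acl = ln == f"ip access-list extended {acl_name}"
        elif in_acl and (m := re.match(r"\s+permit\s+tcp\s.*\beq\s+(.+)$", ln)):
            for tok in m.group(1).split():
                if tok in NAMED_PORTS or tok.isdigit():
                    acl_ports.add(NAMED_PORTS.get(tok) or int(tok))

    gaps = []
    for port in sorted(acl_ports):
        if port == 443:
            needed = [("ip http secure-server", https_on)]
        else:
            needed = [("ip http server", http_on)]
            if port != 80:  # nonstandard port: needs port-map and listener
                needed += [(f"ip port-map http port {port}", port in mapped),
                           (f"ip http port {port}", port in listening)]
        gaps += [(port, cmd) for cmd, ok in needed if not ok]
    return gaps
```

It checks only the conditions stated in this document; an empty result means none of those gaps was found, not that redirection is otherwise guaranteed.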
Related Information
• Central Web Authentication with a Switch and Identity Services Engine Configuration Example
• Cisco Identity Services Engine User Guide, Release 1.2
• Technical Support & Documentation - Cisco Systems
Updated: Jan 30, 2014
Document ID: 117278