Solved: ISE POSTURE POPPING UP BROWSER AND REDIRECTING TO CPP NOT DESIRED

kajibola · ‎09-04-2017

I am deploying ISE for a client and they complaint about web browser popping up and redirecting to Clients Provisioning Portal (CPP) on user’s PC during posture. Although, it doesn’t require any user interaction/intervention but it is not desired.

What can be done to ensure posture stop’s popping up client’s browser and redirecting to CPP?

paul · ‎09-05-2017

By removing the CPP redirect you are probably breaking posturing for clients that haven’t postured before. Read up on how posture discovery works in order to understand why the CPP redirect is there and how the ACL on the switch to redirect plays into posture discovery. The sequence for discovery is:

1. http discovery probe on port 80 to default gateway if no discovery host

2. http discovery probe on port 80 to discovery host, if configured (via HTTP Redirect)

3. https discovery probe on port 8905 to discovery host, if configured

4. http discovery probe on port 80 to default gateway (via HTTP Redirect)

5. https reconnect probe on port 8905 to previously contacted ISE Policy Services node

You are probably working because you are hitting step 5 and have a previous PSN you reported posture to. New clients won’t have that and they will fail discovery and get “no policy server found” most likely.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

paul · ‎09-04-2017

Change your redirect ACL on the switch. Assuming you don't need ISE to install the AnyConnect Posture Module (which you really shouldn't) then you don't need to redirect all traffic to the client provisioning portal. You really only need to redirect port 80 to the default gateway to allow posture module discovery to work. You can use a DACL to block the traffic you want preposture.

kajibola · ‎09-05-2017

Thanks Paul.

I did not understand your solution very well hence couldn't get it to work.

What I did was to disable CPP on the authorization policy for posture. In-as-much that Anyconnect is already installed and they don't need anyconnect installation through browser, that solves the issue.

paul · ‎09-05-2017

By removing the CPP redirect you are probably breaking posturing for clients that haven’t postured before. Read up on how posture discovery works in order to understand why the CPP redirect is there and how the ACL on the switch to redirect plays into posture discovery. The sequence for discovery is:

1. http discovery probe on port 80 to default gateway if no discovery host

2. http discovery probe on port 80 to discovery host, if configured (via HTTP Redirect)

3. https discovery probe on port 8905 to discovery host, if configured

4. http discovery probe on port 80 to default gateway (via HTTP Redirect)

5. https reconnect probe on port 8905 to previously contacted ISE Policy Services node

You are probably working because you are hitting step 5 and have a previous PSN you reported posture to. New clients won’t have that and they will fail discovery and get “no policy server found” most likely.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

kajibola · ‎09-05-2017

Thanks.

I have never tried with a PC that have never contacted ISE before to see if the process will be broken.

The initial solution you give which is redirecting only traffic to port 80 and using DACL to block the traffic I don't want pre-posture doesn't work.

Any suggestion?

paul · ‎09-05-2017

Not redirecting all port 80 traffic only port 80 traffic to the default gateway. So say your customer’s network is a 10.x.x.x network and their default gateways are .1. Your posture redirect ACL can look like this:

ip access-list extended POSTURE-REDIRECT

permit tcp any 10.0.0.1 0.255.255.0 eq 80

That will only redirect port 80 to the DGs. Then your DACL can allow the required access you want before posture is assessed. I believe the DACL is applied before the redirect so a DACL like this should work at a minimum:

permit udp any any eq domain

permit tcp any 10.0.0.1 0.255.255.0 eq 80

permit ip any host

etc. to permit traffic to the PSNs

deny ip any any

Not sure what you are blocking in your posture unknown state currently. Blocking too much in the unknown state can break a lot of things.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

kajibola · ‎09-06-2017

@Paul, your solution works. Thanks.

kajibola · ‎09-27-2017

Hello Paul,

Once again thanks for the solution, it works perfectly well for the wired deployment.

I want to confirm if you have ever implemented it for wireless deployment using the WLC Posture Redirect ACL and Airespace ACL also.

I am also planning to implement it on wireless but not yet available to go to site.

howon · ‎09-06-2017

Try permitting (Not redirecting traffic) for the captive portal detection packet. It depends on the OS but different vendors have different ways to test the network to see if there is a captive network like guest portal that is waiting for user interaction. Typically the OS sends a test packet to a predefined site and see if it gets expected response. If something other than expected response is received then it opens a browser window as it thinks there is a guest portal waiting for user interaction. In general this is not an issue, but ISE posture may take longer than the captive portal test interval which may cause the OS browser to popup.

- MS: http://www.msftncsi.com/ncsi.txt

- Apple: http://captive.apple.com/hotspot-detect.html

- Google: http://www.gstatic.com/generate_204

You just need to find out what IP the host maps to and allow http to the host in the redirect ACL for posture. This will prevent the browser pop-up during posture.

Hosuk