topic Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside in Network Access Control

Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

roger perkin — Fri, 21 Feb 2020 18:40:00 GMT

I am setting up a Guest Sponsor Portal, with ISE 2.3 which is hosted on the Internal network.

I am dropping my guest wireless users in the DMZ and need to open the appropiate firewall ports on the firewall to make this work.

Can anyone point me to any good resources or advise what ports need to be opened each way?

Thanks

Roger

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

jan.nielsen — Wed, 22 Nov 2017 20:37:29 GMT

If you didn't change the default port for guest portals, it's port tcp/8443 towards all your PSN nodes.

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

roger perkin — Wed, 22 Nov 2017 20:42:22 GMT

I only have one ISE instance and that is running all personas and is hosted on the Internal network.

I have guest wireless users being dropped into the DMZ

So what ports need to be opened to allow this guest user to hit the web portal and get authenticated?

i assume they get dropped into DMZ and hit the WebAuth ACL and can only see ISE

Just a bit confused about that being internal and client in DMZ

I do not plan to put a PSN in the DMZ

Thanks

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

ajc — Wed, 22 Nov 2017 22:02:57 GMT

Based on your WLC Preauth ACL, check if you are allowing traffic from Enduser/WLC to DHCP/DNS/ISE:8443 subnets on your FW.

On my case I am just allowing the following but under your scenario looks like you need to adjust accordingly the FW because you are using DMZ

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

roger perkin — Wed, 22 Nov 2017 22:04:32 GMT

So is all I need to allow from a guest user in the DMZ is access to ISE:8443 ?

Surely it must need more?

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

ajc — Wed, 22 Nov 2017 22:14:40 GMT

Check first if your device on guest ssid is getting a VALID IP from the wlc interface. If that part is ok, then the only thing you need is allow traffic from Guest subnet/WLC to ISE on port 8443. IMPORTANT to mention that the WLC Guest SSID requires an URL Redirect to the ISE Login portal for Guest like this: (you have to copy this link from ISE directly and change the IP by the FQDN of ISE)
https://guest.domain:8443/portal/PortalSetup.action?portal=10be2e90-8001-11e5-b027-3440b5d4e810

On the other hand, are you allowing traffic from the WLC subnet to the ISE server for Authentication on port 1812 and 1813?. If not, check this part as well.

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

roger perkin — Wed, 22 Nov 2017 22:18:22 GMT

I have currently got a 3504 with one interface dropping guest wireless users in a DMZ

They get their IP from the firewall interface and get access to the internet

SSID auth is via PSK

I now want to use an internal ISE server to implement Guest Portal

So need to work through the flow

So wireless client connects to open SSID and gets dropped into DMZ

Gets an IP but can only talk to ISE

That client will need

ISE:8443

1812 and 1813 open to ISE for authentication.

What needs to be open from ISE to guest user?

This seems very logical but I can't find a simple step by step design of how this works.

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

ajc — Wed, 22 Nov 2017 22:40:25 GMT

Try CWA for your guest authentication.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

roger perkin — Wed, 22 Nov 2017 22:55:25 GMT

Perfect, that is just what I was looking for but didn't know what it was called!

So in terms of firewall rules

Do I need to allow these both ways or just DMZ to ISE

As I don't think there is any traffic initiated from ISE in this process?

UDP:1645, 1812 (RADIUS Authentication)
UDP:1646, 1813 (RADIUS Accounting)
UDP:1700 (RADIUS CoA)
TCP:8443 Guest Portal or 8905 if you have Posturing.

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

ajc — Thu, 23 Nov 2017 15:16:48 GMT

CoA is initiated by ISE so take a look on the following link for the required ports to be opened

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Session

RADIUS Authentication: UDP/1645, 1812
RADIUS Accounting: UDP/1646, 1813
RADIUS Change of Authorization (CoA) Send: UDP/1700
RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799

Note

UDP port 3799 is not configurable.

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

roger perkin — Thu, 23 Nov 2017 15:18:37 GMT

Thanks and are these both ways? Or just DMZ to ISE

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

ajc — Thu, 23 Nov 2017 15:19:24 GMT

Make it both ways.

Re: Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

Wilferson Cabreja Del Rosario — Fri, 21 Jun 2024 13:02:01 GMT

I am interested to know what happend here. Was the issue resolved?