https://community.cisco.com/t5/wireless/unable-to-modify-9800-external-webauth-acl/m-p/4394481#M228808 <P>Hello Everyone,</P><P>&nbsp;</P><P>Scenario - External WebAuth server is using port 8443. In webauth parameter map -redirect url used set as <A href="https://External_WebAuth:8443/login.html" target="_blank" rel="noopener">https://External_WebAuth:8443/login.html</A></P><P>&nbsp;</P><P>Two WebAuth ACLs (WA-Sec and WA-Int) are created automatically using redirect port 443 which does not work since 8443 is being used.</P><P>&nbsp;</P><P>1. Inside the above ACLs I can modify 443 to 8443 but update/Apply throws below error.&nbsp;</P><H4>Error in Configuring ACL</H4><P>CLI Line 2 no 20 CLI Line 2 CLI Line 2 Invalid input detected at marker Invalid input detected at marker.</P><P>&nbsp;</P><P>Is there a way to edit the Extended ACL in CLI?</P><P>&nbsp;</P><P>2.&nbsp;&nbsp;I can create manually new ACL with port 8443. Not sure how to apply manually created ACL to SSID.</P><P>&nbsp;</P><P>In the SSID - Security-Layer3- PreAuth ACL has None. Is this the place to select new ACL? Not sure to select new SEC ACL or new INT ACL.</P><P>&nbsp;</P><P>Thanks for your time and inputs</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 05 Jul 2021 20:14:13 GMT yprasannas 2021-07-05T20:14:13Z https://community.cisco.com/t5/wireless/unable-to-modify-9800-external-webauth-acl/m-p/4394481#M228808 <P>Hello Everyone,</P><P>&nbsp;</P><P>Scenario - External WebAuth server is using port 8443. In webauth parameter map -redirect url used set as <A href="https://External_WebAuth:8443/login.html" target="_blank" rel="noopener">https://External_WebAuth:8443/login.html</A></P><P>&nbsp;</P><P>Two WebAuth ACLs (WA-Sec and WA-Int) are created automatically using redirect port 443 which does not work since 8443 is being used.</P><P>&nbsp;</P><P>1. Inside the above ACLs I can modify 443 to 8443 but update/Apply throws below error.&nbsp;</P><H4>Error in Configuring ACL</H4><P>CLI Line 2 no 20 CLI Line 2 CLI Line 2 Invalid input detected at marker Invalid input detected at marker.</P><P>&nbsp;</P><P>Is there a way to edit the Extended ACL in CLI?</P><P>&nbsp;</P><P>2.&nbsp;&nbsp;I can create manually new ACL with port 8443. Not sure how to apply manually created ACL to SSID.</P><P>&nbsp;</P><P>In the SSID - Security-Layer3- PreAuth ACL has None. Is this the place to select new ACL? Not sure to select new SEC ACL or new INT ACL.</P><P>&nbsp;</P><P>Thanks for your time and inputs</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 05 Jul 2021 20:14:13 GMT https://community.cisco.com/t5/wireless/unable-to-modify-9800-external-webauth-acl/m-p/4394481#M228808 yprasannas 2021-07-05T20:14:13Z https://community.cisco.com/t5/wireless/unable-to-modify-9800-external-webauth-acl/m-p/4394503#M228809 <P>Create a new Web Auth Parameter and in advanced tab copy/paste the ISE portal link to (Redirect for log-in) feild<BR />you can get the link from ISE Sponsored Guest Portal<BR />Now, because ISE portal is using TCP port 8443 which is not included in the “sec” ACL, we need to allow that by creating a new pre-Auth ACL and apply it to the WLAN as below:</P> <P>conf t<BR />ip access-list extended Local-External-WebAuth<BR />permit tcp any host ISE_IP_ADDRESS eq 8443<BR />permit tcp host ISE_IP_ADDRESS eq 8443 any<BR />permit tcp any any eq domain<BR />permit udp any any eq domain<BR />permit udp any any eq bootpc<BR />permit udp any any eq bootps<BR />deny ip any any<BR />exit</P> <P>And because we will use ISE to authenticate the users we have to add the below:<BR />conf t<BR />aaa authentication webauth default group your_group_name<BR />exit</P> <P>Note: Named Method lists is not supported for webauth</P> <P>from SSID L3 check the Web Policy and select your Web Auth Parameter Map and select the Auth list as default and select the PreAuth ACL<BR />and no need to select any AAA Auth List (802.1x authentication list name) since we already have that as “default” under the Layer3 Auth list (Webauth Authentication List Name)</P> <P>The policy profile can be anything and there is no need for pre auth url.</P> <P>You will see two Auth in ISE Logs:<BR />The first one when ise validate the username/password of the user when the user typed it in ISE portal, no policy set will be used here.<BR />The second Auth when the 9800 send the username/pass to ISE to validate those “second time” and ISE will use the policy set to validate it.</P> Wed, 28 Apr 2021 04:15:27 GMT https://community.cisco.com/t5/wireless/unable-to-modify-9800-external-webauth-acl/m-p/4394503#M228809 Grendizer 2021-04-28T04:15:27Z