
Change DNAC_ACL_WEBAUTH_REDIRECT

Leonardo Santana

Hi,

I need to edit this ACL, DNAC_ACL_WEBAUTH_REDIRECT, created automatically by the DNAC server.

How can I edit this? On my controller side or on the DNAC?

 

Regards
Leonardo Santana

*** Rate All Helpful Responses***

jalejand
Cisco Employee

Starting with 2.3.5.x, you can customize the pre-auth ACL:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-5/user_guide/b_cisco_dna_center_ug_2_3_5/m_configure-network-settings.html

Effective with Release 2.3.5.4, Cisco DNA Center-generated preauthentication ACLs are created only for the configured AAA or PSN servers for CWA SSIDs of guest wireless networks. If you upgrade to Release 2.3.5.4 from Release 2.3.5.3 or earlier, to ensure that there is no compliance mismatch, you must reprovision the wireless controller

 

If you want a custom ACL in any other release, I suggest you NOT modify the DNAC_ACL_WEBAUTH_REDIRECT ACL and instead create a new one with the required ACEs and add it manually to the default FLEX profile on the C9800 WLC (this can also be done on AireOS controllers). This is because CatC/DNAC will likely remove any unexpected configuration under that ACL.

Ex.

ip access-list ext NEW_ACL
  --ACEs--

wireless profile flex default-flex-profile
   acl-policy NEW_ACL
      central-webauth

You can do this via template or manual configuration on the CLI.
After that, edit your ISE authorization profile for Guest Access and use the new CLI name instead of DNAC_ACL_WEBAUTH_REDIRECT
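
A post-change check for the C9800 configuration described in the reply above, as an added example that is not part of the original reply or any Cisco tooling. It confirms that the custom ACL exists with entries and is attached to the flex profile with central-webauth. The sample running-config text, its ACEs, the address 192.0.2.10 and the function names are constructed for illustration, and the one-space-per-level indentation of the running config is an assumption.

```python
# Added example: names and sample data below are constructed, not from the thread.
SAMPLE_CONFIG = """\
ip access-list extended NEW_ACL
 10 deny ip any host 192.0.2.10
 20 permit tcp any any eq www
!
wireless profile flex default-flex-profile
 acl-policy NEW_ACL
  central-webauth
!
"""

def blocks(config):
    """Map each top-level config line to its indented child lines."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.rstrip())
    return out

def check_custom_acl(config, acl, flex_profile="default-flex-profile"):
    """Return a list of problems; empty means the ACL is defined and bound."""
    cfg, problems = blocks(config), []
    if not cfg.get(f"ip access-list extended {acl}"):
        problems.append(f"ACL {acl} is missing or has no entries")
    children = cfg.get(f"wireless profile flex {flex_profile}")
    if children is None:
        return problems + [f"flex profile {flex_profile} not found"]
    bound = cwa = in_policy = False
    for child in children:
        depth = len(child) - len(child.lstrip())
        if depth == 1:  # direct child of the flex profile
            in_policy = child.strip() == f"acl-policy {acl}"
            bound = bound or in_policy
        elif in_policy and child.strip() == "central-webauth":
            cwa = True
    if not bound:
        problems.append(f"{acl} is not attached to {flex_profile}")
    elif not cwa:
        problems.append(f"{acl} is attached without central-webauth")
    return problems

if __name__ == "__main__":
    print(check_custom_acl(SAMPLE_CONFIG, "NEW_ACL") or "OK")
```

Running the same check after each Catalyst Center provisioning run shows whether the manually added binding is still in place.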

Hi,

And from DNAC release 2.3.5.3 with a 3504 controller, is it better to create a new ACL?

Environment

1x 3504 Controller Version: 8.10.185.0 for this customer fabric

1x DNAC 2.3.5.3

2x Cisco ISEs 3.3 Patch 2

Regards
Leonardo Santana


jalejand
Cisco Employee

If upgrade is not a possibility, you can do it manually too in AireOS.
The CLI way to create the ACL on the AireOS is a bit more complex (and tedious in some way) than doing it on the GUI; so I would create another one via GUI and add it to the FLEX profile like this:

config fabric flex-acl-template template-entry DNAC_FABRIC_FLEX_ACL_TEMPLATE add [new_ACL_Name]

The rest is the same (modify ISE authorization profile to use the new ACL name)