roger perkin
Beginner

Firewall ports to open for Guest WebAuth with ISE 2.3 Inside

I am setting up a Guest Sponsor Portal, with ISE 2.3 which is hosted on the Internal network. 

I am dropping my guest wireless users in the DMZ and need to open the appropriate firewall ports on the firewall to make this work. 

Can anyone point me to any good resources or advise what ports need to be opened each way? 

Thanks

Roger

11 REPLIES
jan.nielsen
Rising star

If you didn't change the default port for guest portals, it's port tcp/8443 towards all your PSN nodes.

I only have one ISE instance and that is running all personas and is hosted on the Internal network. 

I have guest wireless users being dropped into the DMZ 

So what ports need to be opened to allow this guest user to hit the web portal and get authenticated? 

I assume they get dropped into the DMZ and hit the WebAuth ACL and can only see ISE.

Just a bit confused about that being internal and the client in the DMZ.

I do not plan to put a PSN in the DMZ

Thanks

Based on your WLC Preauth ACL, check if you are allowing traffic from Enduser/WLC to DHCP/DNS/ISE:8443 subnets on your FW.


In my case I am just allowing the following, but under your scenario it looks like you need to adjust the FW accordingly because you are using a DMZ.

[Image: PREAUTH-ACL.png]

So is all I need to allow from a guest user in the DMZ access to ISE:8443?

Surely it must need more?

Check first if your device on the guest SSID is getting a VALID IP from the WLC interface. If that part is ok, then the only thing you need is to allow traffic from the Guest subnet/WLC to ISE on port 8443. IMPORTANT to mention that the WLC Guest SSID requires a URL Redirect to the ISE Login portal for Guest like this (you have to copy this link from ISE directly and replace the IP with the FQDN of ISE):
https://guest.domain:8443/portal/PortalSetup.action?portal=10be2e90-8001-11e5-b027-3440b5d4e810

On the other hand, are you allowing traffic from the WLC subnet to the ISE server for Authentication on ports 1812 and 1813? If not, check this part as well.

I have currently got a 3504 with one interface dropping guest wireless users in a DMZ 

They get their IP from the firewall interface and get access to the internet 

SSID auth is via PSK 

I now want to use an internal ISE server to implement Guest Portal 

So need to work through the flow 

So wireless client connects to open SSID and gets dropped into DMZ 

Gets an IP but can only talk to ISE 

That client will need 

ISE:8443 

1812 and 1813 open to ISE for authentication. 

What needs to be open from ISE to guest user? 

This seems very logical but I can't find a simple step by step design of how this works. 

Perfect, that is just what I was looking for but didn't know what it was called! 


So in terms of firewall rules:

Do I need to allow these both ways or just DMZ to ISE?

As I don't think there is any traffic initiated from ISE in this process?

  • UDP:1645, 1812 (RADIUS Authentication)
  • UDP:1646, 1813 (RADIUS Accounting)
  • UDP:1700 (RADIUS CoA)
  • TCP:8443 Guest Portal or 8905 if you have Posturing.

CoA is initiated by ISE, so take a look at the following link for the required ports to be opened:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html


Session

  • RADIUS Authentication: UDP/1645, 1812
  • RADIUS Accounting: UDP/1646, 1813
  • RADIUS Change of Authorization (CoA) Send: UDP/1700
  • RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799

Note: UDP port 3799 is not configurable.

Thanks and are these both ways? Or just DMZ to ISE 

Make it both ways.
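The thread settles on a port list but never writes the flows down with their initiator, which is what decides the rule direction on a firewall: the guest client opens the portal connection, the WLC opens the RADIUS connections, and ISE opens the CoA connection back to the WLC (which is why "DMZ to ISE only" is not enough). The following is an added example, not code from the thread or from Cisco: it encodes the ports quoted above (RADIUS 1645/1812 and 1646/1813, CoA 1700, portal 8443, posture 8905) as initiator-to-responder flows and audits a candidate rule set for the ones it fails to permit. The addresses for the guest DMZ, the WLC management interface and the ISE node are assumed for illustration; the rule format is a simplified stand-in for whatever your firewall actually uses. Return traffic is taken to be handled by the firewall's state table, so only the initiating direction is checked.

```python
"""
Direction-aware audit of the firewall flows an ISE guest (central web auth)
deployment needs when ISE sits inside and guest clients sit in a DMZ.
Added example; not from the thread or from Cisco. Ports come from the
thread, addresses are assumed, and the Rule format is a stand-in for a real
firewall policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Assumed topology (constructed for this example)
GUEST_DMZ = "192.0.2.0/24"   # guest clients dropped into the DMZ
WLC_MGMT = "10.0.0.10/32"    # WLC management interface (the RADIUS client)
ISE = "10.0.1.20/32"         # single ISE node running all personas, inside


@dataclass(frozen=True)
class Required:
    src: str         # initiator; return traffic rides the state table
    dst: str         # responder
    proto: str
    ports: tuple     # any one of these ports satisfies the flow
    purpose: str


@dataclass(frozen=True)
class Rule:
    """One permit entry in a (hypothetical) stateful firewall policy."""
    src: str
    dst: str
    proto: str
    port: Optional[int]   # None means any destination port


def required_flows(posture: bool = False) -> list[Required]:
    """The flows the thread identifies, each with its real initiator."""
    flows = [
        Required(GUEST_DMZ, ISE, "tcp", (8443,), "guest portal"),
        Required(WLC_MGMT, ISE, "udp", (1812, 1645), "RADIUS authentication"),
        Required(WLC_MGMT, ISE, "udp", (1813, 1646), "RADIUS accounting"),
        # CoA is sent by ISE, so the rule has to be ISE -> WLC, not the reverse.
        Required(ISE, WLC_MGMT, "udp", (1700,), "RADIUS CoA (ISE initiates)"),
    ]
    if posture:
        flows.append(Required(GUEST_DMZ, ISE, "tcp", (8905,), "posture"))
    return flows


def rule_covers(rule: Rule, flow: Required, port: int) -> bool:
    """True if `rule` permits `flow` on `port` in the initiating direction."""
    return (
        ip_network(rule.src).supernet_of(ip_network(flow.src))
        and ip_network(rule.dst).supernet_of(ip_network(flow.dst))
        and rule.proto in (flow.proto, "any")
        and rule.port in (port, None)
    )


def audit(policy: list[Rule], posture: bool = False) -> list[str]:
    """Return a description of every required flow no rule in `policy` permits."""
    missing = []
    for flow in required_flows(posture):
        if not any(rule_covers(r, flow, p) for r in policy for p in flow.ports):
            ports = "|".join(str(p) for p in flow.ports)
            missing.append(f"{flow.purpose}: {flow.src} -> {flow.dst} {flow.proto}/{ports}")
    return missing


if __name__ == "__main__":
    # The policy the thread starts from: only the portal flow from the DMZ.
    portal_only = [Rule(GUEST_DMZ, ISE, "tcp", 8443)]
    for line in audit(portal_only, posture=True):
        print("MISSING", line)
```

With only the DMZ-to-ISE:8443 rule the audit reports RADIUS authentication, RADIUS accounting and CoA as missing; adding WLC-to-ISE on 1812/1813 clears the first two, and only a rule in the ISE-to-WLC direction on 1700 clears the CoA entry, since a WLC-to-ISE:1700 rule covers the wrong initiator.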
