Redirect ACL for Entra ID / Office 365 SAML login with Cisco ISE

floriandarras
Level 1

Hello everyone, 

We are working on an ISE deployment for which we have a captive portal configured for users to log in with their O365 (Azure / Entra ID) login.

The setup is working great at the moment, but I am worried about the durability / scalability of the current setup. Indeed, for the authentication to work, the unauthenticated user needs to be redirected to the portal and also needs to be able to reach Microsoft's resources to authenticate with their O365 credentials. My worry is that the ACL is configured with static IP addresses, and if these change in the future, we might see some issues with SAML authentication. We looked online for documentation but did not really find what we were looking for. We tried several options, but all of them rely on static IP addresses at some point:

  1. Using the FQDN directly in the ACL results in the switch resolving the name and configuring the current IP address in the ACL.
  2. Using object-groups results in the same thing: an FQDN entered there is resolved by the switch and the currently resolved IP address is used in the configuration.
  3. We have seen configurations using scripts to make this a bit more dynamic, but I am not a big fan of that and would like to find a more built-in option.

Our current ACL looks like the following: 

Extended IP access list ACL_WEBAUTH_REDIRECT
deny ip any host ###Captive_Portal_IP_1###
deny ip any host ###Captive_Portal_IP_2###
deny udp any any eq domain
deny udp any eq bootpc any eq bootps
deny ip any object-group obj-login.live.com
deny ip any object-group obj-go.microsoft.com
deny ip any object-group obj-aadcdn.msauth.net
deny ip any object-group obj-aadcdn.msftauth.net
deny ip any object-group obj-graph.microsoft.com
deny ip any object-group obj-app.vssps.dev.azure.com
deny ip any object-group obj-login.microsoftonline.com
deny ip any object-group obj-app.vssps.visualstudio.com
deny ip any object-group obj-login.microsoftonline-p.com
deny ip any object-group obj-management.core.windows.net
deny ip any object-group obj-secure.aadcdn.microsoftonline-p.com
deny ip any object-group obj-aadcdn.msauthimages.net
permit ip any any

With network objects that look like this: 

Network object group obj-management.core.windows.net
host 23.102.135.246

Network object group obj-secure.aadcdn.microsoftonline-p.com
host 13.107.246.67

As I stated at the beginning of the post, this configuration works well at the moment, but if Microsoft changed some of the IPs, or if some of these FQDNs were reachable from several IPs (which is probably the case for some of them), we might encounter issues in the future.

Would someone have any leads to a better option to make this configuration more dynamic?
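Until a built-in option turns up, the practical risk in the post is silent drift: the object-groups hold the IP the switch resolved once, while the FQDN's DNS answer moves on. The following is an added example (not part of the original post or of any Cisco or ISE tooling) that parses the "Network object group obj-<fqdn>" output shown above and reports FQDNs whose current A records are not covered by the configured hosts, so the redirect ACL can be checked on a schedule before SAML logins start failing. The sample output and the IPs are constructed for the example; the live resolver uses the standard library only.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample of "show object-group" output, modelled on the post.
SAMPLE_OBJECT_GROUPS = """\
Network object group obj-management.core.windows.net
 host 23.102.135.246

Network object group obj-secure.aadcdn.microsoftonline-p.com
 host 13.107.246.67
"""

GROUP_RE = re.compile(r"^Network object group obj-(\S+)\s*$")
HOST_RE = re.compile(r"^\s*host (\S+)\s*$")


def parse_object_groups(text: str) -> Dict[str, Set[str]]:
    """Map each FQDN (taken from the obj-<fqdn> group name) to the host IPs under it."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, set())
            continue
        m = HOST_RE.match(line)
        if m and current is not None:
            groups[current].add(m.group(1))
    return groups


def find_drift(groups: Dict[str, Set[str]],
               resolve: Callable[[str], Iterable[str]]) -> Dict[str, List[str]]:
    """Return FQDN -> live IPv4 addresses that the object-group does not contain.

    `resolve` is injected so the check can run against a recorded answer set;
    any FQDN with a non-empty list here would be caught by the final 'permit'
    in the ACL and redirected, breaking the Entra ID login flow.
    """
    drift: Dict[str, List[str]] = {}
    for fqdn, configured in groups.items():
        missing = set(resolve(fqdn)) - configured
        if missing:
            drift[fqdn] = sorted(missing)
    return drift


def resolve_dns(fqdn: str) -> List[str]:
    """Live IPv4 resolution via the host resolver (network access required)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Point this at the real "show object-group" output in production.
    for fqdn, ips in find_drift(parse_object_groups(SAMPLE_OBJECT_GROUPS), resolve_dns).items():
        print(f"DRIFT {fqdn}: not in object-group -> {', '.join(ips)}")
```

Because a single DNS query only returns one answer set, run the check several times over a day (or from each site's resolver) before trusting a "no drift" result for FQDNs fronted by a CDN.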

1 Reply

floriandarras
Level 1

Small bump on this topic: would anyone have an idea or documentation that I could check for this?