02-12-2024 08:07 AM
Hello everyone,
We are working on an ISE deployment for which we have a captive portal configured for users to log in with their O365 (Azure / Entra ID) login.
The setup is working great at the moment, but I am worried about the durability / scalability of the current setup. Indeed, for the authentication to work, the unauthenticated user needs to be redirected to the portal and needs to be able to access Microsoft's resources as well to authenticate using their O365 credentials. My worry is that the ACL is configured with static IP addresses, and if these change in the future, we might see some issues with SAML authentication. We looked online for documentation but did not really find what we were looking for. We tried several options, but all of them rely on static IP addresses at some point.
Our current ACL looks like the following:
Extended IP access list ACL_WEBAUTH_REDIRECT
deny ip any host ###Captive_Portal_IP_1###
deny ip any host ###Captive_Portal_IP_2###
deny udp any any eq domain
deny udp any eq bootpc any eq bootps
deny ip any object-group obj-login.live.com
deny ip any object-group obj-go.microsoft.com
deny ip any object-group obj-aadcdn.msauth.net
deny ip any object-group obj-aadcdn.msftauth.net
deny ip any object-group obj-graph.microsoft.com
deny ip any object-group obj-app.vssps.dev.azure.com
deny ip any object-group obj-login.microsoftonline.com
deny ip any object-group obj-app.vssps.visualstudio.com
deny ip any object-group obj-login.microsoftonline-p.com
deny ip any object-group obj-management.core.windows.net
deny ip any object-group obj-secure.aadcdn.microsoftonline-p.com
deny ip any object-group obj-aadcdn.msauthimages.net
permit ip any any
With network objects that look like this:
Network object group obj-management.core.windows.net
host 23.102.135.246
Network object group obj-secure.aadcdn.microsoftonline-p.com
host 13.107.246.67
As I stated at the beginning of the post, this configuration works well at the moment, but if Microsoft changed some of the IPs, or if some of these FQDNs were reachable from several IPs (which is probably the case for some of them), we might encounter issues in the future.
Would someone have any leads to a better option to make this configuration more dynamic?
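The failure mode described above (an object-group pinned to one address while the FQDN it stands for resolves to several, or moves) can at least be detected before it breaks the portal. The following is an added example, not code from the original post or from Cisco: it parses IOS-style `object-group network` blocks whose names carry the FQDN (as the posted `obj-<fqdn>` naming does), compares the configured hosts against what the name currently resolves to, and regenerates the blocks. The resolver is injected so the example runs offline against constructed data; `resolve_dns()` uses `socket.getaddrinfo` for real use. The sample config and the addresses in it are constructed placeholders, not actual Microsoft addresses.

```python
"""Drift check for the redirect ACL's FQDN-named network object-groups.

Added example (not from the original post). Parses 'object-group network'
blocks, resolves the FQDN embedded in each group name, reports stale and
missing hosts, and renders a refreshed configuration.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Set

# Constructed sample in the same shape as the posted object-groups.
# Addresses are documentation ranges (RFC 5737), not real Microsoft IPs.
SAMPLE_CONFIG = """\
object-group network obj-login.microsoftonline.com
 host 203.0.113.10
 host 203.0.113.11
object-group network obj-aadcdn.msauth.net
 host 198.51.100.7
"""

# Constructed "current DNS": .11 has gone away and .12 has appeared.
CONSTRUCTED_DNS = {
    "login.microsoftonline.com": {"203.0.113.10", "203.0.113.12"},
    "aadcdn.msauth.net": {"198.51.100.7"},
}

GROUP_RE = re.compile(r"^object-group network (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")

Resolver = Callable[[str], Set[str]]


def parse_object_groups(config: str) -> Dict[str, Set[str]]:
    """Map each object-group name to the set of 'host' entries under it."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        m = HOST_RE.match(line)
        if m and current is not None:
            groups[current].add(m.group(1))
    return groups


def fqdn_from_group(name: str) -> str:
    """The posted naming convention is obj-<fqdn>; strip the prefix."""
    return name[4:] if name.startswith("obj-") else name


def resolve_dns(fqdn: str) -> Set[str]:
    """Live resolver: every IPv4 address the name currently returns."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def constructed_resolver(fqdn: str) -> Set[str]:
    """Offline stand-in for resolve_dns backed by CONSTRUCTED_DNS."""
    return set(CONSTRUCTED_DNS.get(fqdn, ()))


def check_drift(groups: Dict[str, Set[str]], resolver: Resolver) -> Dict[str, Dict[str, Set[str]]]:
    """For each group: hosts no longer returned (stale) and returned but
    not configured (missing). A 'missing' host is traffic the redirect ACL
    would still redirect, which is what breaks the SAML flow."""
    report = {}
    for name, hosts in groups.items():
        live = resolver(fqdn_from_group(name))
        report[name] = {"stale": hosts - live, "missing": live - hosts}
    return report


def render_object_groups(groups: Dict[str, Set[str]], resolver: Resolver) -> str:
    """Re-emit each group with the addresses the FQDN resolves to right now."""
    lines = []
    for name in sorted(groups):
        lines.append(f"object-group network {name}")
        for ip in sorted(resolver(fqdn_from_group(name)), key=ipaddress.ip_address):
            lines.append(f" host {ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_object_groups(SAMPLE_CONFIG)
    for name, diff in check_drift(parsed, constructed_resolver).items():
        print(name, "stale:", sorted(diff["stale"]), "missing:", sorted(diff["missing"]))
    print(render_object_groups(parsed, constructed_resolver))
```

A DNS snapshot is only a point-in-time view from one resolver, so running this on a schedule and alerting on any non-empty `missing` set is a detection aid, not a replacement for an authoritative endpoint list; it does, however, surface exactly the condition the post worries about (a name answering with addresses the ACL does not cover) before users start failing at the portal.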
02-19-2024 06:42 AM
Small bump on this topic: would anyone have an idea or documentation that I could check for this?