ivan.yeung
Beginner

web redirection ACL (deny or permit)

Hi all,

I looked at two Cisco web pages describing the web redirection ACL; however, they seem totally different. Am I missing something? Or is the configuration of the redirection ACL totally different on ISE and WLC?

1)

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

The final step is to create a redirect ACL. This ACL is referenced in the access-accept of the ISE and defines what traffic should be redirected (denied by the ACL) and what traffic should not be redirected (permitted by the ACL). Here you just prevent from redirection traffic towards the ISE. You might want to be more specific and only prevent traffic to/from the ISE on port 8443 (guest portal), but still redirect if a user tries to access the ISE on port 80/443.

 

2)

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

For the redirection ACL, think of denying action as a deny redirection (not deny traffic), and permit action as permit redirection. The WLC will only look into traffic that it can redirect (port 80 and 443 by default).

 

Accepted Solutions
Mohammed al Baqari
VIP Advisor

Hi,

You are looking at configs for two different controllers, and their ACLs operate in opposite ways. AirOS WLCs are different from IOS-XE WLCs. Hope that helps.

So if you are using 9800 WLCs, deny will not redirect.
If you are using 3504 (for example), deny will redirect.


**** please remember to rate useful posts
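
The following is an added example, not part of the original thread or of Cisco's documentation: a small Python model of the two redirect-ACL semantics described above, showing what happens when an ACL written for one platform is applied to the other. The ISE address, client destination and rule sets are constructed sample values, and treating unmatched traffic as an implicit deny is an assumption.

```python
from ipaddress import ip_address, ip_network

ISE = "192.0.2.10"        # constructed sample address for the ISE portal
WEB = "198.51.100.5"      # constructed sample destination a guest browses to

# Rule format: (action, destination network, TCP port or None for any port)
AIREOS_ACL = [("permit", f"{ISE}/32", 8443)]   # AirOS style: permit = do not redirect
IOSXE_ACL = [("deny", f"{ISE}/32", None),      # IOS-XE style: deny = do not redirect
             ("permit", "0.0.0.0/0", 80),      # permit = redirect
             ("permit", "0.0.0.0/0", 443)]

REDIRECTABLE_PORTS = {80, 443}  # 9800 default, per the document quoted above


def first_match(acl, dst, port):
    """Return the action of the first matching rule."""
    for action, net, rule_port in acl:
        if ip_address(dst) in ip_network(net) and rule_port in (None, port):
            return action
    return "deny"  # assumption: implicit deny when nothing matches


def redirects(platform, acl, dst, port):
    """True if the ACL decision on this platform is 'redirect to the portal'."""
    action = first_match(acl, dst, port)
    if platform == "aireos":   # e.g. 3504: deny will redirect
        return action == "deny"
    if platform == "iosxe":    # e.g. 9800: deny will not redirect
        return port in REDIRECTABLE_PORTS and action == "permit"
    raise ValueError(f"unknown platform: {platform}")


def audit(platform, acl):
    """Check the two properties a working CWA redirect ACL needs."""
    return {
        "guest_web_redirected": redirects(platform, acl, WEB, 80),
        "portal_reachable": not redirects(platform, acl, ISE, 8443),
    }


if __name__ == "__main__":
    for platform, acl, label in [("aireos", AIREOS_ACL, "AirOS ACL on AirOS"),
                                 ("iosxe", IOSXE_ACL, "IOS-XE ACL on IOS-XE"),
                                 ("iosxe", AIREOS_ACL, "AirOS ACL on IOS-XE"),
                                 ("aireos", IOSXE_ACL, "IOS-XE ACL on AirOS")]:
        print(f"{label}: {audit(platform, acl)}")
```

In this model, either ACL applied to the wrong platform leaves guest web traffic unredirected, and the IOS-XE style ACL on AirOS also marks the portal's own traffic for redirection.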
