What URLs need to be allowed for the Guest Portal REDIRECT ACL using SAML and a Microsoft Office IdP?

Arne Bier
VIP

Hello

 

I am no SAML expert, but we have an ISE 2.7 Guest Portal that uses SAML as the portal authentication method.

The SAML stuff is working well and we can test it via the ISE Portal test feature.

 

But as for the actual wireless client test, the user receives the URL redirection string (which includes the ISE portal FQDN) and then I believe ISE internally redirects that off to the Microsoft public cloud for the user's login (you never see the ISE Portal). Typically, the ACL for redirection allows DNS, DHCP and the ISE PSNs, and blocks everything else. That's the issue: we need to allow access to the Microsoft sites that are part of this SAML auth.

 

The challenge is finding out exactly which URLs. URLs would be preferred, since we don't want to base it on IP addresses or prefixes. Having said that, I don't get the feeling that the 9800 (in SDA fabric mode) supports URL filtering. Then IP prefix filters might be the only sure way to do this.

 

Microsoft publishes some information but it's hard to say whether it applies in our case or not.

We tried running tcpdump to see the DNS queries on the client, but the access still didn't work after adding in the URLs.

 

If anyone has a proven list of URLs that has worked for them, please share.


4 Replies

Greg Gibbs
Cisco Employee

The following URLs are what I configured in my WLC redirect ACL when I tested Guest Portal authentication against Azure AD SAML IdP in my lab. I was using an AireOS WLC model, but it looks like the 9800 does support DNS-based ACLs.

login.microsoftonline.com
aadcdn.microsoftonline-p.com
aadcdn.msauth.net

Thanks mate! login.microsoftonline.com looks familiar; I hadn't spotted the other two. I will try to use the URL filtering and then feed back.

Hi @Greg Gibbs

 

The URL Filter solved the problem: I was able to be redirected to my Microsoft tenant!

The second URL in your list (aadcdn.microsoftonline-p.com) does not exist; it's secure.aadcdn.microsoftonline-p.com.

 

The other little nugget I will share here is that we are using SD-Access wireless, and everything is provisioned by DNAC. Thus, the APs are in "Local" mode, and the data plane is not centrally switched. I read somewhere that in SDA there is no concept of FlexConnect. I don't know how true that is, but it turns out that the ACL and the URL Filter are applied to the Flex Policy on the 9800 when in fabric mode. If you don't have the ACL and URL Filter applied to the Flex Policy, then the 9800 complains that the redirection ACL doesn't exist. So add it to the Flex Policy, along with the URL Filter.

 

My final URL filter list included the following (this is for the Oceania region; URLs can be geography-dependent):

login.live.com
go.microsoft.com
aadcdn.msauth.net
aadcdn.msftauth.net
graph.microsoft.com
app.vssps.dev.azure.com
login.microsoftonline.com
app.vssps.visualstudio.com
login.microsoftonline-p.com
management.core.windows.net
secure.aadcdn.microsoftonline-p.com

I didn't have time to prove/validate whether we needed ALL of the above, but I took guidance from Microsoft's own documentation to augment what Greg had provided.

 

 

@Arne Bier, thanks for the update mate!

The DNS-based ACLs typically match any URL that matches the suffix configured, but it's always best to have a longer match if possible.
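To show where the pieces from this thread land on a Catalyst 9800 in fabric mode (the redirect ACL that passes DNS, DHCP and the PSNs, the DNS-based URL filter for the IdP, and the flex-profile binding Arne describes), here is an added configuration example. It is not configuration posted by either participant. The ACL name ACL_WEBAUTH_REDIRECT, the filter list name URLF_MS_SAML, the flex profile name FLEX_SDA and the PSN addresses 10.1.1.10 and 10.1.1.11 are placeholders; the FQDNs are Arne Bier's final Oceania list from this thread. Command syntax is as I know it from IOS-XE 17.x and should be checked against the release in use.

```ios
! Added example, not configuration from this thread. Placeholders:
! ACL_WEBAUTH_REDIRECT, URLF_MS_SAML, FLEX_SDA, 10.1.1.10, 10.1.1.11.
!
! Redirect ACL. On the 9800 the sense is the reverse of AireOS:
! "deny" = forward without redirecting, "permit" = intercept and redirect
! to the portal. DNS, DHCP and the ISE PSNs must therefore be deny entries,
! or the client can never resolve names or reach the portal and IdP.
ip access-list extended ACL_WEBAUTH_REDIRECT
 remark --- pass-through, never redirected ---
 10 deny   udp any any eq domain
 20 deny   udp any any eq bootps
 30 deny   udp any any eq bootpc
 40 deny   ip any host 10.1.1.10
 50 deny   ip any host 10.1.1.11
 remark --- everything else on web ports is redirected ---
 60 permit tcp any any eq www
 70 permit tcp any any eq 443
!
! Pre-auth DNS-based URL filter for the Azure AD SAML IdP. The WLC snoops
! the DNS replies for these names and lets traffic to the resolved
! addresses through before the client is authenticated.
urlfilter list URLF_MS_SAML
 action permit
 filter-type pre-auth
 url login.live.com
 url go.microsoft.com
 url aadcdn.msauth.net
 url aadcdn.msftauth.net
 url graph.microsoft.com
 url app.vssps.dev.azure.com
 url login.microsoftonline.com
 url app.vssps.visualstudio.com
 url login.microsoftonline-p.com
 url management.core.windows.net
 url secure.aadcdn.microsoftonline-p.com
!
! In SD-Access fabric mode the redirect ACL and its URL filter are bound in
! the flex profile; without this binding the 9800 reports the redirect ACL
! named by ISE as non-existent.
wireless profile flex FLEX_SDA
 acl-policy ACL_WEBAUTH_REDIRECT
  urlfilter list URLF_MS_SAML
```

The ACL name is the one ISE returns in the authorization profile (the cisco-av-pair url-redirect-acl), so it must match exactly. Because the URL filter matches by suffix, as Greg notes, each entry opens every host under that name to unauthenticated clients; keep the entries as specific as the IdP flow allows, and remove any the tenant turns out not to need rather than leaving a broad Microsoft allow in the pre-auth walled garden.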
