Urgent: ACL on WLC 5508 + Transparent Proxy

habibalby (Level 1)

Hello,

I'm doing some experiment on a test SSID to configure ACL for limited resources on our Wired/Wireless network.

I would like to use the Web Authentication page. I have created an ACL under Access Control Lists, named ICT, with the following rules:

Seq  Action  Source IP/Mask     Destination IP/Mask  Protocol  Source Port  Dest Port  DSCP  Direction  Number of Hits
1    Permit  1.1.1.1/32         0.0.0.0/0.0.0.0      TCP       Any          Any        Any   Outbound
2    Permit  0.0.0.0/32         1.1.1.1/32           TCP       Any          Any        Any   Inbound
3    Permit  0.0.0.0/32         192.168.10.190/32    UDP       DNS          Any        Any   Inbound
4    Permit  192.168.10.190/32  0.0.0.0/0.0.0.0      UDP       DNS          Any        Any   Outbound
5    Permit  0.0.0.0/32         Proxy-vIP/32         Any       Any          Any        Any   Inbound
6    Permit  Proxy-vIP/32       0.0.0.0/0.0.0.0      Any       Any          Any        Any   Outbound

The authentication page comes up fine, but as soon as I enter the username and password correctly, the page doesn't redirect and IE shows the error "The page cannot be displayed".

In the WLAN Edit page -> Security -> Layer 3, I have selected the Preauthentication ACL as ICT, but I still can't browse the Internet.

Any help, highly appreciated.

Regards,

11 Replies

habibalby (Level 1)

Hi,

I have changed the proxy rule to point to the proxy port itself, but it still doesn't work:

Seq  Action  Source IP/Mask     Destination IP/Mask  Protocol  Source Port  Dest Port  DSCP  Direction  Number of Hits
1    Permit  1.1.1.1/32         0.0.0.0/0.0.0.0      TCP       Any          Any        Any   Outbound
2    Permit  0.0.0.0/32         1.1.1.1/32           TCP       Any          Any        Any   Inbound
3    Permit  0.0.0.0/32         192.168.10.190/32    UDP       DNS          Any        Any   Inbound
4    Permit  192.168.10.190/32  0.0.0.0/0.0.0.0      UDP       DNS          Any        Any   Outbound
5    Permit  0.0.0.0/32         Proxy-vIP/32         TCP       8080         Any        Any   Inbound
6    Permit  Proxy-vIP/32       0.0.0.0/0.0.0.0      TCP       8080         Any        Any   Outbound

Hello, yes, it works fine without the proxy, as we just configured PBR for WebSense.

Is there any way to configure an Auth-ACL?

fb_webuser (Level 6)

Does it work without ACL?

Did you enter the right proxy settings in your browser to be sure?

---

Posted by WebUser Erik Boss from Cisco Support Community App

Stephen Rodriguez (Cisco Employee)

If you are looking to limit resources, why do it as a pre-auth ACL? Just use a normal ACL linked to the interface to allow what the users can have access to.

Pre-auth ACLs are there to allow the user to do something prior to authenticating, like reaching an external web server.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

habibalby (Level 1)

Hello,

The purpose of this is to have three separate SSIDs, each with access to different resources. I have created one SSID for testing and experimenting. I've just started creating ACLs and linking them to the interface and to the SSID as well, and I'm facing this issue: a client connected to that SSID cannot access the Internet.

Other ACLs, such as DHCP and ICMP ping, are working fine. I have managed to create a rule to allow the client to reach the authentication page, but when the username and password are supplied, the page doesn't redirect to the external destination.

Any help?

I'm a few beers into the holiday week...

But DHCP will always work, because the WLC ACL doesn't and can't block broadcast and multicast traffic.
That traffic flows regardless. When you use the proxy, do the packets get written to the proxy server? For giggles, do a permit any any in line 7.

As Steve mentioned, the pre-auth ACL is used for different purposes, not what you are trying to do.
Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

fb_webuser (Level 6)

And to block the data directly... Your option is also possible, steprodr. But then you're using the wireless network and blocking it afterwards, wasting your wireless bandwidth.

---

Posted by WebUser Erik Boss from Cisco Support Community App

habibalby (Level 1)

Could you please elaborate? Where should it be blocked then? At the core switch level?

Sent from Cisco Technical Support Android App

habibalby (Level 1)

Hello,

I think this is the document I'm supposed to follow:

Web Authentication Proxy Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080c02f1e.shtml

Let me see how this can be done and I will update you guys.

Regards,

habibalby (Level 1)

Hello,

The Web Authentication proxy is for organizations that have an explicit proxy configured in their browsers and want to present an authentication page from the WLC. Sorry, this solution is not for what I intend to do.

I have created a test ACL as below and the Internet started working, but this rule is actually nothing, because I started reaching everything on the other VLANs.

Sequence

Source = Any

Destination = Any

Protocol = Any

DSCP = Any

Direction = Any

Action = Permit

habibalby (Level 1)

Hello,

I have installed Wireshark on the test machine to see what's going on when an ACL with limited destination ports is applied, and with an ACL having:

Source = Any

Destination = Any

Protocol = Any

DSCP = Any

Direction = Any

Action = Permit

When this ACL is applied, the client immediately reaches the proxy and is presented with the authentication prompt page.

In Wireshark, I can see source port 54492, destination port http-alt 8080, from the client IP address to the WebSense proxy on the physical interface, not the virtual interface.

Any thing can be done on this?
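An added example for this thread (my code, not Cisco's and not code from any poster): a small Python model of WLC-style per-client ACL matching, used to run the two posted rule tables against the flows the Wireshark capture above shows. It assumes the matching semantics I know from AireOS (rules evaluated in sequence order, first match wins, implicit deny at the end, Inbound = from the wireless client toward the wired side, Outbound = back toward the client), treats the posted 0.0.0.0 source entries as "any", and uses constructed placeholder addresses for the client and for the thread's "Proxy-vIP".

```python
"""Model of WLC (AireOS) per-client ACL matching, written for this thread.

Assumptions (mine, not taken from Cisco documentation): rules are evaluated in
sequence order, the first match wins, an implicit deny follows the last rule,
"in" is traffic from the wireless client toward the WLC/wired side and "out" is
traffic back toward the client.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a protocol or a port

# Addresses: 1.1.1.1 and 192.168.10.190 come from the thread; the client and
# the proxy VIP are constructed placeholders standing in for "Proxy-vIP".
VIRTUAL_IP = "1.1.1.1"
DNS_SERVER = "192.168.10.190"
PROXY_VIP = "192.168.10.200"   # placeholder
CLIENT = "192.168.10.77"       # placeholder


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    src: str                    # "a.b.c.d/prefix" or "any"
    dst: str
    proto: Optional[str]        # "tcp", "udp", "icmp" or ANY
    sport: Optional[int]        # source port or ANY
    dport: Optional[int]        # destination port or ANY
    direction: str              # "in", "out" or "any"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    direction: str              # "in" or "out"


def _network(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every populated field of the rule covers the flow."""
    return (
        ipaddress.ip_address(flow.src_ip) in _network(rule.src)
        and ipaddress.ip_address(flow.dst_ip) in _network(rule.dst)
        and rule.proto in (ANY, flow.proto)
        and rule.sport in (ANY, flow.sport)
        and rule.dport in (ANY, flow.dport)
        and rule.direction in ("any", flow.direction)
    )


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); (deny, None) is the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, flow):
            return rule.action, rule.seq
    return "deny", None


def acl_as_posted() -> List[Rule]:
    """The second table from the thread, 0.0.0.0 entries read as 'any'."""
    return [
        Rule(1, "permit", f"{VIRTUAL_IP}/32", "any", "tcp", ANY, ANY, "out"),
        Rule(2, "permit", "any", f"{VIRTUAL_IP}/32", "tcp", ANY, ANY, "in"),
        Rule(3, "permit", "any", f"{DNS_SERVER}/32", "udp", 53, ANY, "in"),
        Rule(4, "permit", f"{DNS_SERVER}/32", "any", "udp", 53, ANY, "out"),
        Rule(5, "permit", "any", f"{PROXY_VIP}/32", "tcp", 8080, ANY, "in"),
        Rule(6, "permit", f"{PROXY_VIP}/32", "any", "tcp", 8080, ANY, "out"),
    ]


def acl_corrected() -> List[Rule]:
    """Same table with the service port moved to Dest Port on the inbound rules 3 and 5."""
    fixed = {3: Rule(3, "permit", "any", f"{DNS_SERVER}/32", "udp", ANY, 53, "in"),
             5: Rule(5, "permit", "any", f"{PROXY_VIP}/32", "tcp", ANY, 8080, "in")}
    return [fixed.get(r.seq, r) for r in acl_as_posted()]


def client_flows() -> Dict[str, Flow]:
    """Constructed flows; 54492 -> 8080 is the pair seen in the Wireshark capture."""
    return {
        "dns_query": Flow(CLIENT, DNS_SERVER, "udp", 51234, 53, "in"),
        "dns_reply": Flow(DNS_SERVER, CLIENT, "udp", 53, 51234, "out"),
        "to_proxy": Flow(CLIENT, PROXY_VIP, "tcp", 54492, 8080, "in"),
        "from_proxy": Flow(PROXY_VIP, CLIENT, "tcp", 8080, 54492, "out"),
    }


def report(acl: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(acl, flow) for name, flow in client_flows().items()}


if __name__ == "__main__":
    for label, acl in (("as posted", acl_as_posted()), ("corrected", acl_corrected())):
        print(f"ACL {label}:")
        for name, verdict in report(acl).items():
            print(f"  {name:<10} -> {verdict}")
```

Run as-is it prints one verdict per flow. The table as posted denies the client's SYN to port 8080 and its DNS query, because rules 3 and 5 carry the service port in the Source Port column: a client-originated connection uses an ephemeral source port (54492 in the capture) and the service port as the destination, so neither rule matches and the implicit deny drops the packet, which is what "The page cannot be displayed" looks like from the browser. The return-direction rules 4 and 6 are right as written, since the server does answer from port 53 or 8080. Moving the service port to Dest Port on rules 3 and 5 is the only change in acl_corrected. None of this changes the point made earlier in the thread: a pre-auth ACL only governs what the client can reach before web authentication succeeds; what it may reach afterwards is set by the ACL applied to the interface or WLAN.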
