03-08-2023 11:53 PM
hello everyone! I am using cisco 9800 17.3.1 and I have difficulties in setting up the work of the external authorization portal and the radius server in flex connect local switching mode. I need your help. My questions: 1. I configured preauth URL Filtering and added it to flex connect profile settings. But there is no access to these websites before authorization. What am I doing wrong? 2. My external radius server requires a session-id in the access-request. But this attribute is not transmitted by the controller. I also tried to add it with the radius-server attribute 44 include-in-access-req all command. But it didn't work. What to do? 3. For users of the guest WiFi network, it is necessary to limit the speed of Internet access. Previously, on wlc 8.5 aireos, I did this on the radius server in access-accept in the vsa attributes airespace-data-bandwidth contract. But the wlc 9800 does not understand these attributes. How can I limit the access speed for guests?
03-09-2023 01:15 AM
Lets do one task at a time - rather making too many changes at once, you end up not going any where what you looking to do.
Lets take 1 and 2 of your questions :
what Radius Server you using? Can you provide what configuration you applied? what is the error you getting when you debug?
have you looked at the flows and ACL required to access to external web access?
03-09-2023 12:09 PM
Thanks for you attention.
I'm using a Free RADIUS server. Below is part of my configuration. Redirecting to an external portal works fine. User authorization is successful. IP address of portal (from webauth policy) automatically added in a system ACL. But before authorization, access to some sites, such as Google, unfortunately does not work, although I have registered them in url filtering.
Thanks for the links, but I've seen them before.
version 17.3
!
aaa new-model
!
!
aaa group server radius test_radius_group
server name test_radius
deadtime 5
mac-delimiter hyphen
!
aaa authentication login test_auth group test_radius_group
aaa authorization network test_authoriz group test_radius_group
aaa accounting update periodic 3
aaa accounting identity test_acc start-stop group test_radius_group
!
aaa server radius dynamic-author
!
aaa session-id common
!
parameter-map type webauth test_webauth
type webauth
redirect for-login https://mysite.com
redirect append ap-mac tag ap_mac
redirect append wlan-ssid tag wlan
redirect append client-mac tag client_mac
redirect portal ipv4 xxx.xxx.xxx.xxx
logout-window-disabled
success-window-disable
cisco-logo-disable
!
!radius-server attribute 44 include-in-access-req all
radius-server attribute wireless accounting mac-delimiter hyphen
radius-server attribute wireless accounting username-delimiter none
radius-server attribute wireless accounting username-case upper
radius-server attribute wireless accounting call-station-id ap-macaddress-ssid
radius-server attribute wireless accounting callStationIdCase upper
radius-server attribute wireless authentication callStationIdCase upper
radius-server attribute wireless authentication mac-delimiter hyphen
radius-server attribute wireless authentication call-station-id ap-macaddress-ssid
radius-server unique-ident 51
radius-server accounting system host-config
!
radius server test_radius
address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
!
wireless aaa policy default-aaa-policy
wireless cts-sxp profile default-sxp-profile
wireless management trustpoint WLC_WLC_TP
wireless management interface Vlan1755
no capwap-discovery private
wireless profile airtime-fairness default-atf-policy 0
wireless profile flex LAB-LSW-flex-profile
acl-policy test_acl
central-webauth
urlfilter list url_filter
description LocalSwitching
no local-auth ap radius
native-vlan-id 1755
vlan-name vlan1767
vlan-id 1767
wireless profile flex default-flex-profile
description "default flex profile"
wireless profile mesh default-mesh-profile
description "default mesh profile"
wireless profile policy test_policy
aaa-override
accounting-list test_acc
no central dhcp
no central switching
session-timeout 300
urlfilter list pre-auth-filter url_filter
vlan vlan1767
no shutdown
wireless tag site LAB-LSW
ap-profile LAB-LSW
flex-profile LAB-LSW-flex-profile
no local-site
wireless tag site default-site-tag
description "default site tag"
wireless tag policy LAB-LSW
wlan test_wlan policy test_policy
urlfilter list url_filter
action permit
url facebook.com
url google.com
wlan test_wlan 6 Cisco_test
mac-filtering test_authoriz
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list test_auth
security web-auth on-macfilter-failure
security web-auth parameter-map test_webauth
no shutdown
end
03-11-2023 10:15 PM
@Elias master I moved your post to Cisco Community Technology and Support / Wireless - Mobility / Wireless as urlfilter list is specific to the wireless controller platform. I think you need a few more and you might need *.google.com. Also, it might not work if you are using DNS over HTTPS (DoH).
03-11-2023 11:53 PM - edited 03-12-2023 12:00 AM
- Check this guide : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-8/config-guide/b_wl_17_8_cg/m_radius-vsa.html
Note that you may meed 17.8.x at minimum for this to work ,
M.
03-12-2023 03:55 PM
So as @hslai has pointed out your ACL should be:
urlfilter list url_filter
action permit
url *.facebook.com
url *.google.com
And as @marce1000 said you need to look at your IOS. 17.3.1 is VERY old and FULL of bugs. If you absolutely must use 17.3 (eg you have 3700 APs) then you should be using 17.3.6 with all the available AP service packs applied as per TAC recommended link below. But really you should be considering 17.9.2 as there are numerous features (in particular for radius) which have been added *after* 17.3. If you need to support 1700/2700/3700 APs then 17.9.3 should be out in the next few weeks and that will support them too - so look at 17.9.2 right away and plan for 17.9.3 when it's released.
And surprisingly Marce didn't suggest this so I will lol: check your config with https://cway.cisco.com/wireless-config-analyzer/ using the output of "show tech wireless"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide