cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
498
Views
2
Helpful
10
Replies

Pre-auth ACL Cisco WLC not working

sschew
Level 1
Level 1

Hi, I have setup push portal with email verification. Once clients are connected to the ssid, they are required to key in their email addresses and will receive a temporary verification code via their email. A pre-auth ACL has been configured on WLC to permit port 25, 587, 465 however the client still unable to receive email. Would like to know if i miss out any config.

10 Replies 10

marce1000
VIP
VIP

 

   - What is the WLC model and software version being used ? Why is the purpose (intend) of specifying those port numbers ?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Its WLC 5520 with software version 8.10.162.0. Those ports number are for SMTP. We configured an external push portal with email verification. 

The client will be redirected to the captive portal (landing page) automatically upon connecting. The landing page displays a form where the user enters their email address and submits it. The server processes the email address and sends a verification email containing a code.

In order for the client to receive the verification email before completely authenticated, we have to configured pre-auth ACL to allow email traffic. 

 

  - I would advise that you try with an 'all-open' ACL first (for testing)  , the problem being that modern e-mail applications (apps)  both sending and receiving may not always use the traditional 'old style' ports 
             If that works , then you can try to capture traffic and check witch ports  are being used

  + As per https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
    The 5520 should use 8.10.196.0 , especially if nothing helps. The aireos based models must these days
    use the last release available , because they are being phased out in favor of the 9800 controllers

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thank you for the suggestion, will try that. 

Pre-auth need also to allow dhcp and dns and http/https 

Add these ports and check

MHM

 

We have allowed both DHCP and DNS. If we are to allow http/https also, isn't that mean client will be to able to do web browsing even without a complete authentication? 

Allow http/https to and from mgmt wlc IP not from ANY 

MHM

We have allowed http/https to the external portal IP, and managed to get the landing page prompted. WIFI client able to obtain IP and submit their email address on the portal but unable to receive the verification code via email. Client switched to mobile data and the verification email came in. Just wondering why do we need to allow http/https to WLC IP since the email is received through internet. 

Ok no need to allow http/https to mgmt ip of wlc if you use external.

Now you allow dns dhcp and http/https abd mail server 

Can I see last acl you use 

MHM

Rich R
VIP
VIP

I think this approach is bound to fail.  SMTP is normally only used for sending email. 

Most email clients will use POP or IMAP for retrieving email and that can be on a variety of different ports:
https://support.host100.co.uk/en/knowledgebase/article/email-protocols-%E2%80%93-pop3-smtp-and-imap-tutorial
By default, the POP3 protocol works on two ports:
Port 110 - this is the default POP3 non-encrypted port
Port 995 - this is the port you need to use if you want to connect using POP3 securely
By default, the IMAP protocol works on two ports:
Port 143 - this is the default IMAP non-encrypted port
Port 993 - this is the port you need to use if you want to connect using IMAP securely

Some mail services may use non-default ports. 

However these days many clients use a web browser (https) to access their email.

The more complicated you make it to use your service the less clients will use it.  The drop off rate for this type of solution is very high.  People will just switch to mobile data rather than use WiFi which is complicated and difficult.
As per https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-2014.pdf

RichR_0-1725214614589.png

 

Review Cisco Networking for a $25 gift card