Pre-auth ACL Cisco WLC not working

sschew (Level 1)

Hi, I have set up a push portal with email verification. Once clients are connected to the SSID, they are required to key in their email addresses and will receive a temporary verification code via their email. A pre-auth ACL has been configured on the WLC to permit ports 25, 587 and 465; however, the client is still unable to receive the email. I would like to know if I missed any config.

10 Replies

marce1000 (VIP)

 

   - What is the WLC model and software version being used? What is the purpose (intent) of specifying those port numbers?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

It's a WLC 5520 with software version 8.10.162.0. Those port numbers are for SMTP. We configured an external push portal with email verification.

The client will be redirected to the captive portal (landing page) automatically upon connecting. The landing page displays a form where the user enters their email address and submits it. The server processes the email address and sends a verification email containing a code.

In order for the client to receive the verification email before being completely authenticated, we have to configure a pre-auth ACL to allow email traffic.

 

  - I would advise that you try with an 'all-open' ACL first (for testing), the problem being that modern e-mail applications (apps), both sending and receiving, may not always use the traditional 'old style' ports.
             If that works, then you can try to capture traffic and check which ports are being used.

  + As per https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
    The 5520 should use 8.10.196.0, especially if nothing helps. The AireOS-based models must these days
    use the last release available, because they are being phased out in favor of the 9800 controllers.

 M.




Thank you for the suggestion, will try that. 

The pre-auth ACL also needs to allow DHCP, DNS and HTTP/HTTPS.

Add these ports and check.

MHM

 

We have allowed both DHCP and DNS. If we also allow HTTP/HTTPS, doesn't that mean the client will be able to browse the web even without completing authentication?

Allow HTTP/HTTPS to and from the WLC management IP, not from ANY.

MHM

We have allowed HTTP/HTTPS to the external portal IP and managed to get the landing page prompted. The Wi-Fi client is able to obtain an IP and submit its email address on the portal, but is unable to receive the verification code via email. When the client switched to mobile data, the verification email came in. Just wondering why we would need to allow HTTP/HTTPS to the WLC IP, since the email is received through the internet.

OK, no need to allow HTTP/HTTPS to the management IP of the WLC if you use an external portal.

Now you allow DNS, DHCP, HTTP/HTTPS and the mail server.

Can I see the last ACL you used?

MHM

Rich R (VIP)

I think this approach is bound to fail. SMTP is normally only used for sending email.

Most email clients will use POP or IMAP for retrieving email, and that can be on a variety of different ports:
https://support.host100.co.uk/en/knowledgebase/article/email-protocols-%E2%80%93-pop3-smtp-and-imap-tutorial

By default, the POP3 protocol works on two ports:
- Port 110 - this is the default POP3 non-encrypted port
- Port 995 - this is the port you need to use if you want to connect using POP3 securely

By default, the IMAP protocol works on two ports:
- Port 143 - this is the default IMAP non-encrypted port
- Port 993 - this is the port you need to use if you want to connect using IMAP securely

Some mail services may use non-default ports. 

However these days many clients use a web browser (https) to access their email.

The more complicated you make it to use your service, the fewer clients will use it. The drop-off rate for this type of solution is very high. People will just switch to mobile data rather than use Wi-Fi that is complicated and difficult.
As per https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-2014.pdf

[attached image: RichR_0-1725214614589.png]
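The thread makes two points that are easy to check before touching the controller: marce1000's advice to capture with an all-open ACL and see which ports the client actually uses, and Rich R's point that the mail retrieval side (POP3 110/995, IMAP 143/993, or webmail over HTTPS) is what the SMTP-only ACL never permitted. The script below is an added example written for this thread, not Cisco code and not the original poster's ACL. It models a pre-auth ACL as a first-match list with an implicit deny, the way a WLC ACL is evaluated, and runs it over the flows you would expect to see in such a capture. All addresses (RFC 5737 documentation ranges), rules and flows are constructed for illustration, and only the client-to-server direction is modelled, which is a simplification of the direction-aware, bidirectional rules a real AireOS ACL uses.

```python
"""Pre-auth ACL check for a captive-portal WLAN (added example, not Cisco code).

Models first-match ACL evaluation with an implicit deny and runs it over the
flows a client generates while submitting its address and then trying to
fetch the verification email. Addresses, rules and flows are constructed;
only client-to-server direction is modelled (a simplification).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "udp", "tcp" or "any"
    dst: str                                   # destination prefix (CIDR)
    dports: Optional[tuple[int, int]] = None   # inclusive port range, None = any


@dataclass(frozen=True)
class Flow:
    label: str
    proto: str
    dst_ip: str
    dport: int


# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
PORTAL = "203.0.113.10/32"   # the external captive-portal host
ANY = "0.0.0.0/0"


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the rule's protocol, destination prefix and port range all cover the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.dports is not None:
        lo, hi = rule.dports
        if not lo <= flow.dport <= hi:
            return False
    return True


def evaluate(acl: list[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow matching no rule hits the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


def blocked_flows(acl: list[Rule], flows: list[Flow]) -> list[str]:
    """Labels of the flows the ACL would drop, in capture order."""
    return [f.label for f in flows if evaluate(acl, f) == "deny"]


# The ACL as described in the question: DHCP, DNS, HTTPS to the portal, SMTP ports.
ORIGINAL_ACL = [
    Rule("permit", "udp", ANY, (67, 68)),
    Rule("permit", "udp", ANY, (53, 53)),
    Rule("permit", "tcp", PORTAL, (443, 443)),
    Rule("permit", "tcp", ANY, (25, 25)),
    Rule("permit", "tcp", ANY, (465, 465)),
    Rule("permit", "tcp", ANY, (587, 587)),
]

# The same ACL plus the POP3/IMAP retrieval ports listed in Rich R's reply.
REVISED_ACL = ORIGINAL_ACL + [
    Rule("permit", "tcp", ANY, (110, 110)),
    Rule("permit", "tcp", ANY, (143, 143)),
    Rule("permit", "tcp", ANY, (993, 993)),
    Rule("permit", "tcp", ANY, (995, 995)),
]

# Constructed stand-in for what a capture taken under an all-open ACL would show.
CLIENT_FLOWS = [
    Flow("dhcp", "udp", "255.255.255.255", 67),
    Flow("dns", "udp", "192.0.2.53", 53),
    Flow("portal-https", "tcp", "203.0.113.10", 443),
    Flow("smtp-submission", "tcp", "198.51.100.25", 587),
    Flow("imaps", "tcp", "198.51.100.25", 993),
    Flow("pop3s", "tcp", "198.51.100.25", 995),
    Flow("webmail-https", "tcp", "198.51.100.80", 443),
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(f"{name}: blocked = {blocked_flows(acl, CLIENT_FLOWS)}")
```

With the original rule set, the DHCP, DNS, portal and SMTP flows pass but every retrieval flow (IMAPS, POP3S and webmail over HTTPS) hits the implicit deny, which matches the symptom in the thread: the portal renders and the address is submitted, but the code never arrives until the client leaves the Wi-Fi. Adding the POP3/IMAP ports fixes the dedicated mail-app case only; the webmail flow is HTTPS to an arbitrary Internet host, and the only rule that would permit it is TCP 443 to any, which is the same as not having a captive portal at all. That is the trade-off Rich R's reply is pointing at.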

 
