01-03-2024 11:10 PM
Hello
I want to know whether the "Preauthentication ACL" in the Cisco WLC is used regardless of whether the Wi-Fi deployment is locally switched or centrally switched?
I await a reply from a Wi-Fi expert.
Thanks
Accepted Solutions
01-04-2024 08:45 AM
Hello @dhikra-marghli8
In the context of Cisco WLC, the preauthentication ACL and DNS serve different purposes, but they can be related in certain scenarios.
The preauthentication ACL is used to filter traffic before a client completes the full authentication process. It is applied during the preauthentication phase, allowing the WLC to filter traffic based on certain criteria before granting full network access to the client.
The preauth ACL doesn't have a direct proxy relationship. It primarily deals with filtering traffic based on IP addresses, protocols, or port numbers during the early stages of client association.
DNS is crucial for resolving domain names to IP addresses, and it plays a role in how clients connect to resources on the network. In a wireless environment, DNS might be involved when clients attempt to resolve domain names for the services they are trying to access.
If a preauth ACL is configured to filter traffic based on IP addresses or domains, DNS resolution could be affected. For example, if the preauth ACL blocks access to specific domains or IP addresses, DNS requests for those domains might not succeed, impacting the client's ability to connect to certain resources.
It's very important to carefully design and configure the preauth ACL to avoid unintended consequences. If DNS filtering is required for security or policy reasons, it should be included in the ACL with a clear understanding of how it might impact DNS resolution.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
01-04-2024 09:16 AM
There are two types of security in wireless.
One is L2 security.
The other is L3 security.
As the name says, L3 security works at layer 3.
This means the wifi client needs an IP to authenticate itself to the WLC via the web.
So we need preauth to let the wifi client get an IP from the DHCP server.
Now, after the wifi client gets an IP, it tries to connect to any HTTP website, and this needs DNS, so the client sends DNS requests, and hence we need to allow DNS via the preauth ACL.
After that, the WLC redirects the wifi client's traffic to the website to its own page (LWA) or the ISE page (CWA).
Here the wifi client sees the web auth page, and after entering the username and password and authenticating successfully it can access the internet normally.
MHM
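The flow described in the post above, modelled as a small first-match ACL check. This is an added example, not part of the original thread and not Cisco's implementation; the addresses, the `Rule` class, `evaluate` and `audit` are hypothetical, and the model assumes the ACL must explicitly permit DHCP, DNS and the login page (port 443 is an assumption).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None matches any port

def evaluate(acl, proto, dst_ip, dport):
    """First-match evaluation with an implicit deny at the end."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
DNS_SERVER, PORTAL, INTERNET_HOST = "192.0.2.53", "192.0.2.80", "203.0.113.10"

# Steps a client must complete before login: (label, proto, dst, port).
FLOW = [
    ("DHCP request", "udp", "255.255.255.255", 67),
    ("DNS lookup", "udp", DNS_SERVER, 53),
    ("login page", "tcp", PORTAL, 443),
]

def audit(acl):
    """Return the flow steps the ACL blocks and whether it leaks other traffic."""
    blocked = [label for label, proto, dst, port in FLOW
               if evaluate(acl, proto, dst, port) != "permit"]
    leaks = evaluate(acl, "tcp", INTERNET_HOST, 443) == "permit"
    return blocked, leaks

GOOD_ACL = [
    Rule("permit", "udp", "255.255.255.255/32", 67),
    Rule("permit", "udp", DNS_SERVER + "/32", 53),
    Rule("permit", "tcp", PORTAL + "/32", 443),
]
NO_DNS_ACL = [r for r in GOOD_ACL if r.dport != 53]        # client cannot resolve names
TOO_OPEN_ACL = GOOD_ACL + [Rule("permit", "any", "0.0.0.0/0", None)]  # bypasses login
```

`audit` returns the blocked steps and a leak flag, so an ACL that forgets DNS and one that permits everything before login both show up as failures.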
01-03-2024 11:27 PM
In central switching, yes; for FlexConnect, read point 3 onward under Procedure in this document
01-03-2024 11:33 PM
Hi
Thanks for your reply.
I don't understand you!
I would like more explanation of this point.
Thanks
01-04-2024 12:57 AM - edited 01-04-2024 12:59 AM
Preauth is needed for web auth.
LWA and CWA both need the wifi client to have an IP to connect to the proxy,
and so both need preauth to allow the client to get an IP and connect to DNS.
- Local web authentication (LWA): A method of redirection of guest users to a portal directly from the WLC. The redirection and pre-WebAuth ACL are locally configured on the WLC.
- Central web authentication (CWA): A method of redirection of guest users where the redirection URL and the redirect ACL are centrally configured on an external server (for example ISE) and communicated to the WLC via RADIUS. In central web authentication the redirect URL and redirect ACL are centrally located on an external server (such as RADIUS). The RADIUS server is the one that handles the authentication; it sends instructions to the WLC. In CWA, the WLC does not require a local web-auth certificate; only one certificate is needed, on the central web portal, and a central authentication server, such as ISE, is required.
MHM
01-04-2024 01:00 AM
What is the relationship of the proxy with the "Preauthentication ACL" in the WLC?
And please, what is the relationship of DNS with the Preauthentication ACL?
I await a reply.
Thanks
