Preauthentication ACL for Web Auth

john.rossi.st
Level 1

Hi Experts,

Let's say that I want to configure a Preauthentication ACL to allow guest users to ping a server or resources on a particular subnet prior to web authentication.

If I specify the permit statement for ICMP, should I specify ANY direction, or should I specify an explicit INBOUND statement and then the inverse OUTBOUND statement for the permission of ICMP?

i.e.

1. In & Out in PERMIT

show acl detailed PreAuthACL

                         Source                             Destination                   Source Port  Dest Port
Index    Dir       IP Address/Netmask                 IP Address/Netmask       Prot      Range       Range    DSCP  Action        Counter
------ ---   ------------------------------- ------------------------------- ----   ----------- ----------- ----- ------- -----------
       1  In  192.168.167.0/255.255.255.0      192.168.139.10/255.255.255.255     1     0-65535       0-65535  Any Permit           0
       2 Out  192.168.139.10/255.255.255.255     192.168.167.0/255.255.255.0      1     0-65535       0-65535  Any Permit           0
       3 Any         0.0.0.0/0.0.0.0                   0.0.0.0/0.0.0.0            Any     0-65535     0-65535  Any     Deny       11677

2. ANY direction in permit

show acl detailed PreAuthACL

                         Source                             Destination                   Source Port  Dest Port
Index    Dir       IP Address/Netmask                 IP Address/Netmask       Prot      Range       Range    DSCP  Action        Counter
------ ---   ------------------------------- ------------------------------- ----   ----------- ----------- ----- ------- -----------
       1 Any  192.168.167.0/255.255.255.0    192.168.139.10/255.255.255.255       1     0-65535     0-65535  Any Permit             0
       2 Any  192.168.139.10/255.255.255.255     192.168.167.0/255.255.255.0      1     0-65535       0-65535  Any Permit           0
       3 Any         0.0.0.0/0.0.0.0                   0.0.0.0/0.0.0.0            Any     0-65535     0-65535  Any     Deny       11677

Does it matter which way I do this?

I believe both ACLs work, but it's important to identify SRC and DST in the statements.

Best Regards,

John

1 Reply

john.rossi.st
Level 1

Looking at document:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.pdf

It says:

These are some of the rules you need to understand before you configure an ACL on the WLC:

If the source and destination are any, the direction in which this ACL is applied can be any.

If either the source or destination are not any, then the direction of the filter must be specified, and an inverse statement in the opposite direction must be created.

The WLC's notion of inbound versus outbound is nonintuitive. It is from the perspective of the WLC facing towards the wireless client, rather than from the perspective of the client. So, inbound direction means a packet that comes into the WLC from the wireless client and outbound direction means a packet that exits from the WLC towards the wireless client.

There is an implicit deny at the end of the ACL.

I assume that means that only OPTION 1 is a valid configuration. Can someone help me clarify this?

Best Regards,

John
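The two PreAuthACL variants and the quoted WLC rules, modelled as an added example (this is not code from the thread or from Cisco): a validator that applies the documented rules (a line with a specific source or destination must carry an explicit direction and have an inverse line in the opposite direction) and an evaluator that walks the ACL first-match with the WLC's In/Out perspective and the implicit deny. The evaluator's treatment of a direction-Any line as matching either direction is an assumption of this model; netmasks are written as CIDR for brevity.

```python
# Added example, not from the post or Cisco: model of the documented WLC pre-auth ACL rules.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    direction: str  # "In" = client -> WLC, "Out" = WLC -> client, or "Any"
    src: str        # CIDR (the WLC shows a netmask instead); "0.0.0.0/0" means any
    dst: str
    proto: str      # "1" for ICMP, "Any" for any protocol
    action: str     # "Permit" or "Deny"

def is_any(net: str) -> bool:
    return ipaddress.ip_network(net) == ipaddress.ip_network("0.0.0.0/0")

def validate(acl):
    """Return the documented-rule violations (empty list when the ACL follows them)."""
    problems = []
    for i, r in enumerate(acl, 1):
        if is_any(r.src) and is_any(r.dst):
            continue                       # any/any lines may use direction Any
        if r.direction == "Any":
            problems.append(f"line {i}: specific src/dst but direction is Any")
            continue
        opposite = "Out" if r.direction == "In" else "In"
        if Rule(opposite, r.dst, r.src, r.proto, r.action) not in acl:
            problems.append(f"line {i}: no inverse statement in the opposite direction")
    return problems

def evaluate(acl, direction, src_ip, dst_ip, proto):
    """First matching line wins; nothing matching falls to the implicit deny."""
    for r in acl:
        if r.direction not in ("Any", direction) or r.proto not in ("Any", proto):
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.src):
            continue
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r.dst):
            continue
        return r.action
    return "Deny"  # implicit deny at the end of the ACL

# Option 1 from the post: explicit In/Out pair for ICMP, then deny-all.
OPTION1 = [Rule("In", "192.168.167.0/24", "192.168.139.10/32", "1", "Permit"),
           Rule("Out", "192.168.139.10/32", "192.168.167.0/24", "1", "Permit"),
           Rule("Any", "0.0.0.0/0", "0.0.0.0/0", "Any", "Deny")]
# Option 2 from the post: same addresses, but direction Any on both permit lines.
OPTION2 = [Rule("Any", "192.168.167.0/24", "192.168.139.10/32", "1", "Permit"),
           Rule("Any", "192.168.139.10/32", "192.168.167.0/24", "1", "Permit"),
           Rule("Any", "0.0.0.0/0", "0.0.0.0/0", "Any", "Deny")]

if __name__ == "__main__":
    print("option 1:", validate(OPTION1) or "follows the documented rules")
    print("option 2:", validate(OPTION2))
    # constructed guest client 192.168.167.25: echo request In, echo reply Out
    print(evaluate(OPTION1, "In", "192.168.167.25", "192.168.139.10", "1"),
          evaluate(OPTION1, "Out", "192.168.139.10", "192.168.167.25", "1"))
```

Running it shows option 1 passing validation while option 2 is flagged on both permit lines, and that under option 1 the ICMP request (In) and reply (Out) are permitted while any other protocol, or ICMP in the wrong direction, hits the deny-all line.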
