cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
778
Views
5
Helpful
1
Replies

Unable to modify 9800 External WebAuth ACL

yprasannas
Level 1
Level 1

Hello Everyone,

 

Scenario - External WebAuth server is using port 8443. In webauth parameter map -redirect url used set as https://External_WebAuth:8443/login.html

 

Two WebAuth ACLs (WA-Sec and WA-Int) are created automatically using redirect port 443 which does not work since 8443 is being used.

 

1. Inside the above ACLs I can modify 443 to 8443 but update/Apply throws below error. 

Error in Configuring ACL

CLI Line 2 no 20 CLI Line 2 CLI Line 2 Invalid input detected at marker Invalid input detected at marker.

 

Is there a way to edit the Extended ACL in CLI?

 

2.  I can create manually new ACL with port 8443. Not sure how to apply manually created ACL to SSID.

 

In the SSID - Security-Layer3- PreAuth ACL has None. Is this the place to select new ACL? Not sure to select new SEC ACL or new INT ACL.

 

Thanks for your time and inputs

 

 

1 Accepted Solution

Accepted Solutions

Grendizer
Cisco Employee
Cisco Employee

Create a new Web Auth Parameter and in advanced tab copy/paste the ISE portal link to (Redirect for log-in) feild
you can get the link from ISE Sponsored Guest Portal
Now, because ISE portal is using TCP port 8443 which is not included in the “sec” ACL, we need to allow that by creating a new pre-Auth ACL and apply it to the WLAN as below:

conf t
ip access-list extended Local-External-WebAuth
permit tcp any host ISE_IP_ADDRESS eq 8443
permit tcp host ISE_IP_ADDRESS eq 8443 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any any
exit

And because we will use ISE to authenticate the users we have to add the below:
conf t
aaa authentication webauth default group your_group_name
exit

Note: Named Method lists is not supported for webauth

from SSID L3 check the Web Policy and select your Web Auth Parameter Map and select the Auth list as default and select the PreAuth ACL
and no need to select any AAA Auth List (802.1x authentication list name) since we already have that as “default” under the Layer3 Auth list (Webauth Authentication List Name)

The policy profile can be anything and there is no need for pre auth url.

You will see two Auth in ISE Logs:
The first one when ise validate the username/password of the user when the user typed it in ISE portal, no policy set will be used here.
The second Auth when the 9800 send the username/pass to ISE to validate those “second time” and ISE will use the policy set to validate it.

View solution in original post

1 Reply 1

Grendizer
Cisco Employee
Cisco Employee

Create a new Web Auth Parameter and in advanced tab copy/paste the ISE portal link to (Redirect for log-in) feild
you can get the link from ISE Sponsored Guest Portal
Now, because ISE portal is using TCP port 8443 which is not included in the “sec” ACL, we need to allow that by creating a new pre-Auth ACL and apply it to the WLAN as below:

conf t
ip access-list extended Local-External-WebAuth
permit tcp any host ISE_IP_ADDRESS eq 8443
permit tcp host ISE_IP_ADDRESS eq 8443 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any any
exit

And because we will use ISE to authenticate the users we have to add the below:
conf t
aaa authentication webauth default group your_group_name
exit

Note: Named Method lists is not supported for webauth

from SSID L3 check the Web Policy and select your Web Auth Parameter Map and select the Auth list as default and select the PreAuth ACL
and no need to select any AAA Auth List (802.1x authentication list name) since we already have that as “default” under the Layer3 Auth list (Webauth Authentication List Name)

The policy profile can be anything and there is no need for pre auth url.

You will see two Auth in ISE Logs:
The first one when ise validate the username/password of the user when the user typed it in ISE portal, no policy set will be used here.
The second Auth when the 9800 send the username/pass to ISE to validate those “second time” and ISE will use the policy set to validate it.

Review Cisco Networking for a $25 gift card