04-27-2021 08:28 PM - edited 07-05-2021 01:14 PM
Hello Everyone,
Scenario - The external WebAuth server is using port 8443. In the webauth parameter map, the redirect URL is set as https://External_WebAuth:8443/login.html
Two WebAuth ACLs (WA-Sec and WA-Int) are created automatically using redirect port 443, which does not work since 8443 is being used.
1. Inside the above ACLs I can modify 443 to 8443, but Update/Apply throws the below error.
CLI Line 2 no 20 CLI Line 2 CLI Line 2 Invalid input detected at marker Invalid input detected at marker.
Is there a way to edit the Extended ACL in CLI?
2. I can create a new ACL manually with port 8443. Not sure how to apply a manually created ACL to the SSID.
In the SSID - Security - Layer3, PreAuth ACL has None. Is this the place to select the new ACL? Not sure whether to select the new SEC ACL or the new INT ACL.
Thanks for your time and inputs.
04-27-2021 09:15 PM
Create a new Web Auth Parameter and, in the Advanced tab, copy/paste the ISE portal link into the (Redirect for log-in) field.
You can get the link from the ISE Sponsored Guest Portal.
Now, because the ISE portal is using TCP port 8443, which is not included in the "sec" ACL, we need to allow that by creating a new pre-Auth ACL and applying it to the WLAN as below:
conf t
ip access-list extended Local-External-WebAuth
permit tcp any host ISE_IP_ADDRESS eq 8443
permit tcp host ISE_IP_ADDRESS eq 8443 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any any
exit
And because we will use ISE to authenticate the users, we have to add the below:
conf t
aaa authentication webauth default group your_group_name
exit
Note: Named method lists are not supported for webauth.
From the SSID's Layer 3 tab, check Web Policy, select your Web Auth Parameter Map, set the Auth list to default and select the PreAuth ACL.
There is no need to select any AAA Auth List (802.1x authentication list name), since we already have that as "default" under the Layer 3 Auth list (Webauth Authentication List Name).
The policy profile can be anything, and there is no need for a pre-auth URL.
You will see two Auths in the ISE logs:
The first one is when ISE validates the username/password after the user types it into the ISE portal; no policy set is used here.
The second Auth is when the 9800 sends the username/password to ISE to validate them a "second time", and ISE uses the policy set to validate it.
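To check what the pre-auth ACL in this answer actually lets a guest do before login, here is an added example (not from the thread or from Cisco): a small first-match evaluator that parses the ACL lines above and evaluates the flows that matter for the redirect. ISE_IP and CLIENT are constructed placeholder addresses standing in for ISE_IP_ADDRESS and a guest client.

```python
# Added example (not from the thread): first-match evaluator for the pre-auth ACL
# above. ISE_IP and CLIENT are constructed placeholders, not real addresses.
ISE_IP, CLIENT = "10.0.0.5", "192.168.50.20"
NAMED_PORTS = {"domain": 53, "bootpc": 68, "bootps": 67}
ACL_TEXT = f"""
permit tcp any host {ISE_IP} eq 8443
permit tcp host {ISE_IP} eq 8443 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any any
"""

def _addr(t, i):
    # Matcher for 'any' or 'host A.B.C.D'; returns (matcher, next index).
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, w=t[i + 1]: ip == w), i + 2
    raise ValueError(f"unsupported address form: {t[i]}")

def _port(t, i):
    # Matcher for an optional 'eq <port|name>' qualifier.
    if i < len(t) and t[i] == "eq":
        want = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        return (lambda p, w=want: p == w), i + 2
    return (lambda p: True), i

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append((t[0], t[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """IOS semantics: first matching entry wins; implicit deny if none match."""
    for action, p, sm, spm, dm, dpm in rules:
        if p in ("ip", proto) and sm(src) and spm(sport) and dm(dst) and dpm(dport):
            return action
    return "deny"

def preauth_flows():
    """Flows a guest needs before login; 'deny' means held back for redirect."""
    rules = parse_acl(ACL_TEXT)
    return {
        "dhcp": evaluate(rules, "udp", CLIENT, 68, "255.255.255.255", 67),
        "portal_8443": evaluate(rules, "tcp", CLIENT, 51001, ISE_IP, 8443),
        "portal_443": evaluate(rules, "tcp", CLIENT, 51002, ISE_IP, 443),
        "internet": evaluate(rules, "tcp", CLIENT, 51003, "203.0.113.10", 443),
    }
```

The portal_443 result is the point of the thread: an ACL generated for port 443 never permits the 8443 portal connection, and vice versa, so the pre-auth ACL must name the port the redirect URL actually uses.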