12-29-2013 12:28 AM - edited 07-04-2021 11:51 PM
Hello,
I'm doing some experiment on a test SSID to configure ACL for limited resources on our Wired/Wireless network.
I'm using and would like to use the Web Authentication page. I have created an ACL under Access Control List named ICT. Within it, I have created ACL rules as follows:
| Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | Number of Hits |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Permit | 1.1.1.1/32 | 0.0.0.0/0.0.0.0 | TCP | Any | Any | Any | Outbound | |
| 2 | Permit | 0.0.0.0/32 | 1.1.1.1/32 | TCP | Any | Any | Any | Inbound | |
| 3 | Permit | 0.0.0.0/32 | 192.168.10.190/32 | UDP | DNS | Any | Any | Inbound | |
| 4 | Permit | 192.168.10.190/32 | 0.0.0.0/0.0.0.0 | UDP | DNS | Any | Any | Outbound | |
| 5 | Permit | 0.0.0.0/32 | Proxy-vIP/32 | Any | Any | Any | Any | Inbound | |
| 6 | Permit | Proxy-vIP/32 | 0.0.0.0/0.0.0.0 | Any | Any | Any | Any | Outbound | |
The authentication page comes up fine, but as soon as I enter the username and password correctly, the page doesn't redirect and IE shows the error "The page cannot be displayed".
In the Edit page of the WLAN -> Security -> Layer 3, I have selected the Preauthentication ACL as ICT, but I still can't browse the Internet.
Any help, highly appreciated.
Regards,
12-29-2013 01:19 AM
Hi,
I have changed the proxy rule to point to the proxy port itself, but it still doesn't work:
| Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | Number of Hits |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Permit | 1.1.1.1/32 | 0.0.0.0/0.0.0.0 | TCP | Any | Any | Any | Outbound | |
| 2 | Permit | 0.0.0.0/32 | 1.1.1.1/32 | TCP | Any | Any | Any | Inbound | |
| 3 | Permit | 0.0.0.0/32 | 192.168.10.190/32 | UDP | DNS | Any | Any | Inbound | |
| 4 | Permit | 192.168.10.190/32 | 0.0.0.0/0.0.0.0 | UDP | DNS | Any | Any | Outbound | |
| 5 | Permit | 0.0.0.0/32 | Proxy-vIP/32 | TCP | 8080 | Any | Any | Inbound | |
| 6 | Permit | Proxy-vIP/32 | 0.0.0.0/0.0.0.0 | TCP | 8080 | Any | Any | Outbound | |
12-29-2013 05:46 AM
Hello, yes, it works fine without the proxy, as we just configured PBR for WebSense.
Is there any way to configure an Auth-ACL?
12-29-2013 05:41 AM
Does it work without ACL?
Did you enter the right proxy settings in your browser to be sure?
---
Posted by WebUser Erik Boss from Cisco Support Community App
12-29-2013 06:18 AM
If you are looking to limit resources, why do it as a pre-auth ACL? Just use a normal ACL linked to the interface to allow what the users can have access to.
Pre-auth ACLs are to allow the user to do something prior to authenticating, like reach an external web server.
Steve
Sent from Cisco Technical Support iPhone App
12-29-2013 08:42 AM
Hello,
The purpose of this is to have three separate SSIDs, each with access to different resources. I have created one SSID for testing and experimenting. I've just started creating ACLs and linking them to the interface and to the SSID as well, and I'm facing this issue: the client connected to that SSID cannot access the Internet.
Other ACLs such as DHCP and ICMP ping are working fine. I have managed to create a rule that lets the client reach the authentication page, but when the username and password are supplied, the page doesn't redirect to the external destination.
Any help?
12-29-2013 10:08 AM
I'm a few beers into the holiday week...
But DHCP will always work, because the WLC ACL doesn't and can't block broadcast and multicast traffic.
That traffic flows regardless. When you use the proxy, do the packets get written to the proxy server? For giggles, do a permit any any in line 7.
As Steve mentioned, the pre-auth ACL is used for different purposes, not what you are trying to do.
Sent from Cisco Technical Support iPad App
12-29-2013 10:07 AM
and to block the data directly... Your option is also possible steprodr. But you're using the wireless network and then blocks it. Wasting your wireless bandwidth.
---
Posted by WebUser Erik Boss from Cisco Support Community App
12-29-2013 10:20 AM
Could you please elaborate? Where should it be blocked then? At the core switch level?
Sent from Cisco Technical Support Android App
12-29-2013 09:44 PM
Hello,
I think this document is the one I'm supposed to follow:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080c02f1e.shtml
Let me see how this can be done and I will update you guys.
Regards,
12-29-2013 10:45 PM
Hello,
The Web Authentication proxy is for organizations that have an explicit proxy configured in their browsers and want to implement the authentication page from the WLC. Sorry, this solution is not for what I intend to do.
I have created a test ACL as below and the Internet started working, but this rule is effectively nothing, because I started reaching everything on other VLANs.
12-29-2013 11:52 PM
Hello,
I have installed Wireshark on the testing machine to see what's going on when an ACL with limited ports to the destination is applied, and with an ACL having:
Source = Any
Destination = Any
Protocol = Any
DSCP = Any
Direction = Any
Action = Permit
When this ACL is applied, the client immediately reaches the proxy and is presented with the authentication page prompt.
In Wireshark, I can see source port 54492, destination port http-alt 8080, from the client IP address to the WebSense proxy on the physical interface, not the virtual interface.
Is there anything that can be done about this?
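An added example, not from the thread, that runs the second rule set posted above through a simple first-match ACL model against the flow seen in Wireshark (client port 54492 to proxy port 8080); the proxy and client addresses are placeholders, and it assumes the WLC convention that Inbound is traffic from the wireless client and Outbound is traffic toward it. It also shows the same two rules with the 8080 port on the proxy's side of the connection, which is the difference the capture points at.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    seq: int
    action: str      # "permit" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    proto: str       # "tcp", "udp" or "any"
    sport: object    # port number or "any"
    dport: object    # port number or "any"
    direction: str   # "inbound" (from client), "outbound" (to client) or "any"

def _net_ok(cidr, ip):
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _field_ok(rule_val, pkt_val):
    return rule_val == ANY or rule_val == pkt_val

def evaluate(rules, pkt):
    """Return (action, seq) of the first matching rule; no match means the implicit deny."""
    for r in rules:
        if (_net_ok(r.src, pkt["src"]) and _net_ok(r.dst, pkt["dst"])
                and _field_ok(r.proto, pkt["proto"])
                and _field_ok(r.sport, pkt["sport"]) and _field_ok(r.dport, pkt["dport"])
                and _field_ok(r.direction, pkt["direction"])):
            return r.action, r.seq
    return "deny", None

PROXY = "10.0.0.80"        # placeholder for the thread's "Proxy-vIP"
CLIENT = "192.168.10.50"   # constructed wireless client address

# Rules 5 and 6 as posted: 8080 sits in the Source Port column for both directions.
AS_POSTED = [
    Rule(5, "permit", ANY, PROXY + "/32", "tcp", 8080, ANY, "inbound"),
    Rule(6, "permit", PROXY + "/32", ANY, "tcp", 8080, ANY, "outbound"),
]
# Same rules with 8080 as the destination port on the client-to-proxy leg.
CORRECTED = [
    Rule(5, "permit", ANY, PROXY + "/32", "tcp", ANY, 8080, "inbound"),
    Rule(6, "permit", PROXY + "/32", ANY, "tcp", 8080, ANY, "outbound"),
]

# The flow from the capture: ephemeral client port 54492 to proxy port 8080, and its reply.
REQUEST = {"src": CLIENT, "dst": PROXY, "proto": "tcp", "sport": 54492, "dport": 8080, "direction": "inbound"}
REPLY = {"src": PROXY, "dst": CLIENT, "proto": "tcp", "sport": 8080, "dport": 54492, "direction": "outbound"}

if __name__ == "__main__":
    print("as posted:", evaluate(AS_POSTED, REQUEST), evaluate(AS_POSTED, REPLY))
    print("corrected:", evaluate(CORRECTED, REQUEST), evaluate(CORRECTED, REPLY))
```

Checking the posted rule set against the request leg is the test to run before touching the pre-auth ACL: the client's SYN never matches rule 5, so it falls to the implicit deny even though the reply leg would be permitted.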