02-14-2024 04:52 AM
We're using a 3rd party splash page for guest access. It's solely to capture name and email address.
Part of that configuration from the vendor includes a pre-authentication ACL. When the ACL is applied to the WLAN the client does not get a DHCP address. Packet capture show repeated DHCP Discover from IP 0.0.0.0 to 255.255.255.255.
Without the ACL the configuration works perfectly. The vendor mainly supports Meraki, but was successful getting it working on the 9800 before.
Here is a sanitized version.
ip access-list extended Guest-WLAN
5 permit ip any x.x.x.x 0.0.0.255 log */ actual subnet for WLAN
10 permit udp any host 10.5.5.10 eq domain log */ DHCP server with split scope
20 permit udp any host 10.3.1.48 eq domain log */ DHCP server with split scope
30 permit ip any host 94.237.61.81 log */ 3rd party external site for splash page
40 permit udp any host 8.8.8.8 eq domain log */ for external site
50 permit udp any host 8.8.4.4 eq domain log */ for external site
60 permit udp any host 192.168.0.1 eq domain log */ built-in splash IP
70 permit udp any any range 1812 1813 log */ ports used by external page
80 permit tcp any any range 1812 1813 log */ ports used by external page
90 permit ahp any any log
I'm missing something obvious, but am blind to it now.
Thanks in advance for any help!
02-14-2024 07:54 AM - edited 02-14-2024 07:57 AM
The DHCP process has 4 steps, commonly referred to as DORA - https://www.geeksforgeeks.org/how-dora-works/
Step 1 is always a broadcast from source IP 0.0.0.0 to destination 255.255.255.255, so you must allow that.
Second ....
10 permit udp any host 10.5.5.10 eq domain log */ DHCP server with split scope
20 permit udp any host 10.3.1.48 eq domain log */ DHCP server with split scope
Your comments suggest you intended these to be for your DHCP but you're matching on domain (=DNS)?
Why not take a look at the guide where the standard is to allow all DNS and DHCP traffic through the pre-auth ACL:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html
alz-9800#show ip access-list
Extended IP access list WA-sec-172.16.80.8
10 permit tcp any host 172.16.80.8 eq www
20 permit tcp any host 172.16.80.8 eq 443
30 permit tcp host 172.16.80.8 eq www any
40 permit tcp host 172.16.80.8 eq 443 any
50 permit tcp any any eq domain
60 permit udp any any eq domain
70 permit udp any any eq bootpc
80 permit udp any any eq bootps
90 deny ip any any (1288 matches)
ps: you should not be logging on those ACL entries as it will cause excessive CPU.
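As an added illustration (not code from the thread, from Cisco, or from the vendor), here is a small Python evaluator for the extended-ACL syntax quoted above; it runs the DHCP Discover from the OP's capture (UDP 0.0.0.0:68 to 255.255.255.255:67) through the OP's ACL and through the DNS/DHCP entries of the guide's reference ACL, showing that only the latter matches it (at "eq bootps") and that the OP's "eq domain" entries can only ever match port 53. The WLAN subnet 10.20.30.0/24 is a constructed stand-in for the sanitized x.x.x.x.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}  # service names used in this thread

def parse_ace(line):
    """Parse one extended ACE such as '70 permit udp any any eq bootpc log'. Understood: ip/udp/tcp/ahp,
    'any' / 'host A' / 'A wildcard', 'eq X', 'range A B'; a trailing 'log' or match counter is ignored."""
    toks = line.split()
    toks = toks[1:] if toks[0].isdigit() else toks              # drop the sequence number
    action, proto, toks = toks[0], toks[1], toks[2:]
    def addr():
        nonlocal toks
        if toks[0] == "any":
            toks = toks[1:]
            return ipaddress.ip_network("0.0.0.0/0")
        if toks[0] == "host":
            net, toks = ipaddress.ip_network(toks[1] + "/32"), toks[2:]
            return net
        # 'A wildcard': ipaddress reads a mask whose first octet is zero as a hostmask, i.e. a wildcard
        net, toks = ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]
        return net
    def ports():                                                 # (low, high); default = all ports
        nonlocal toks
        if toks and toks[0] in ("eq", "range"):
            n = 1 if toks[0] == "eq" else 2
            vals = [PORT_NAMES.get(t) or int(t) for t in toks[1:1 + n]]
            toks = toks[1 + n:]
            return (vals[0], vals[-1])
        return (0, 65535)
    return (action, proto, addr(), ports(), addr(), ports())    # evaluated left to right

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit 'deny ip any any' at the end, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in map(parse_ace, acl):
        if p in ("ip", proto) and s in snet and d in dnet and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return action
    return "deny"

# The OP's ACL (annotations and 'log' removed; 10.20.30.0 is a constructed stand-in for the sanitized
# WLAN subnet) next to the DNS/DHCP part of the reference ACL from the Cisco guide linked above.
OP_ACL = ["5 permit ip any 10.20.30.0 0.0.0.255", "10 permit udp any host 10.5.5.10 eq domain",
          "20 permit udp any host 10.3.1.48 eq domain", "30 permit ip any host 94.237.61.81",
          "40 permit udp any host 8.8.8.8 eq domain", "50 permit udp any host 8.8.4.4 eq domain",
          "60 permit udp any host 192.168.0.1 eq domain", "70 permit udp any any range 1812 1813",
          "80 permit tcp any any range 1812 1813", "90 permit ahp any any"]
GUIDE_ACL = ["50 permit tcp any any eq domain", "60 permit udp any any eq domain",
             "70 permit udp any any eq bootpc", "80 permit udp any any eq bootps", "90 deny ip any any"]

def dhcp_discover(acl):
    """The frame from the OP's capture: DHCP Discover, UDP 0.0.0.0:68 -> 255.255.255.255:67."""
    return evaluate(acl, "udp", "0.0.0.0", 68, "255.255.255.255", 67)   # OP_ACL: 'deny'; GUIDE_ACL: 'permit'
```

Swapping "eq domain" for "eq bootps" on the OP's lines 10 and 20 would still not help the Discover, because its destination is the broadcast address, not the DHCP server; that is why the guide uses "any any" for bootpc/bootps.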
02-14-2024 05:46 AM
- Presumably some of the ACL rules lead to the DHCP blocking; try adding them one by one to see where it stops and/or to identify the wrong rule; or in reverse: start with the complete ACL and remove rules one by one until DHCP works.
M.
02-14-2024 06:35 AM
permit udp any any range 67 68 <<- this is to allow DHCP
Why do you use eq domain? I don't know what this means.
MHM
02-14-2024 11:02 AM
Thanks all for suggestions.
I did try using ports 67 and 68 instead and 53. They didn't make a difference. After trying other things, this note from the EWA configuration page was the key.
"Note: When you add the Portal IPV4 Address information it automatically adds an ACL that allows the HTTP and HTTPS traffic from the wireless clients to the external web authentication server, so you do not have to configure any extra pre-auth ACL. In case you would like to allow several IP addresses or URLs, the only option is to configure a URL filter so that any IP matching given URL(s) are allowed before authentication takes place. It is not possible to statically add more than one portal IP address unless you use URL filters."
I removed this ACL and we're all set now.
Back to troubleshooting school for me.... lol