Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1978
Views
2
Helpful
4
Replies

WLC 9800-L Authorization failed Failure Reason ACL Failure

Go to solution
gregclark1
Level 1
Level 1

‎02-14-2024 04:52 AM

We're using a 3rd party splash page for guest access. It's solely to capture name and email address.

Part of that configuration from the vendor includes a pre-authentication ACL. When the ACL is applied to the WLAN the client does not get a DHCP address. Packet capture show repeated DHCP Discover from IP 0.0.0.0 to 255.255.255.255.

Without the ACL the configuration works perfectly. The vendor mainly supports Meraki, but was successful getting it working on the 9800 before.

Here is a sanitized version.

 


ip access-list extended Guest-WLAN
5 permit ip any x.x.x.x 0.0.0.255 log */ acutal subnet for WLAN
10 permit udp any host 10.5.5.10 eq domain log */ DHCP server with split scope
20 permit udp any host 10.3.1.48 eq domain log */ DHCP server with split scope
30 permit ip any host 94.237.61.81 log */ 3rd party external site for splash page
40 permit udp any host 8.8.8.8 eq domain log */ for external site
50 permit udp any host 8.8.4.4 eq domain log */ for external site
60 permit udp any host 192.168.0.1 eq domain log */ built-in splash IP
70 permit udp any any range 1812 1813 log */ ports used by external page
80 permit tcp any any range 1812 1813 log */ ports used by external page
90 permit ahp any any log

I'm missing something obvious, but am blind to it now.

 

Thanks in advance for any help!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP

‎02-14-2024 07:54 AM - edited ‎02-14-2024 07:57 AM

DHCP process has 4 steps commonly referred to as DORA - https://www.geeksforgeeks.org/how-dora-works/

Step number 1 is always a broadcast 0.0.0.0 source IP to 255.255.255.255 destination so you must allow that.

Second ....
10 permit udp any host 10.5.5.10 eq domain log */ DHCP server with split scope
20 permit udp any host 10.3.1.48 eq domain log */ DHCP server with split scope
Your comments suggest you intended these to be for your DHCP but you're matching on domain (=DNS)?

Why not take a look at the guide where the standard is to allow all DNS and DHCP traffic through the pre-auth ACL:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html

alz-9800#show ip access-list
Extended IP access list WA-sec-172.16.80.8
10 permit tcp any host 172.16.80.8 eq www
20 permit tcp any host 172.16.80.8 eq 443
30 permit tcp host 172.16.80.8 eq www any
40 permit tcp host 172.16.80.8 eq 443 any
50 permit tcp any any eq domain
60 permit udp any any eq domain
70 permit udp any any eq bootpc
80 permit udp any any eq bootps
90 deny ip any any (1288 matches)

ps: you should not be logging on those ACL entries as it will cause excessive CPU.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

4 Replies 4

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎02-14-2024 05:46 AM

 

 - Presumably some  of the ACL rules leads to the DHCP blocking ; try adding one by one to see 'where is stops' and or to identify the wrong rule ; or reverse : start with complete ACL list and remove one by one until DHCP works, 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎02-14-2024 06:35 AM

permit udp any any range 67 68 <<- this for allow DHCP
why you use eq domain ? I dont know what meaning of this 
MHM

0 Helpful

Go to solution
Rich R
VIP
VIP

‎02-14-2024 07:54 AM - edited ‎02-14-2024 07:57 AM

DHCP process has 4 steps commonly referred to as DORA - https://www.geeksforgeeks.org/how-dora-works/

Step number 1 is always a broadcast 0.0.0.0 source IP to 255.255.255.255 destination so you must allow that.

Second ....
10 permit udp any host 10.5.5.10 eq domain log */ DHCP server with split scope
20 permit udp any host 10.3.1.48 eq domain log */ DHCP server with split scope
Your comments suggest you intended these to be for your DHCP but you're matching on domain (=DNS)?

Why not take a look at the guide where the standard is to allow all DNS and DHCP traffic through the pre-auth ACL:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html

alz-9800#show ip access-list
Extended IP access list WA-sec-172.16.80.8
10 permit tcp any host 172.16.80.8 eq www
20 permit tcp any host 172.16.80.8 eq 443
30 permit tcp host 172.16.80.8 eq www any
40 permit tcp host 172.16.80.8 eq 443 any
50 permit tcp any any eq domain
60 permit udp any any eq domain
70 permit udp any any eq bootpc
80 permit udp any any eq bootps
90 deny ip any any (1288 matches)

ps: you should not be logging on those ACL entries as it will cause excessive CPU.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
gregclark1
Level 1
Level 1
In response to Rich R

‎02-14-2024 11:02 AM

Thanks all for suggestions.

I did try using ports 67 and 68 instead and 53. They didn't make a difference. After trying other things, this note from the EWA configuration page was the key.

"Note: When you add the Portal IPV4 Address information it automatically adds an ACL that allows the HTTP and HTTPS traffic from the wireless clients to the external web authentication server, so you do not have to configure any extra pre-auth ACL In case you would like to allow several IP addresses or URLs, the only option is to configure a URL filter so that any IP matching given URL(s) are allowed before authentication takes place. It is not possible to statically add more than one portal IP address unless you use URL filters."

I removed this ACL and we're all set now.

Back to troubleshooting school for me.... lol

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card