Hi, sorry for the long question:
We have set up an externally hosted captive portal with RADIUS authentication using the Campus WLAN wizard.
We have the 512-AP PEFNG firewall installed, and a few domains are whitelisted as a PEFNG firewall Destination, with that destination whitelisted under the L3 Authorization tab of the captive portal profile.
The whitelisted domains consist of facebook.com, twitter.com, twimg.com, fbcdn.net, etc., i.e. common social media sites.
Our WiFi clients are being served the splash page, but can only go to facebook.com to complete the authentication if we add "svc-https" (which just allows all port 443 traffic through) to the AAA pre-authentication user role. This unfortunately enables all HTTPS access. If we do not add "svc-https" to the pre-authentication user role's access control list, the client cannot be forwarded to facebook.com or twitter.com (page load dropped or timed out), even though it is allowed as a whitelisted destination under L3 authentication.
We have also tried to create an inverted firewall destination rule, which rejects HTTPS traffic to all domains other than facebook.com, fbcdn.net, akamaihd.net, etc., i.e. the domains necessary for Facebook login. This also does not work. Without completing the authentication, the client can still access HTTPS resources such as https://youtube.com/ as long as the svc-https rule is there (which is needed for them to get to facebook.com to complete sign-in).
We have tried putting the access rule before and after svc-https; it does not change a thing, domain whitelisting is not working.
The situation is as if the PEFNG Destination domains are being ignored, even though we have definitely specified them under the AAA pre-auth role.
If we allow all HTTPS communication through, the clients can authenticate properly with Facebook, with the correct RADIUS authentication following after that, and everything works. The only issue we have is that we have to allow all HTTPS communication in order for the client to get to external social media sites. PEFNG-based domain whitelisting is being ignored.
We have set up a very similar setup before, also using the Campus WLAN wizard, and we did not have any problem back then. This current setup is behind a switch and all clients are being assigned to VLAN ID 500. Not sure if that changes anything, but as long as we enable all HTTPS communication, everything works.
Is there some other setting we are missing in order to make the controller apply the domain-based Destination whitelist? We see that the first access role created by the controller already whitelists HTTP/HTTPS traffic to the whitelisted domains that we have under Stateful Firewall -> Destination.
It seems the access role is only applying IP/port-based whitelisting rather than domain-based whitelisting.
Thanks
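Added example, not part of the original post and not Aruba's code: a small Python model of the pre-auth role ACL described above, written to show the difference between an IP/port rule such as svc-https and a name-based destination. It assumes (an assumption about how such a controller behaves, not something the post states) that a name-based destination only contains addresses learned from DNS replies the firewall itself sees, so a flow to an address it never saw in a reply falls through to the plain IP/port rules. The domain names, addresses (RFC 5737 documentation ranges), rule names and the `svc-https`/`social-whitelist` labels are constructed for the example.

```python
"""Model of a pre-auth role ACL containing a name-based destination.

Constructed example, not Aruba code. Assumption: a name-based destination
is populated with IP addresses only from DNS replies the firewall observes;
flows to addresses never seen in a reply can match only IP/port rules.
Names and addresses are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass, field

ANY = "any"  # wildcard for destination or port


@dataclass
class NameDestination:
    """Destination alias defined by domain names, resolved by DNS snooping (assumed)."""
    names: frozenset
    learned: dict = field(default_factory=dict)  # ip -> qname it was learned from

    def matches_name(self, qname):
        # exact match or subdomain (static.fbcdn.net matches fbcdn.net)
        return any(qname == n or qname.endswith("." + n) for n in self.names)

    def snoop_dns(self, qname, answers):
        """Feed one DNS reply the firewall saw; True if it populated the destination."""
        if not self.matches_name(qname):
            return False
        for ip in answers:
            self.learned[ip] = qname
        return True

    def contains(self, ip):
        return ip in self.learned


@dataclass
class Rule:
    name: str
    action: str    # "permit" or "deny"
    dst: object    # NameDestination or ANY
    ports: object  # set of TCP ports or ANY


class RoleAcl:
    """Ordered rule list: first match wins, implicit deny at the end."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, dst_ip, dport):
        for r in self.rules:
            if r.ports is not ANY and dport not in r.ports:
                continue
            if r.dst is not ANY and not r.dst.contains(dst_ip):
                continue
            return r.action, r.name
        return "deny", "implicit-deny"


def build_preauth_role(svc_https):
    """Pre-auth role: DNS, the social-media name destination, optionally svc-https."""
    social = NameDestination(frozenset({"facebook.com", "fbcdn.net",
                                        "twitter.com", "twimg.com"}))
    rules = [Rule("dns", "permit", ANY, {53}),
             Rule("social-whitelist", "permit", social, {80, 443})]
    if svc_https:
        rules.append(Rule("svc-https", "permit", ANY, {443}))  # allows all 443
    rules.append(Rule("deny-all", "deny", ANY, ANY))
    return RoleAcl(rules), social


def run_scenario(svc_https):
    """Replay constructed client flows and return the verdict for each."""
    acl, social = build_preauth_role(svc_https)
    fb_ip, fb_unseen_ip, yt_ip = "203.0.113.10", "203.0.113.11", "198.51.100.7"
    out = {}
    # 1. TLS to facebook.com before the firewall has seen any DNS reply for it
    out["fb_before_dns"] = acl.evaluate(fb_ip, 443)
    # 2. the firewall snoops the client's DNS reply; the destination now has the IP
    social.snoop_dns("facebook.com", [fb_ip])
    out["fb_after_dns"] = acl.evaluate(fb_ip, 443)
    # 3. a Facebook CDN address the firewall never saw in a reply (cached or off-path resolver)
    out["fb_unseen_ip"] = acl.evaluate(fb_unseen_ip, 443)
    # 4. an unrelated HTTPS site; its DNS reply is seen but the name is not whitelisted
    social.snoop_dns("youtube.com", [yt_ip])
    out["youtube"] = acl.evaluate(yt_ip, 443)
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print("svc-https" if flag else "no svc-https", run_scenario(flag))
```

In the model, every address the firewall never saw in a DNS reply is reachable only through svc-https, and with svc-https present everything on 443 (including youtube.com) is permitted, which is the symptom described in the post. If the controller behaves this way, the first check a practitioner would want is whether the clients' DNS replies on VLAN 500 actually traverse the controller, and whether the addresses the clients connect to are the ones in those replies.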