Hi,
I'm trying to set up a wireless network for guests with an external captive portal. Guest users should be able to log in using Facebook and LinkedIn, so I'm trying to permit Facebook and LinkedIn in the initial role using a DPI ACL. The role config is the following:
user-role PRUEBA-DPI-LOGON-USERROLE
  bw-contract LOGON-UP-BW per-user upstream
  bw-contract LOGON-DW-BW per-user downstream
  reauthentication-interval 1
  captive-portal "PRUEBA-DPI-CPORTAL"
  registration
  web-cc disable
  access-list session global-sacl
  access-list session apprf-PRUEBA-DPI-LOGON-USERROLE-sacl
  access-list session PRUEBA-DPI-ACL
  access-list session captiveportal
The DPI ACL:
ip access-list session PRUEBA-DPI-ACL
  any any app facebook permit
  any any app linkedin permit
  any any app facebook-apps permit
My problem is the following: no matter the position of the ACL PRUEBA-DPI-ACL, if the guest user tries to reach Facebook or LinkedIn, they are redirected to the captive portal. (Actually they receive a certificate error, but this is normal behavior.)
Captive portal ACL:
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081 log
  user any svc-http dst-nat 8080 log
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
If I remove the following statement from the captive portal ACL, then users can reach Facebook and LinkedIn:
  no user any svc-https dst-nat 8081
So my thought is that, for some reason, the HTTPS redirection rule under the captive portal ACL is taking precedence over the DPI ACL, no matter the position of the DPI ACL.
I have tried to configure the app rules under the global-sacl without luck. Same behavior: if I have HTTPS redirection under the captive portal ACL, users cannot reach Facebook or LinkedIn.
ip access-list session global-sacl
  any any app facebook permit
  any any app facebook-apps permit
  any any app linkedin permit
Is there any way to achieve what I want?
I need to keep HTTPS redirection for everything except Facebook and LinkedIn, and permit these apps and websites. Other HTTPS sites should be redirected.
Thanks for your help!