Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

DPI ACL and Captive portal

  • 1.  DPI ACL and Captive portal

    Posted May 08, 2019 07:31 AM

    Hi,

    I'm trying to set up a wireless network for guests with an external captive portal. Guest users should be able to log in using Facebook and LinkedIn, so I'm trying to permit Facebook and LinkedIn in the initial role using a DPI ACL. The role config is the following:


    user-role PRUEBA-DPI-LOGON-USERROLE
    bw-contract LOGON-UP-BW per-user upstream
    bw-contract LOGON-DW-BW per-user downstream
    reauthentication-interval 1
    captive-portal "PRUEBA-DPI-CPORTAL"
    registration
    web-cc disable
    access-list session global-sacl
    access-list session apprf-PRUEBA-DPI-LOGON-USERROLE-sacl
    access-list session PRUEBA-DPI-ACL
    access-list session captiveportal

    The DPI ACL:

    ip access-list session PRUEBA-DPI-ACL
    any any app facebook permit
    any any app linkedin permit
    any any app facebook-apps permit


    My problem is the following: no matter the position of the ACL PRUEBA-DPI-ACL, if the guest user tries to reach Facebook or LinkedIn they are redirected to the captive portal (actually they receive a certificate error, but this is normal behavior).

    The captive portal ACL:

    ip access-list session captiveportal
    user alias controller svc-https dst-nat 8081 log
    user any svc-http dst-nat 8080 log
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088

    If I remove the following statement from the captive portal ACL, then users can reach Facebook and LinkedIn:

    no user any svc-https dst-nat 8081

    So my thought is that, for some reason, the HTTPS redirection rule under the captive portal ACL is taking preference over the DPI ACL, no matter the position of the DPI ACL.

    I have tried to configure the app rules under the global-sacl without luck, same behavior: if I have HTTPS redirection under the captive portal ACL, users cannot reach Facebook or LinkedIn.

    ip access-list session global-sacl
    any any app facebook permit
    any any app facebook-apps permit
    any any app linkedin permit

    Is there any way to achieve what I want?

    I need to keep HTTPS redirection for everything except Facebook and LinkedIn, and permit these apps and websites; other HTTPS sites should be redirected.

    Thanks for your help!

  • 2.  RE: DPI ACL and Captive portal
    Best Answer

    Posted May 09, 2019 03:58 AM

    Hi all,

    Reading some documentation, I have found the following:

    A session entry proceeds through two phases: the application detection phase (phase 1) and the post-application detection phase (phase 2). A session ACL is applied in phase 1 and in phase 2.

    In phase 1, if the session ACL lookup results in an L3/L4 ACE entry request, the traffic pertaining to the session is guided by this L3/L4 ACE entry. However, if the session ACL lookup results in an application/application category specific ACE entry, the enforcement is postponed until phase 2. Once the application is determined, the session ACL is re-applied with "application/application category" information to determine the final action on the traffic.

    Maybe this is the root cause of the observed behavior. The DPI ACL is processed in phase 2, and the other ACLs (captive portal) are processed in phase 1, so no matter if the DPI ACL is configured with higher priority, the captive portal ACL will always be processed first.

    Does anybody know if there is any way to achieve what I want? (permit the Facebook app and LinkedIn before HTTPS redirection in the captive portal ACL)

    Thanks for your help!
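The two-phase lookup quoted in the reply, together with the behaviour reported in the first post, can be modelled in a few lines. This is an added example written for this thread; it is not ArubaOS code and not a description of the controller's actual implementation. It assumes that in phase 1 application ACEs cannot match because the application is still unknown, that the first matching L3/L4 ACE then decides the session, and that a session is deferred to phase 2 only when no L3/L4 ACE matches but some application ACE could. The `SERVICE_PORTS` map (svc-http = TCP 80, svc-https = TCP 443), the `Ace` and `Flow` types and the `decide` function are all constructed for the example; the `alias controller` rule and the proxy-port rules of the posted captiveportal ACL are left out of the model.

```python
"""Toy model of the two-phase session-ACL lookup quoted in the reply above.

Constructed example for this thread, not ArubaOS code.  It encodes one reading
of the quoted documentation that is consistent with what the first post
observed; it makes no claim about the controller's real internals.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed alias -> TCP port map; the proxy aliases are not modelled.
SERVICE_PORTS = {"svc-http": 80, "svc-https": 443}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: an L3/L4 rule (service set) or an app rule (app set)."""
    src: str                        # "user" or "any"
    service: Optional[str] = None   # e.g. "svc-https"; None for app rules
    app: Optional[str] = None       # e.g. "facebook"; None for L3/L4 rules
    action: str = "permit"          # "permit", "deny", "dst-nat 8081", ...

    @property
    def is_app_rule(self) -> bool:
        return self.app is not None


@dataclass(frozen=True)
class Flow:
    """The part of a new session the model looks at."""
    dst_port: int
    from_user: bool = True          # matches the "user" source keyword


def l3l4_match(ace: Ace, flow: Flow) -> bool:
    """Source and service match, ignoring the application field."""
    if ace.src == "user" and not flow.from_user:
        return False
    return ace.service is None or SERVICE_PORTS.get(ace.service) == flow.dst_port


def phase1(acl: list, flow: Flow) -> str:
    """Session creation: the application is unknown, so app ACEs cannot match.
    The first matching L3/L4 ACE decides the action applied to the session's
    packets.  Only if no L3/L4 ACE matches and some app ACE could match later
    is the decision deferred ("detect") until DPI classifies the flow."""
    deferred = False
    for ace in acl:
        if ace.is_app_rule:
            deferred = deferred or l3l4_match(ace, flow)
            continue
        if l3l4_match(ace, flow):
            return ace.action
    return "detect" if deferred else "deny"


def phase2(acl: list, flow: Flow, app: str) -> str:
    """Re-lookup once the application is known; app ACEs can now match."""
    for ace in acl:
        if ace.is_app_rule and ace.app != app:
            continue
        if l3l4_match(ace, flow):
            return ace.action
    return "deny"


def decide(acl: list, flow: Flow, app: str) -> str:
    """Final outcome for a flow that DPI would eventually classify as `app`.
    A phase-1 L3/L4 action (e.g. dst-nat to the portal) is applied before the
    classification happens, so the app rules never get a chance to match."""
    first = phase1(acl, flow)
    return first if first != "detect" else phase2(acl, flow, app)


# The ACLs from the first post, reduced to what the model understands.
DPI_ACL = [Ace("any", app="facebook"), Ace("any", app="linkedin"),
           Ace("any", app="facebook-apps")]
CAPTIVE_PORTAL = [Ace("user", "svc-http", action="dst-nat 8080"),
                  Ace("user", "svc-https", action="dst-nat 8081")]

ROLE_AS_POSTED = DPI_ACL + CAPTIVE_PORTAL              # DPI ACL ahead of captiveportal
ROLE_REORDERED = CAPTIVE_PORTAL + DPI_ACL              # captiveportal ahead of DPI ACL
ROLE_WITHOUT_HTTPS_REDIRECT = DPI_ACL + [CAPTIVE_PORTAL[0]]  # svc-https dst-nat removed
HTTPS = Flow(dst_port=443)

if __name__ == "__main__":
    cases = [
        ("DPI ACL first, facebook", ROLE_AS_POSTED, "facebook"),
        ("captiveportal first, facebook", ROLE_REORDERED, "facebook"),
        ("no https redirect, facebook", ROLE_WITHOUT_HTTPS_REDIRECT, "facebook"),
        ("no https redirect, other app", ROLE_WITHOUT_HTTPS_REDIRECT, "other-app"),
    ]
    for name, acl, app in cases:
        print(f"{name:32s} -> {decide(acl, HTTPS, app)}")
```

Run as a script, the first two cases both come out as `dst-nat 8081` whatever the order of the two ACLs, which is the "no matter the position" result from the first post: the TLS session is redirected to the controller in phase 1, before DPI has anything to classify. The third case is the `permit` observed after removing the svc-https rule, and the fourth shows the cost of that change in this model: an HTTPS session to any other site is neither redirected nor permitted but falls to the implicit deny, so deleting the ACE does not meet the requirement stated in the first post.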