DNS-Based Access Control Lists

A DNS-based access control list is a wireless network security feature that

  • allows administrators to permit or deny wireless client access to resources based on DNS domain names

  • dynamically learns allowed or denied IP addresses through DNS snooping on access points, and

  • enables pre-authentication and post-authentication URL filtering for enhanced client security.

DNS-based ACLs are used for wireless client devices. You can set pre-authentication ACLs on the Cisco Catalyst 9800 Series Wireless Controller to determine which data requests are allowed or blocked.

To enable DNS-based ACLs on the controller, configure the allowed or denied URLs for the ACLs. The URLs need to be pre-configured on the ACL.

During the registration phase, DNS-based ACLs allow the client to connect only to the configured URLs. The ACL is configured on the controller under the name that the AAA server returns. If the AAA server returns the ACL name, the controller applies that ACL to the client for web redirection.

During client authentication, the AAA server returns the pre-authentication ACL (url-redirect-acl), which is the attribute name assigned to the ACL by the AAA server. The AP performs DNS snooping for each client until registration is complete and the client reaches the SUPPLICANT PROVISIONING state. When the controller receives the ACL configured with URLs, it sends a CAPWAP payload to the access point to enable DNS snooping for those URLs.

After URL snooping is enabled, the access point learns the IP address of the resolved domain name from the DNS response. If the domain name matches the configured URL, the access point parses the DNS response for the IP address and sends the IP address to the controller as a CAPWAP payload. The controller adds the IP address to the allowed list, which enables the client to access the configured URLs.

URL filtering allows access to the learned IP address on TCP ports 80 (HTTP) and 443 (HTTPS) only.

During pre-authentication or post-authentication, the DNS ACL is applied to the client in the AP. If the client roams from one AP to another AP, the DNS-learned IP addresses from the previous access point remain valid on the new AP.


Note


Standard URL filtering is used for local mode, whereas enhanced URL filtering is used for FlexConnect local switching.



Note


Attach the URL filter to a policy profile for local mode. In FlexConnect mode, attach the URL filter to the flex profile; attaching it to a policy profile is not required.



Note


DNS-based URLs require an active DNS query from the client. For URL filtering to work, configure DNS settings correctly.



Note


The URL filter takes precedence over punt or redirect ACLs, as well as custom or static pre-authentication ACLs.


Define ACLs

Extended ACLs are similar to standard ACLs, but they identify traffic more precisely.

  • These commands allow you to define ACLs by name or by identification number.
    Device(config)#ip access-list extended ?
    <100-199> Extended IP access-list number
    <2000-2699> Extended IP access-list number (expanded range)
    WORD Access-list name
  • This is the structure of a CLI ACL statement:

    <sequence number> [permit/deny] <protocol> <address or any> eq <port number> <subnet> <wildcard>
  • For example:

    1 permit tcp any eq www 192.168.1.0 0.0.0.255

The sequence number specifies where to insert the Access Control List Entry (ACE) in the order of ACEs within the ACL. You can define your statements using sequence numbers such as 10, 20, 30, 40, and so on.
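To make the first-match semantics concrete, here is a small evaluator for extended ACEs written for this page (an added example, not controller code): it parses ACEs in the syntax shown above, orders them by sequence number, applies the wildcard masks and falls through to the implicit deny at the end of every IOS ACL. The four-line ACL, the named-port table and the flows are constructed for the example; IOS accepts more keywords than the subset parsed here.

```python
"""Added example: first-match evaluation of IOS-style extended ACEs.
Not controller code; the ACL, the port-name table and the flows below are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the port names the IOS CLI accepts in place of a number (assumed).
NAMED_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    src_port: Optional[int]
    dst: Tuple[int, int]
    dst_port: Optional[int]


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return int(port) if port.isdigit() else NAMED_PORTS[port]
    return None


def parse_ace(line):
    """Parse '<seq> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    tokens = line.split()
    seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    src_port = _parse_port(tokens)
    dst = _parse_addr(tokens)
    dst_port = _parse_port(tokens)
    return Ace(seq, action, proto, src, src_port, dst, dst_port)


def _addr_matches(spec, ip):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'do not care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(acl_lines, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (action, seq) of the first matching ACE in sequence order, or
    ('deny', None) when nothing matches: the implicit deny."""
    for ace in sorted((parse_ace(line) for line in acl_lines), key=lambda a: a.seq):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_matches(ace.src, src_ip) or not _addr_matches(ace.dst, dst_ip):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


# Constructed pre-authentication ACL, entered out of order on purpose: the
# sequence number, not the typing order, decides precedence.
PREAUTH_ACL = [
    "30 permit tcp 192.168.1.0 0.0.0.255 any eq 443",
    "10 permit udp any any eq domain",
    "20 deny ip any host 192.168.1.254",
    "1 permit tcp any eq www 192.168.1.0 0.0.0.255",
]

if __name__ == "__main__":
    # Hits the deny at seq 20 before the permit at seq 30 can apply.
    print(evaluate(PREAUTH_ACL, "tcp", "192.168.1.10", 40000, "192.168.1.254", 443))
    # No ACE matches a source outside 192.168.1.0/24: implicit deny.
    print(evaluate(PREAUTH_ACL, "tcp", "10.0.0.5", 40000, "93.184.216.34", 443))
```

The second call is the case practitioners trip over: a pre-auth ACL that forgets DNS or the portal's return traffic silently drops it on the implicit deny, with no ACE to point at.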

The controller GUI allows you to write a complete ACL by going to the Configuration > Security > ACL page. You can view a list of protocols to choose from and make changes to an existing ACL.

Methods for applying ACLs

These are the ways to apply ACLs:

Security ACL: A security ACL defines the types of traffic to allow through the device and the types to block or drop. A security ACL can be applied in various scenarios:

  • On SVI interfaces: The ACL is evaluated only against traffic routed through the interface.
    Device(config)# interface Vlan<number>
    Device(config-if)# ip access-group myACL in/out
  • On a physical interface of the controller: The ACL is evaluated against all traffic passing through the interface. Besides what an SVI ACL covers, this also restricts traffic to the controller management plane.
    Device(config)#interface GigabitEthernet1
    Device(config-if)#ip access-group myACL in/out

  • In the wireless policy profile or WLAN: You can configure an ACL to apply to wireless client traffic in cases of central or local traffic switching. These ACLs are supported only in the inbound direction.
  • On the AP during FlexConnect local switching: The ACL is configured and applied from the policy profile on the controller. The ACL must be downloaded to the AP through the FlexConnect profile before it can be applied. Fabric mode APs in Software Defined Access also use Flex ACLs, even though these APs are not operating in FlexConnect mode.

A punt ACL or redirect ACL specifies which traffic is sent to the CPU for further processing instead of normal handling by the dataplane. For example, the Central Web Authentication (CWA) redirect ACL determines which traffic is intercepted and redirected to the web login portal. The ACL does not define traffic to drop or allow. It follows normal processing or forwarding rules and identifies what is sent to the CPU for interception.

A redirect ACL includes an implicit deny statement at the end. This security access list entry drops any traffic not explicitly allowed or sent to the CPU.

URL filters

A URL filter is a wireless network access control feature that

  • restricts access to websites based on specified URLs

  • can operate before or after client authentication, and

  • is applied together with an IP-based ACL for granular access control.

There are two types of URL filters:

  • Standard: Standard URL filters can be applied before client authentication (pre-auth) or after a successful client authentication (post-auth). Pre-auth filters are extremely useful for external web authentication because they allow access to the external login page and some internal websites before authentication takes place. After authentication, filters can block specific websites or allow only selected websites, while all other websites are blocked by default. After authentication, this type of URL filtering can be handled more flexibly by using Cisco DNS Layer Security (formerly called Umbrella). The standard URL filters apply the same action (permit or deny) for the whole list of URLs. It is either all permit or all deny. Standard URL filters work only on local mode APs.

  • Enhanced: Enhanced URL filters allow you to specify a different action (deny or permit) for each URL in the list and include per-URL hit counters. Enhanced URL filters work only on FlexConnect mode APs.

In both types of URL filters, you can use a wildcard sub-domain such as *.cisco.com. URL filters are standalone features but are always applied together with an IP-based ACL. A maximum of 20 URLs are supported in a given URL filter. Because one URL can resolve to multiple IP addresses, each client can track up to 40 resolved IP addresses. URL filters track only DNS records. The controller or APs do not track the resolved IP address if the DNS response uses a CNAME alias record.


Note


If a POST-type URL filter and an IP ACL are both applied to a policy profile, the ACL blocks traffic to the URLs unless it contains permit statements for them: the URL filter may permit a site while the ACL, which has no permit entry for that site's addresses, still drops the traffic. We recommend adding permit statements to the ACL for the IP addresses of the URLs rather than relying on the POST URL filter alone.


Restrictions on DNS-based access control lists

Restrictions for DNS-based ACLs

  • In local modes, both Pre-authentication and Post-authentication filters are supported. In Flex (Fabric) mode, only the Pre-authentication filter is supported. ACL override pushed from ISE is not supported.

  • FlexConnect Local Switching with External Web authentication, using URL filtering, is not supported until Cisco IOS XE Gibraltar 16.12.x.

  • Fully qualified domain name (FQDN) ACLs and DNS-based ACLs are not supported on Cisco Wave 1 Access Points.

  • The URL filter considers only the first 20 URLs, though you can add more. It uses regex patterns and permits wildcard characters only at the beginning or at the end of a URL. URL ACLs are defined and added to the FlexConnect policy profile, which is then associated with a WLAN. URL ACL creation follows a mechanism similar to local mode URL ACLs.

  • In FlexConnect mode, the URL domain ACL works only when it is connected to a FlexConnect policy profile. The ACL can be attached to a WLAN by associating the policy profile with either the WLAN or local policies. However, you can override it using 'url-redirect-acl'. When the Cisco AV pair is received from ISE, the required policy for a client is pushed as part of the ADD MOBILE message.

  • When an AP joins or when an existing URL ACL is modified and applied to a FlexConnect profile, the ACL definition, along with the mapped URL filter list, is pushed to the AP. The AP stores the URL ACL definition with the mapped ACL name and snoops DNS packets to learn the first IP address for each URL in the ACL. When the AP learns the IP addresses, it updates the controller of the URL and IP bindings. The controller records this information in the client database for future use.

  • When a client roams to another AP during the pre-authentication state, the learned IP addresses are pushed to a new AP. Otherwise, these learned IP addresses are purged when a client enters the post-authentication state or when the TTL for the learned IP address expires.

Restrictions on Wildcard Support in URLs

  • The generic wildcard URL, such as *.*, is not allowed.

  • Wildcards between the domain names, such as *a.cisco.com, a.cisco*.com, a.b.c.test*.apply.play are not allowed.

  • Multiple wildcards, such as test.*.cisco.*.com are not allowed in a URL.

  • The wildcard *.cisco.com is allowed in the URL.

  • The wildcard with a suffix such as wpr.cisco.* is a valid configuration.

  • A maximum of 16 wildcard-based URLs can be configured for a given ACL.
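The DNS snooping described earlier (the AP learns addresses from DNS answers that match a configured URL, tracks up to 20 URLs and 40 resolved addresses per client, ignores CNAME-aliased answers, and opens only ports 80 and 443) together with the wildcard rules above can be modelled in a few dozen lines. The following Python is an added example, not the AP or controller implementation: it validates URL patterns against the wildcard restrictions, parses a DNS response (including compressed names), learns A/AAAA addresses only for answer records whose owner name matches a configured URL, enforces the 20-URL, 16-wildcard and 40-address limits, and then permits client traffic to a learned address on TCP 80/443 only. The DNS responses are constructed inline. This page does not say how the AP matches names when a CNAME is in the chain, so the model here (an A record owned by the CNAME target does not match the original URL) is an assumption that reproduces the documented result.

```python
"""Added example: a model of AP-side DNS snooping for a URL filter.
Not Cisco code; the URL lists and DNS responses are constructed here."""
import ipaddress
import re
import struct

A, CNAME, AAAA = 1, 5, 28          # DNS RR types


def compile_url(pattern):
    """Turn one URL-filter entry into a regex, enforcing the wildcard rules:
    a single '*' only, and only as a leading '*.' or trailing '.*' label."""
    if pattern.count("*") > 1:
        raise ValueError("multiple wildcards: " + pattern)       # also rejects '*.*'
    if "*" not in pattern:
        return re.compile("^" + re.escape(pattern) + "$", re.IGNORECASE)
    if pattern.startswith("*.") and len(pattern) > 2:
        return re.compile(r"^([^.]+\.)+" + re.escape(pattern[2:]) + "$", re.IGNORECASE)
    if pattern.endswith(".*") and len(pattern) > 2:
        return re.compile("^" + re.escape(pattern[:-2]) + r"(\.[^.]+)+$", re.IGNORECASE)
    raise ValueError("wildcard only allowed at the start or end: " + pattern)


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(qname, answers, compress=True):
    """Constructed DNS response; answers = [(owner, rtype, rdata)]. Like most
    resolvers, an owner equal to the question name is sent as a pointer to
    offset 12 (0xC00C) when compress is True."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A, 1)
    body = b""
    for owner, rtype, rdata in answers:
        name = b"\xc0\x0c" if compress and owner == qname else _encode_name(owner)
        body += name + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + body


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg):
    """Yield (owner, rtype, rdata) for every answer RR in a DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield owner, rtype, msg[off:off + rdlen]
        off += rdlen


class DnsSnoopAgent:
    MAX_URLS, MAX_WILDCARD_URLS, MAX_IPS_PER_CLIENT = 20, 16, 40

    def __init__(self, urls):
        if len(urls) > self.MAX_URLS:
            raise ValueError("a URL filter holds at most 20 URLs")
        if sum("*" in u for u in urls) > self.MAX_WILDCARD_URLS:
            raise ValueError("at most 16 wildcard URLs per ACL")
        self.patterns = [(u, compile_url(u)) for u in urls]
        self.learned = {}                          # client -> {ip: matched URL}

    def snoop(self, client, response):
        """Learn A/AAAA answers whose owner name matches a configured URL.
        Assumption: a record owned by a CNAME target does not match the
        original name, so CNAME-aliased answers are not tracked."""
        table = self.learned.setdefault(client, {})
        learned_now = []
        for owner, rtype, rdata in parse_answers(response):
            if rtype == A:
                ip = str(ipaddress.IPv4Address(rdata))
            elif rtype == AAAA:
                ip = str(ipaddress.IPv6Address(rdata))
            else:
                continue                           # CNAME and others carry no IP
            url = next((u for u, rx in self.patterns if rx.match(owner)), None)
            if url is None or len(table) >= self.MAX_IPS_PER_CLIENT:
                continue
            table[ip] = url
            learned_now.append(ip)
        return learned_now

    def is_permitted(self, client, dst_ip, dst_port):
        """URL filtering opens only TCP 80 and 443 towards a learned address."""
        return dst_ip in self.learned.get(client, {}) and dst_port in (80, 443)


if __name__ == "__main__":
    agent = DnsSnoopAgent(["*.example.com", "portal.example.net"])
    aliased = build_response("www.example.com", [
        ("www.example.com", CNAME, _encode_name("cdn.example.org")),
        ("cdn.example.org", A, bytes([198, 51, 100, 7]))])
    print(agent.snoop("aabb.ccdd.eeff", aliased))  # [] : CNAME chain not tracked
```

The aliased case is the one to test before going live: a portal fronted by a CDN usually answers with a CNAME, and the client then gets no pre-auth access to it even though the name is on the list.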

FlexConnect Mode

Define URL filter list (CLI)

Define a custom list of permitted or blocked URLs for use with FlexConnect local switching mode using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the URL filter enhanced list.

Example:

Device(config)# urlfilter enhanced-list urllist_flex_preauth

Note

 

Use the urlfilter enhanced-list command only with FlexConnect local switching mode. Do not configure enhanced-list in policy profiles for local mode or FlexConnect central switching. This action may cause client connection issues.

Here, list-name refers to the URL filter list name. The list name must not exceed 32 alphanumeric characters.

Step 3

Configure the action: permit (allowed list) or deny (blocked list).

Example:

Device(config-urlfilter-enhanced-params)# url url-name preference [0-65535] action {deny | permit}

Step 4

Return to privileged EXEC mode.

Example:

Device(config-urlfilter-enhanced-params)# end

Apply URL filter list to FlexConnect profile (CLI)

Use this procedure to enforce web access policies on FlexConnect APs through defined URL filter lists using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create a FlexConnect profile, or enter an existing one.

Example:

Device(config)# wireless profile flex default-flex-profile

Step 3

Configure ACL policy.

Example:

Device(config-wireless-flex-profile)# acl-policy acl_name

Step 4

Apply the URL list to the Flex profile.

Example:

Device(config-wireless-flex-profile-acl)# urlfilter list urllist_flex_preauth

Step 5

Return to privileged EXEC mode.

Example:

Device(config-wireless-flex-profile-acl)# end

Configure ISE for central web authentication (GUI)

Perform these steps to configure ISE for Central Web Authentication using the GUI.

Procedure


Step 1

Login to the Cisco Identity Services Engine (ISE). Click Policy and then click Policy Elements. Click Results.

Step 2

Expand Authorization and click Authorization Profiles.

Step 3

Click Add to create a new authorization profile for URL filter.

Step 4

Enter a name for the profile in the Name field. For example, CentralWebauth.

Step 5

Select the ACCESS_ACCEPT option from the Access Type drop-down list. Then, in the Common Tasks section, check Web Redirection.

Step 6

Select the Centralized Web Auth option from the drop-down list. Specify the ACL and select the ACL value from the drop-down list.

Step 7

In the Advanced Attributes Setting section, select Cisco:cisco-av-pair from the drop-down list.

Note

 

Multiple ACLs can be applied on the controller based on priority. In an L2 Auth + webauth multi-auth scenario, if ISE returns an ACL during L2 Auth, that ISE ACL takes precedence over the default webauth redirect ACL. If the ISE ACL contains a permit rule, client traffic then flows while the client is still in the webauth pending state. To avoid this, set the precedence of the ACL that ISE returns during L2 Auth: the default webauth redirect ACL has priority 100, so configure the redirect ACL priority of the ISE-returned ACL above 100.

Step 8

Enter these one by one and click (+) icon after each of them:

  • url-redirect-acl=<sample_name>

  • url-redirect=<sample_redirect_URL>

    For example,
    Cisco:cisco-av-pair = priv-lvl=15
    Cisco:cisco-av-pair = url-redirect-acl=ACL-REDIRECT2
    Cisco:cisco-av-pair = url-redirect=https://9.10.8.247:port/portal/gateway?sessionId=SessionIdValue&portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a&daysToExpiry=value&action=cwa

Step 9

Verify contents in the Attributes Details section and click Save.


Local Mode

Define URL filter list (CLI)

Configure a URL filter list to control access to specific web resources by creating an allowed or blocked list, setting redirect servers, and applying actions for post-authentication filtering using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the URL filter list.

Example:

Device(config)# urlfilter list urllist_local_preauth

Here, list-name refers to the URL filter list name. The list name must not exceed 32 alphanumeric characters.

Step 3

Configure the action: permit (allowed list) or deny (blocked list).

Example:

Device(config-urlfilter-params)# action permit

Step 4

Configure the URL list as post-authentication filter.

Example:

Device(config-urlfilter-params)# filter-type post-authentication

Note

 

This step is applicable while configuring post-authentication URL filter only.

Step 5

Configure the IPv4 redirect server for the URL list.

Example:

Device(config-urlfilter-params)# redirect-server-ipv4 192.0.2.1

Here, IPv4-address refers to the IPv4 address.

Step 6

Configure the IPv6 redirect server for the URL list.

Example:

Device(config-urlfilter-params)# redirect-server-ipv6 2001:DB8::82

Here, IPv6-address refers to the IPv6 address.

Step 7

Configure a URL.

Example:

Device(config-urlfilter-params)# url url1.dns.com

Here, url refers to the name of the URL.

Step 8

Return to privileged EXEC mode.

Example:

Device(config-urlfilter-params)# end

Apply URL filter list to policy profile (GUI)

Assign URL filters to a policy profile to manage and restrict user web access using the GUI.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

Click on the Policy Name.

Step 3

Go to Access Policies tab.

Step 4

In the URL Filters section, select the filters from the Pre Auth and Post Auth drop-down lists.

Step 5

Click Update & Apply to Device.


Apply URL filter list to policy profile (CLI)

Restrict or permit user access to network resources by applying specific URL filter lists to a designated policy profile using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure wireless policy profile.

Example:

Device(config)# wireless profile policy default-policy-profile

Here, profile-policy refers to the name of the WLAN policy profile.

Step 3

Apply the URL list to the policy profile.

Example:

Device(config-wireless-policy)# urlfilter list pre-auth-filter urllist_local_preauth
Device(config-wireless-policy)# urlfilter list post-auth-filter urllist_local_postauth

Here, name refers to the name of the pre-authentication or post-authentication URL filter list configured earlier.

Note

 

When a client joins, the policy’s configured URL filter applies to the client.

Step 4

Return to the privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

Configuring ISE for Central Web Authentication

Create authorization profiles (GUI)

Define authorization profiles that control network access through URL filters using the GUI.

Procedure


Step 1

Login to the Cisco Identity Services Engine (ISE). Click Policy, and click Policy Elements.

Step 2

Click Results.

Step 3

Expand Authorization, and click Authorization Profiles.

Step 4

Click Add to create a new authorization profile for URL filter.

Step 5

In the Name field, enter a name for the profile. For example, CentralWebauth.

Step 6

Select ACCESS_ACCEPT from the access type drop-down list.

Step 7

In the Advanced Attributes Setting section, select Cisco:cisco-av-pair from the drop-down list.

Step 8

Enter these parameters one by one and click (+) icon after each of them:

  • url-filter-preauth=<preauth_filter_name>

  • url-filter-postauth=<postauth_filter_name>

For example,


Cisco:cisco-av-pair = url-filter-preauth=urllist_pre_cwa
Cisco:cisco-av-pair = url-filter-postauth=urllist_post_cwa
                    

Step 9

Verify contents in the attributes details section and click Save.
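The av-pairs from both ISE procedures above (url-redirect-acl and url-redirect for CWA, url-filter-preauth and url-filter-postauth for URL filters) reach the controller as Cisco Vendor-Specific attributes in a RADIUS Access-Accept. The following Python is an added example, not ISE or controller code: it encodes those attributes as vendor 9 / vendor-type 1 (Cisco-AVPair), signs the packet with the RFC 2865 Response Authenticator, and decodes it as a NAS would, rejecting a packet whose authenticator does not verify. The shared secret, Request Authenticator and packet identifier are constructed values; the av-pair strings are the ones shown on this page.

```python
"""Added example: Cisco-AVPair attributes in a RADIUS Access-Accept, encoded
as ISE would send them and verified/decoded as the controller would.
Not ISE or controller code; secret, authenticator and identifier are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26            # RFC 2865 attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # vendor-type of Cisco-AVPair

# Constructed fixtures; a real NAS uses the Request Authenticator it sent.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

# The av-pairs shown in the two ISE procedures on this page.
CWA_REDIRECT_PROFILE = [
    "priv-lvl=15",
    "url-redirect-acl=ACL-REDIRECT2",
    "url-redirect=https://9.10.8.247:port/portal/gateway?sessionId=SessionIdValue"
    "&portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a&daysToExpiry=value&action=cwa",
]
URL_FILTER_PROFILE = [
    "url-filter-preauth=urllist_pre_cwa",
    "url-filter-postauth=urllist_post_cwa",
]


def encode_avpair(value):
    """One Vendor-Specific attribute carrying a single Cisco-AVPair string."""
    data = value.encode("ascii")
    if len(data) > 247:        # 253-byte value minus 4 (vendor id) minus 2 (VSA header)
        raise ValueError("av-pair too long for one attribute")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(vsa) + 6, CISCO_VENDOR_ID) + vsa


def build_access_accept(identifier, request_auth, secret, avpairs):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    attrs = b"".join(encode_avpair(a) for a in avpairs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def verify_and_decode(packet, request_auth, secret):
    """Check the Response Authenticator, then return (code, id, {key: [values]})
    for every Cisco-AVPair; attributes from other vendors are skipped."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    pairs = {}
    off = 0
    while off < len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[off + 2:off + alen]
        off += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        vbody, voff = body[4:], 0
        while voff < len(vbody):
            vtype, vlen = vbody[voff], vbody[voff + 1]
            if vlen < 2 or voff + vlen > len(vbody):
                raise ValueError("malformed VSA")
            text = vbody[voff + 2:voff + vlen].decode("ascii", "replace")
            voff += vlen
            if vtype == CISCO_AVPAIR and "=" in text:
                key, value = text.split("=", 1)
                pairs.setdefault(key, []).append(value)
    return code, identifier, pairs


if __name__ == "__main__":
    pkt = build_access_accept(7, REQUEST_AUTHENTICATOR, SHARED_SECRET, CWA_REDIRECT_PROFILE)
    print(verify_and_decode(pkt, REQUEST_AUTHENTICATOR, SHARED_SECRET)[2])
```

The authenticator is the only integrity check plain RADIUS gives the controller for these ACL names and redirect URLs, and it is MD5 keyed with the shared secret; a long, unique secret per NAS (or RadSec) is what keeps an on-path host from handing clients a different url-redirect-acl.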


Map authorization profiles to authentication rule (GUI)

Define rules that determine how authentication requests are processed by mapping authorization profiles to authentication criteria in the Policy interface using the GUI.

Procedure


Step 1

In the Policy > Authentication page, click Authentication.

Step 2

Enter a name for your authentication rule.

For example, MAB.

Step 3

In the If condition field, select the plus (+) icon.

Step 4

Choose Compound condition, and choose WLC_Web_Authentication.

Step 5

Click the arrow located next to and ... in order to expand the rule further.

Step 6

Click the + icon in the Identity Source field, and choose Internal endpoints.

Step 7

Select Continue from the 'If user not found' drop-down list.

This option allows a device to be authenticated even if its MAC address is not known.

Step 8

Click Save.


Map authorization profiles to authorization rule (GUI)

Map an authorization profile to an authorization rule to control network access permissions based on selected identity and condition attributes using the GUI.

Procedure


Step 1

Click Policy > Authorization. In the Rule Name field, enter a name.

For example, CWA Post Auth.

Step 2

In the Conditions field, select the plus (+) icon.

Step 3

From the drop-down list, choose User Identity Groups > user_group.

Step 4

Click the plus (+) sign located next to and ... in order to expand the rule further.

Step 5

In the Conditions field, select the plus (+) icon. Choose Compound Conditions, and choose to create a new condition.

Step 6

From the settings icon, select Add Attribute/Value from the options.

Step 7

In the Description field, select Network Access > UseCase as the attribute from the drop-down list. Choose the Equals operator.

Step 8

From the right-hand field, choose GuestFlow.

Step 9

In the Permissions field, select the plus (+) icon to select a result for your rule.

You can choose Standard > PermitAccess option or create a custom profile to return the attributes that you like.


View DNS-based access control lists

To view details of a specified wireless URL filter, use this command:

Device# show wireless urlfilter details <urllist_flex_preauth>

To view the summary of all wireless URL filters, use this command:

Device# show wireless urlfilter summary

To view the URL filter applied to the client in the resultant policy section, use this command:

Device# show wireless client mac-address <MAC_addr> detail

Configuration examples for DNS-based access control lists

FlexConnect Mode

Example: Defining URL Filter List

This example shows how to define a URL list in FlexConnect mode:


Device# configure terminal
Device(config)# urlfilter enhanced-list urllist_flex_preauth
Device(config-urlfilter-enhanced-params)# url www.dns.com preference 1 action permit
Device(config-urlfilter-enhanced-params)# end
Example: Applying URL Filter List to Flex Profile

This example shows how to apply a URL list to the FlexConnect profile in FlexConnect mode:


Device# configure terminal
Device(config)# wireless profile flex default-flex-profile
Device(config-wireless-flex-profile)# acl-policy acl_name
Device(config-wireless-flex-profile-acl)# urlfilter list urllist_flex_preauth
Device(config-wireless-flex-profile-acl)# end

Local Mode

Example: Defining Preauth URL Filter List

This example shows how to define URL filter list (pre-authentication):


Device# configure terminal
Device(config)# urlfilter list urllist_local_preauth
Device(config-urlfilter-params)# action permit
Device(config-urlfilter-params)# redirect-server-ipv4 9.1.0.101
Device(config-urlfilter-params)# redirect-server-ipv6 2001:300:8::82
Device(config-urlfilter-params)# url url1.dns.com
Device(config-urlfilter-params)# end
Example: Defining Postauth URL Filter List

This example shows how to define URL filter list (post-authentication):


Device# configure terminal
Device(config)# urlfilter list urllist_local_postauth
Device(config-urlfilter-params)# action permit
Device(config-urlfilter-params)# filter-type post-authentication
Device(config-urlfilter-params)# redirect-server-ipv4 9.1.0.101
Device(config-urlfilter-params)# redirect-server-ipv6 2001:300:8::82
Device(config-urlfilter-params)# url url1.dns.com
Device(config-urlfilter-params)# end
Example: Applying URL Filter List to Policy Profile

This example shows how to apply a URL list to the policy profile in local mode:


Device# configure terminal
Device(config)# wireless profile policy default-policy-profile
Device(config-wireless-policy)# urlfilter list pre-auth-filter urllist_local_preauth
Device(config-wireless-policy)# urlfilter list post-auth-filter urllist_local_postauth
Device(config-wireless-policy)# end

Verify DNS snoop agent (DSA)

To view details of the DNS snooping agent client, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client

To view details of the DSA enabled interface, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client enabled-intf

To view the pattern list in uCode memory, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client hw-pattern-list

To view the OpenDNS string for the pattern list, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client hw-pattern-list odns_string

To view the FQDN filter for the pattern list, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client hw-pattern-list fqdn-filter <fqdn_filter_ID>

Note


The valid range of fqdn_filter_ID is from 1 to 16.


To view details of the DSA client, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client info

To view the pattern list in CPP client, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client pattern-list

To view the OpenDNS string for the pattern list, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client pattern-list odns_string

To view the FQDN filter for the pattern list, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent client pattern-list fqdn-filter <fqdn_filter_ID>

Note


The valid range of fqdn_filter_ID is from 1 to 16.


To view details of the DSA datapath, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath

To view details of the DSA IP cache table, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache

To view details of the DSA address entry, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache address {ipv4 <IPv4_addr> | ipv6 <IPv6_addr>}

To view details of all the DSA IP cache address, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache all

To view details of the DSA IP cache pattern, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache pattern <pattern>

To view details of the DSA datapath memory, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath memory

To view the DSA regular expression table, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath regexp-table

To view the DSA statistics, use this command:

Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath stats

FlexConnect client IPv6 support with WebAuth pre and post ACL

A WebAuth IPv6 ACL is an access control mechanism that

  • enables an access point to enforce web authentication policies for IPv6 client traffic

  • uses IOS IPv6 ACL definitions that are pushed to the AP in response to join events or policy changes, and

  • differentiates pre-authentication and post-authentication access by assigning default or custom ACLs.

A change in the ACL policies of the FlexConnect profile can include adding a new ACL, deleting an ACL, or modifying an existing ACL.

ACL definitions are pushed to AP when any of these events occur:

  • AP join.

  • New ACL mapping in a new FlexConnect profile.

  • Configuring IPv6 ACL definition in FlexConnect profile.

Default Local Web Authentication ACLs

The pre-defined default LWA IPv6 ACL is pushed to AP and assigned to the data plane.

Default External Web Authentication ACL

The default EWA ACLs are derived from the redirect portal address configured in the parameter map.

The types of default EWA ACLs include:

  • Security ACL which is pushed and assigned to the AP.

  • Intercept ACL which is pushed and assigned to the data plane.

FQDN ACL

  • FQDN ACL is encoded along with IPv6 ACL and sent to AP.

  • FQDN ACL is always a custom ACL.

These apply to FlexConnect and Local mode:

  • If you are migrating from AireOS, you need to configure these commands explicitly under the web authentication parameter map:

    redirect append ap-mac tag ap_mac
    redirect append wlan-ssid tag wlan
    redirect append client-mac tag client_mac
  • If the login page has any resource that needs to be fetched from the server, you will need to include those resource URLs in URL filtering.

  • If you are trying to access an IPv6 URL and you have an IPv4 web server, the controller redirects the client to an internal page. Domain redirection is not supported in this context. It is recommended to have a dual-stack web server and configure virtual IPv6 address in the global parameter map.

Enable pre-authentication ACL for LWA and EWA (GUI)

Allow or restrict traffic before authentication on specified WLANs using the GUI.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID and the WLAN ID.

Step 4

Choose Security > Layer2 tab. Uncheck the WPAPolicy, AES and 802.1x check boxes.

Step 5

Choose Security > Layer3 tab. Select the Web Auth Parameter Map from the Web Auth Parameter Map drop-down list and authentication list from the Authentication List drop-down list.

Step 6

Click Show Advanced Settings, and under Preauthenticated ACL, select the IPv6 ACL from the IPv6 drop-down list.

Step 7

Choose Security > AAA tab. Select the authentication list from the Authentication List drop-down list.

Step 8

Click Apply to Device.


Enable pre-authentication ACL for LWA and EWA (CLI)

Configure pre-authentication access control for WLAN client web authentication scenarios using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-demo 1 ssid-demo
  • wlan-name: Enter the profile name. The range is from 1 to 32 alphanumeric characters.

  • wlan-id: Enter the WLAN ID. The range is from 1 to 512.

  • SSID-name: Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

    Note

     

    If you have already configured WLAN, enter wlan wlan-name command.

Step 3

Apply an existing IPv6 ACL to the WLAN as the pre-authentication ACL for web authentication, and disable WPA security.

Example:

Device(config-wlan)# ipv6 traffic-filter web preauth_v6_acl
Device(config-wlan)# no security wpa

Step 4

Disable WPA2 ciphers for AES.

Example:

Device(config-wlan)#no security wpa wpa2 ciphers aes

Step 5

Disable security AKM for dot1x.

Example:

Device(config-wlan)#no security wpa akm dot1x

Step 6

Configure web authentication.

Example:

Device(config-wlan)# security web-auth 

Step 7

Enable authentication list for WLAN.

Example:

Device(config-wlan)# security web-auth authentication-list wcm_dot1x

Step 8

Map the parameter map.

Example:

Device(config-wlan)# security web-auth parameter-map param-custom-webconsent

Step 9

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Enable post-authentication ACL for LWA and EWA (GUI)

Enable post-authentication access control for LWA and EWA WLANs to enforce security policies after successful user authentication using the GUI.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name. This is the WLAN profile name.

Step 4

Enter the SSID and the WLAN ID.

Step 5

Click Apply to Device.


Enable post-authentication ACL for LWA and EWA (CLI)

Configure security policies that restrict client access after authentication using commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create policy profile for the WLAN.

Example:

Device(config)# wireless profile policy test1

The profile-name is the profile name of the policy profile.

Step 3

Apply a named IPv6 ACL to the policy profile; it is enforced on clients after authentication.

Example:

Device(config-wireless-policy)# ipv6 acl testacl

Step 4

Return to the privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Enable DNS ACL for LWA and EWA (GUI)

Enable DNS-based access control for LWA and EWA WLANs by configuring the required settings using the GUI.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name. This is the WLAN profile name.

Step 4

Enter the SSID and the WLAN ID.

Step 5

Click Apply to Device.


Enable DNS ACL for LWA and EWA (CLI)

Enable DNS ACLs to control DNS access for WLAN policy profiles that use LWA or EWA using commands.


Note


Post-authentication DNS ACL is not supported.


Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create policy profile for the WLAN.

Example:

Device(config)# wireless profile policy test1

The profile-name is the profile name of the policy profile.

Step 3

Return to the privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Verify FlexConnect client IPv6 support with WebAuth pre and post ACL

To verify the client state after L2 authentication, use this command:

Device# show wireless client summary
Number of Local Clients: 1                                                                                                          
MAC Address    AP Name                          WLAN  State             Protocol Method     Role
---------------------------------------------------------------------------------------------------
1491.82b8.f8c1 AP4001.7A03.544C                 4      Webauth Pending   11n(5)   None       Local             
Number of Excluded Clients: 0

To verify the IP state, discovery, and MAC, use this command:

Device# show wireless dev da ip
IP                                          STATE       DISCOVERY   MAC
----------------------------------------------------------------------------------
15.30.0.4                                   Reachable   ARP         1491.82b8.f8c1 
2001:15:30:0:d1d7:ecf3:7940:af60            Reachable   IPv6 Packet 1491.82b8.f8c1 
fe80::595e:7c29:d7c:3c84                    Reachable   IPv6 Packet 1491.82b8.f8c1