Allowed List of Specific URLs

This feature lets you add specific URLs to an allowed list on the controller or the AP so that those URLs remain reachable even when the client has no general internet connectivity, for example before web authentication completes. You can add URLs to the allowed list for captive-portal web authentication and walled-garden use cases. Authentication is not required to reach a URL on the allowed list. When you try to access a site that is not on the allowed list, you are redirected to the Login page.

Adding URL to Allowed List

Procedure

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

urlfilter list urlfilter-name

Example:

Device(config)# urlfilter list url-allowedlist-nbn

Configures a URL filter profile and enters URL filter parameter configuration mode.

Step 3

action {deny | permit}

Example:

Device(config-urlfilter-params)# action permit

Sets the action for the list: permit configures it as an allowed list, deny configures it as a blocked list.

Step 4

{redirect-server-ipv4 ipv4-address | redirect-server-ipv6 ipv6-address}

Example:

Device(config-urlfilter-params)# redirect-server-ipv4 X.X.X.X

Configures the IP address of the redirect server to which denied user requests are sent. As the note below explains, this applies only to local mode after authentication.

Step 5

url url-to-be-allowed

Example:

Device(config-urlfilter-params)# url www.cisco.com

Adds a URL to the list. Repeat this command for each URL that is to be allowed.


Note

The redirect-server-ipv4 and redirect-server-ipv6 commands apply only in local mode, and specifically post-authentication: a denied user request is redirected to the configured server so that it can be tracked or shown a warning message.

They do not apply to the pre-authentication scenario, because any denied access before login is redirected to the controller's redirect login URL regardless of this setting.


You can associate the allowed list with an ACL policy in the flex profile, so that the AP enforces it for locally switched clients.

Example

Associating the allowed list with the ACL policy in the flex profile. The example also defines an enhanced list, in which each URL carries its own preference and action, and a WLAN that applies the ACL as its web-auth access group:
Device(config)# wireless profile flex default-flex-profile
Device(config-wireless-flex-profile)# acl-policy user_v4_acl
Device(config-wireless-flex-profile-acl)# urlfilter list url_allowedlist_nbn
Device(config-wireless-flex-profile-acl)# exit
Device(config-wireless-flex-profile)# description "default flex profile"
Device(config)# urlfilter enhanced-list urllist_pre_cwa
Device(config-urlfilter-enhanced-params)# url url1.dns.com preference 1 action permit
Device(config-urlfilter-enhanced-params)# url url2.dns.com preference 2 action deny
Device(config-urlfilter-enhanced-params)# url url3.dns.com preference 3 action permit
Device(config)# wlan wlan5 5 wlan5
Device(config-wlan)# ip access-group web user_v4_acl
Device(config-wlan)# no security wpa
Device(config-wlan)# no security wpa wpa2 ciphers aes
Device(config-wlan)# no security wpa akm dot1x
Device(config-wlan)# security web-auth
Device(config-wlan)# security web-auth authentication-list default
Device(config-wlan)# security web-auth parameter-map global
Device(config-wlan)# no shutdown

Portal Resolving to Multiple IP Addresses

A portal such as Cisco Spaces uses two IP addresses, while the Web Auth Parameter Map provides pre-authentication access to only a single IP address. When an externally hosted portal resolves to multiple IP addresses (for example, Cisco Spaces resolves to two), or when additional HTTP resources require pre-authentication access, you must use the URL filter. The URL filter permits traffic to the configured URLs by snooping the client's DNS traffic and dynamically adding the resolved IP addresses to the intercept (redirect) and security (pre-auth) ACLs, so the client can reach every address the portal uses.

In a FlexConnect local switching deployment, an additional step is required to ensure that the URL Filter is applied to the client at the AP.

Configuring the Web Auth Parameter Map automatically creates two ACLs:

  • a redirect or intercept ACL (WA-v4-int), and

  • a security ACL (WA-sec-).

The security ACL permits pre-authentication access to HTTP/HTTPS, DNS, DHCP, and so on. It is this ACL that must be applied, together with the URL filter, in the flex profile for DNS snooping to work. Without this step, the AP may fail to snoop DNS and add the resolved addresses to the ACLs, so a client that sends its request to the portal's secondary IP address is not redirected to the portal page.

Associating the allowed list with the security ACL in the flex profile (replace WA-sec-<ip> with the name of the security ACL that was created for your parameter map):

Device(config)# wireless profile flex default-flex-profile
Device(config-wireless-flex-profile)# acl-policy WA-sec-<ip>
Device(config-wireless-flex-profile-acl)# urlfilter list url_allowedlist_nbn
Device(config-wireless-flex-profile-acl)# exit
Device(config-wireless-flex-profile)# description "default flex profile"
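The DNS snooping behaviour described above, modelled as an added Python example (not Cisco code): a pre-auth client starts with only the single portal address the parameter map opens; a snooped DNS answer for a host on the allowed list adds every resolved address to the permitted set, while an answer for any other host adds nothing. Turning snooping off reproduces the FlexConnect failure mode, in which the portal's secondary address is intercepted instead of permitted. The model matches host names exactly (the page does not document wildcard syntax), and the host names and addresses are constructed for the demonstration.

```python
"""Model of URL-filter DNS snooping for a pre-auth walled garden.

Added example, not Cisco code. Host names and addresses are constructed.
"""
import struct
from ipaddress import IPv4Address


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (lower-cased name, offset just past the name as written at 'off')."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                      # 2-byte pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def parse_a_records(msg: bytes) -> tuple[str, list[str]]:
    """Return (question name, IPv4 addresses from A records) of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    qname, off = _read_name(msg, off)
    off += 4                                             # QTYPE + QCLASS
    for _ in range(qdcount - 1):                         # skip any extra questions
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                    # A record
            addrs.append(str(IPv4Address(msg[off:off + 4])))
        off += rdlen
    return qname, addrs


def build_a_response(qname: str, addrs: list[str]) -> bytes:
    """Construct a minimal DNS response (flags 0x8180) with one A record per address."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    # Each answer names its owner with a pointer to offset 12 (the question name).
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + IPv4Address(a).packed for a in addrs
    )
    return header + question + answers


class PreAuthWalledGarden:
    """Pre-auth ACL state for one client, with DNS snooping on or off."""

    def __init__(self, allowed_urls, portal_ip: str, dns_snooping: bool = True):
        self.allowed = {u.lower() for u in allowed_urls}   # exact host match (assumption)
        self.permitted_ips = {portal_ip}                    # the one address the parameter map opens
        self.dns_snooping = dns_snooping

    def snoop_dns(self, response: bytes) -> list[str]:
        """Learn addresses from a DNS answer if the queried host is on the allowed list."""
        if not self.dns_snooping:
            return []
        qname, addrs = parse_a_records(response)
        if qname not in self.allowed:
            return []
        self.permitted_ips.update(addrs)
        return addrs

    def decide(self, dst_ip: str) -> str:
        """PERMIT if the destination is open pre-auth, otherwise REDIRECT to the login page."""
        return "PERMIT" if dst_ip in self.permitted_ips else "REDIRECT"


def demo() -> dict[str, str]:
    """Portal resolving to two addresses: with snooping both are reachable; without
    it the secondary address is intercepted (the FlexConnect failure mode)."""
    portal = build_a_response("portal.example.com", ["192.0.2.10", "192.0.2.11"])
    other = build_a_response("cdn.example.net", ["198.51.100.7"])
    with_snoop = PreAuthWalledGarden(["portal.example.com"], "192.0.2.10")
    without = PreAuthWalledGarden(["portal.example.com"], "192.0.2.10", dns_snooping=False)
    for wg in (with_snoop, without):
        wg.snoop_dns(portal)
        wg.snoop_dns(other)
    return {
        "snoop/primary": with_snoop.decide("192.0.2.10"),
        "snoop/secondary": with_snoop.decide("192.0.2.11"),
        "snoop/unlisted": with_snoop.decide("198.51.100.7"),
        "nosnoop/secondary": without.decide("192.0.2.11"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

The DNS messages are built and parsed in wire format, including name compression, because that is the form a snooper on the AP actually sees. The model ignores AAAA records and TTL expiry, both of which a real implementation has to track.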

Verifying URLs on the Allowed List

Use the show wireless urlfilter summary and show wireless urlfilter details commands to verify the URLs on the allowed list. The summary shows every URL filter with its filter type, action, and redirect servers; the details command lists the configured URLs of one filter.

Device# show wireless urlfilter summary
Black-list    - DENY
White-list    - PERMIT
Filter-Type   - Specific to Local Mode

URL-List                         ID  Filter-Type  Action   Redirect-ipv4  Redirect-ipv6
-------------------------------------------------------------------------------------------------------------
url-whitelist                    1    PRE-AUTH     PERMIT   1.1.1.1

Device#

Device# show wireless urlfilter details url-whitelist
List Name................. : url-whitelist
Filter ID............... : : 1
Filter Type............... : PRE-AUTH
Action.................... : PERMIT
Redirect server ipv4...... : 1.1.1.1
Redirect server ipv6...... :
Configured List of URLs
   URL.................... : www.cisco.com
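An added Python example (not from the page or from Cisco) that parses the show wireless urlfilter details output above and audits it: it flags a list whose action is not PERMIT, a list that lacks a required portal host, an entry so broad that it opens the walled garden to an entire top-level domain, and a post-authentication list with no redirect server. The sample output, the list name url-allowedlist-nbn and the portal hosts are constructed for the example, and treating entries such as *.com as wildcards is an assumption, since the page does not document the wildcard syntax.

```python
"""Audit a 'show wireless urlfilter details' listing for a web-auth allowed list.

Added example, not Cisco code. The sample output is constructed in the format
the page shows; the list name, hosts and findings are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
List Name................. : url-allowedlist-nbn
Filter ID............... : : 1
Filter Type............... : PRE-AUTH
Action.................... : PERMIT
Redirect server ipv4...... :
Redirect server ipv6...... :
Configured List of URLs
   URL.................... : www.cisco.com
   URL.................... : portal.example.com
   URL.................... : *.com
"""

# 'Key.......... : value'; the Filter ID line carries a doubled ': :' separator.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\.*\s*:(?:\s*:)?\s*(?P<val>.*?)\s*$")

# Assumption: a leading '*.' is a wildcard; '*.<label>' with no further dot covers a whole TLD.
TLD_WILDCARD_RE = re.compile(r"\*\.[A-Za-z0-9-]+")


@dataclass
class UrlFilter:
    name: str
    filter_id: int | None
    filter_type: str
    action: str
    redirect_ipv4: str | None
    redirect_ipv6: str | None
    urls: list[str] = field(default_factory=list)


def parse_urlfilter_details(text: str) -> UrlFilter:
    """Turn the dotted 'Key : value' listing into a UrlFilter record."""
    fields: dict[str, str] = {}
    urls: list[str] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # e.g. the 'Configured List of URLs' banner
        key, val = m.group("key").strip().lower(), m.group("val")
        if key == "url":
            if val:
                urls.append(val)
        else:
            fields[key] = val
    fid = fields.get("filter id", "")
    return UrlFilter(
        name=fields.get("list name", ""),
        filter_id=int(fid) if fid.isdigit() else None,
        filter_type=fields.get("filter type", ""),
        action=fields.get("action", ""),
        redirect_ipv4=fields.get("redirect server ipv4") or None,
        redirect_ipv6=fields.get("redirect server ipv6") or None,
        urls=urls,
    )


def audit_allowed_list(f: UrlFilter, required_hosts: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means the allowed list is sound."""
    findings: list[str] = []
    if f.action != "PERMIT":
        findings.append(f"{f.name}: action is {f.action or 'unset'}; an allowed list must be PERMIT")
    for u in f.urls:
        # '*' or '*.<tld>' admits any host in a whole top-level domain before login.
        if u == "*" or TLD_WILDCARD_RE.fullmatch(u):
            findings.append(f"{f.name}: entry '{u}' opens the walled garden to an entire TLD")
    for host in sorted(required_hosts - set(f.urls)):
        findings.append(f"{f.name}: required portal host '{host}' is not on the list")
    # The page's note: redirect servers matter only post-authentication in local mode.
    if f.filter_type != "PRE-AUTH" and not (f.redirect_ipv4 or f.redirect_ipv6):
        findings.append(f"{f.name}: post-auth list has no redirect server for denied requests")
    return findings


if __name__ == "__main__":
    parsed = parse_urlfilter_details(SAMPLE_OUTPUT)
    for finding in audit_allowed_list(parsed, {"www.cisco.com", "api.example.com"}):
        print(finding)
```

Feed the script the output captured from the controller and the set of hosts your portal page actually loads; a missing host shows up as a client that is redirected to the login page instead of reaching the portal, which is the symptom the sections above describe.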