DNS-Based Access Control Lists

Information About DNS-Based Access Control Lists

The DNS-based ACLs are used for wireless client devices. When using these devices, you can set pre-authentication ACLs on the embedded wireless controller to determine the data requests that are allowed or blocked.

To enable DNS-based ACLs on the embedded wireless controller, you need to configure the allowed URLs or denied URLs for the ACLs. The URLs need to be pre-configured on the ACL.

With DNS-based ACLs, the client when in registration phase is allowed to connect to the configured URLs. The embedded wireless controller is configured with the ACL name that is returned by the AAA server. If the ACL name is returned by the AAA server, then the ACL is applied to the client for web-redirection.

At the client authentication phase, the AAA server returns the pre-authentication ACL (url-redirect-acl, which is the attribute name given to the AAA server). The DNS snooping is performed on the AP for each client until the registration is complete and the client is in SUPPLICANT PROVISIONING state. When the ACL configured with the URLs is received on the embedded wireless controller, the CAPWAP payload is sent to the AP enabling DNS snooping for the URLs to be snooped.

With URL snooping in place, the AP learns the IP address of the resolved domain name in the DNS response. If the domain name matches the configured URL, then the DNS response is parsed for the IP address. The AP adds the IP address to the allowed list of IP addresses and thus the client can access the URLs configured.

During pre-authentication or post-authentication, DNS ACL is applied to the client in the access point. If the client roams from one AP to another AP, the DNS learned IP addresses on the old AP is valid on the new AP as well.

This feature supports:

  • A maximum of 32 URL lists.

  • A maximum of 32 URLs per URL list.

  • Up to 30 IP addresses per URL.

  • A maximum of 16 URL lists with wild-cards.

  • A maximum of 10 URLs per wild-card URL.


Note


When configuring wild-card based URLs, generic wild-card URLs are not allowed; wild-cards cannot be present between the domain name; multiple wild-cards are not allowed in a URL. Wild-card specification in a URL can only be at a third-degree level or a higher level.

Note


Conflicting or invalid configurations are not allowed. The same URL cannot have different actions. For example, Deny and Allow cannot be configured on www.yahoo.com.



Note


URL filter needs to be attached to a policy profile in case of the local mode. In the flex mode, the URL filter is attached to the flex profile and it is not need to be attached to a policy profile.



Note


DNS based URLs work with active DNS query from the client. Hence, for URL filtering, the DNS should be setup correctly.



Note


URL filter takes precedence over punt or redirect ACL, and over custom or static pre-auth ACL.s


FlexConnect in Embedded Wireless Controller

FlexConnect is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a embedded wireless controller in each branch office.

The FlexConnect access points can switch client data traffic locally while carrying the authentication centrally. Also, FlexConnect APs perform client authentication locally when their connection to the controller is lost. When they are connected back to the controller, they can also send authentication/policy details back to the embedded wireless controller.

The embedded wireless controller network comprises of at least one 802.11ax Wave 2 Cisco Aironet Series access point (AP) with a software-based embedded wireless controller managing other APs in the network. The AP acting as the embedded wireless controller is referred to as the primary AP while the other APs in the network, which are managed by this primary AP, are referred to as subordinate APs. In addition to acting as an embedded wireless controller, the primary AP also operates as an AP to serve clients along with the subordinate APs.

Pre-Auth DNS ACL feature is also known as Walled Garden feature. The walled garden is a list of web sites or domains that you can visit without being authenticated. DNS snooping is performed on the AP for each client and configured rule is applied to client traffic after matching the Source or Destination IP.

Roaming

During Roaming, the support clients roam from one AP to the other using the existing roaming support. DNS ACLs are retained at the target AP even after roaming. For Roaming with DNS Pre-Auth ACL and Post-Auth ACL, the target AP learns the client-resolved IP from the serving AP.

Restrictions on DNS-Based Access Control Lists

The restriction for DNS-based ACLs is as follows:

  • Only supported for FlexConnect local switching APs with Central Authorization.

  • Post-Auth DNS based ACL is not supported for FlexConnect with local Authorization when AP is in FlexConnect local switching mode.

  • Fully qualified domain name (FQDN) or DNS based ACLs are not supported on Cisco Wave 1 Access Points.

  • The URL filter considers only the first 20 URLs, though you can add more.

  • The URL filter employs regular regex patterns and permits wildcard characters only at the beginning or at the end of an URL.

  • The URL ACLs are defined and added to the FlexConnect policy profile in which they associate with a WLAN. The URL ACL creation follows a similar mechanism as that of local mode URL ACLs.

  • In FlexConnect mode, the URL domain ACL works only if they are connected to a FlexConnect policy profile.

  • The ACL can be attached to a WLAN by associating a policy profile with a WLAN or local policies. However, you can override it using "url-redirect-acl".

  • For the Cisco AV pair received from ISE, the policy that needs to be applied for a particular client is pushed as part of ADD MOBILE

    message.

  • When an AP joins or when an existing URL ACL is modified and applied on FlexConnect profile, the ACL definition along with mapped URL filter list is pushed to the AP.

  • The AP stores the URL ACL definition with mapped ACL name and snoops the DNS packets for learning the first IP address for each URL in the ACL. When the AP learns the IP addresses, it updates the controller of the URL and IP bindings. The controller records this information in the client database for future use.

  • When a client roams to another AP during the pre-authentication state, the learned IP addresses are pushed to a new AP. Otherwise, these learned IP addresses are purged when a client moves to a post-authentication state or when the TTL for the learned IP address expires.

Flex Mode

Configuring the URL Filter List (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile flex custom-flex-profile

Example:

Device(config)# wireless profile flex custom-flex-profile

Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3

acl-policy acl-policy-name

Example:

Device(config-wireless-flex-profile)#acl-policy acl-policy-name

Configures the ACL policy description

Step 4

urlfilter list url-filterlist-name

Example:

Device(config-wireless-flex-profile-acl)# urlfilter list url-filterlist-name

Configures and applies the name of the URL filter list to the flex profile.

This is the Flex URL filter configuration command for ACL binding.

Configuring the URL Filter List (GUI)

Procedure


Step 1

Choose Configuration > Security > URL Filters.

The URL Filters page is displayed.

Step 2

Click the Add button.

The Add URL Filters window is displayed.

Step 3

From the Type drop-down list, choose either PRE-AUTH or POST-AUTH.

  1. POST-AUTH: Specify the Redirect Servers for IPv4 and IPv6.

Step 4

Use the slider to Permit or Deny the Action.

Step 5

Specify the URLs in the URLs field. Enter every URL on a new line.

Step 6

Click Apply to Device.


Applying Custom Pre-Auth DNS ACL on WLAN

For pre-auth, this configuration should be on a web-auth WLAN.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlanwlan-name wlan-id ssid-name

Example:

Device(config)# wlan wlan-name wlan-id ssid-name

Enters the WLAN configuration sub-mode.

1. wlan-name — Enter the profile name. The range is from 1 to 32 alphanumeric characters.

2. wlan-id—Enter the WLANID. The range is from 1 to 512.

3. SSID-name—Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID. If you have already configured WLAN, enter wlan wlan-name command.

Step 3

ip access-group web access-list-name

Example:

Device(config-wlan)#ip access-group web preauth-acl-wlan

Maps the ACL to the web auth WLAN. access-list-name is the IPv4 ACL name or ID.

Applying Custom Post-Auth DNS ACL on Policy Profile

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

Wireless profile policy profile-name

Example:

Device(config)# wireless profile policy custom-policy-profile
Creates policy profile for the WLAN.

Step 3

{ ipv4 | ipv6} acl post-acl-name

Example:

Device(config-wireless-policy)#ipv4 acl post-acl

Creates ACL configuration for wireless IPv4 or IPv6 configuration.

Configuring ISE for Central Web Authentication (GUI)

Perform the following steps to configure ISE for Central Web Authentication.

Procedure


Step 1

Login to the Cisco Identity Services Engine (ISE).

Step 2

Click Policy and then click Policy Elements.

Step 3

Click Results.

Step 4

Expand Authorization and click Authorization Profiles.

Step 5

Click Add to create a new authorization profile for URL filter.

Step 6

Enter a name for the profile in the Name field. For example, CentralWebauth.

Step 7

Choose ACCESS_ACCEPT option from the Access Type drop-down list.

Step 8

Alternatively, in the Common Tasks section, check Web Redirection..

Step 9

Choose the Centralized Web Auth option from the drop-down list.

Step 10

Specify the ACL and choose the ACL value from the drop-down list.

Step 11

In the Advanced Attributes Setting section, choose Cisco:cisco-av-pair from the drop-down list.

Note

 

Multiple ACL can be applied on the controller based on priority. In L2 Auth + webauth multi-auth scenario, if the ISE returns ACL during L2 Auth then ISE ACL takes precedence over the default webauth redirect ACL. This leads to traffic running in webauth pending state, if ISE ACL has permit rule. To avoid this scenario, you need to set the precedence for L2 Auth ISE returned ACL. The default webauth redirect ACL priority is 100. To avoid traffic issue, you need to configure the redirect ACL priority above 100 for ACL returned by ISE.

Step 12

Enter the following one by one and click (+) icon after each of them:

  • url-redirect-acl=<sample_name>

  • url-redirect=<sample_redirect_URL>

    For example,
    Cisco:cisco-av-pair = priv-lvl=15
    Cisco:cisco-av-pair = url-redirect-acl=ACL-REDIRECT2
    Cisco:cisco-av-pair = url-redirect=
    https://9.10.8.247:port/portal/gateway?
    sessionId=SessionIdValue&portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a&daysToExpiry=value&action=cwa

Step 13

Verify contents in the Attributes Details section and click Save.


Viewing DNS-Based Access Control Lists

Verifying the Access Point

To view the URL Lists, use the following command:

Device #show wireless urlacl-enhanced summary
URL-List
--------------------------------
urllist_ut
urllist_max1
urllist_max2
urllist_max3
urllist_max4
urllist_max5

To view the details of a particular URL List, use the following command:

Device#show wireless urlacl-enhanced details urllist_ut
List Name................. : urllist_ut
Configured List of URLs
URL                  Preference Action Validity Invalidated URL
-----------------------------------------------------------------------------
url1.dns.com         1                 PERMIT         VALID 0 
url2.dns.com         2                 DENY           VALID 0
url3.dns.com         3                 PERMIT         VALID 0 
url4.dns.com         4                 DENY           VALID 0 
url11.dns.com        6                 DENY           VALID 0 
url12.dns.com        7                 PERMIT         VALID 0 
url13.dns.com        8                 DENY           VALID 0 
www.example.com      14                PERMIT         VALID 0

To view the flex profile details, use the following command:

Device# sh wireless profile flex detailed custom-flex-profile
Flex Profile Name : custom-flex-profile 
Description : custom flex profile 
Local Auth :
        AP: 
                Radius Enable            : ENABLED 
                PEAP                     : DISABLED 
                LEAP                     : DISABLED 
                TLS                      : DISABLED 
                EAP fast profile         : Not Configured 
                User List                : Not Configured
        RADIUS: 
                RADIUS server group name : Not Configured
        Fallback Radio shut              : DISABLED 
        ARP caching                      : ENABLED 
        Efficient Image Upgrade          : ENABLED 
        OfficeExtend AP                  : DISABLED 
        Join min latency                 : DISABLED
        Policy ACL :
                ACL Name                         URL Filter List
        Name                 Central Webauth
        ---------------------------------------------------------------
        post-acl                urllist_ut        DISABLED
        pre_v4              urllist_pre_cwa   DISABLED
        ACL-REDIRECTTTTTTT2     urllist_ut        DISABLED
        VLAN Name - VLAN ID mapping       : Not Configured        

To view client details, use the following command:

Device#sh wireless client mac-address <Mac-address> detail

To view the ACL configuration on the AP, use the following command:

Device# show ip access-lists
Extended IP access list pre_v4 
        1 permit udp any range 0 65535 any eq 53 
        2 permit tcp any range 0 65535 any eq 53 
        3 permit udp any dhcp_server any range 0 65535 
        4 permit udp any range 0 65535 any eq 68 
        5 permit udp any dhcp_client any range 0 65535 
        6 deny ip any any

To view the URL List configuration, use the following command:

Device#show flexconnect url-acl
ACL-NAME         ACTION         URL-LIST
pre_v4        
                 allow          test.dns.com
                 allow          url2.dns.com 
                 allow          url3.dns.com 
                 allow          url10.dns.com 
                 allow          url11.dns.com 
                 allow          www.cwapre.com 
                 allow          www.google.com 
                 allow          oldconfig.dns.com 
                 allow          *.cisco.com

To view pre-auth client configuration, use the following command:

Device# show client access-lists pre-auth all C0:C1:C0:70:58:2F
Pre-Auth URL ACLs for Client: C0:C1:C0:70:58:2F
IPv4 ACL: pre_v4
IPv6 ACL:
ACTION         URL-LIST
allow          url1.dns.com 
deny           url2.dns.com 
allow          url3.dns.com 
deny           url4.dns.com 
allow          www.example.com 
deny           url11.dns.com 
allow          url12.dns.com 
deny           url13.dns.com

Resolved IPs for Client: C0:C1:C0:70:58:2F
HIT-COUNT         URL         ACTION         IP-LIST
post-acl 
        rule 0:   allow true 
No IPv6 ACL found

To view post-auth client configuration, use the following command:

Device# show client access-lists post-auth all C0:C1:C0:70:58:2F
Post-Auth URL ACLs for Client: C0:C1:C0:70:58:2F 
IPv4 ACL: post-acl
IPv6 ACL:
ACTION         URL-LIST
allow          url1.dns.com 
deny           url2.dns.com 
allow          url3.dns.com 
deny           url4.dns.com 
allow          www.example.com 
deny           url11.dns.com 
allow          url12.dns.com 
deny           url13.dns.com

Resolved IPs for Client: C0:C1:C0:70:58:2F
HIT-COUNT         URL         ACTION         IP-LIST
post-acl 
        rule 0: allow true 
No IPv6 ACL found

To view the IPs learnt in pre-auth, use the following command:

Device#show client access-lists pre-auth all 60:14:B3:AA:C6:FB
Pre-Auth URL ACLs for Client: 60:14:B3:AA:C6:FB 
IPv4 ACL: acl_1
IPv6 ACL:
ACTION         URL-LIST 
allow          url1.dns.com 
deny           url2.dns.com

Resolved IPs for Client: 60:14:B3:AA:C5:FB
HIT-COUNT         URL                 ACTION         IP-LIST
10                url1.dns.com        allow          9.10.8.1

To view the IPs learnt in post-auth, use the following command:

Device#show client access-lists post-auth all 60:14:B3:AA:C6:FB
Post-Auth URL ACLs for Client: 60:14:B3:AA:C5:FB 
IPv4 ACL: post_acl
IPv6 ACL:
ACTION         URL-LIST
deny           url1.dns.com 
allow          url2.dns.com

Resolved IPs for Client: 60:14:B3:AA:C5:FB
HIT-COUNT         URL                 ACTION         IP-LIST
16                url2.dns.com        allow          9.10.9.1
postauth_acl 
          rule 0: allow true