DNS-Based Access Control Lists

DNS-based access control lists

A DNS-based access control list is a wireless network security feature that

  • allows administrators to permit or deny wireless client access to resources based on DNS domain names

  • dynamically learns allowed or denied IP addresses through DNS snooping on access points, and

  • enables pre-authentication and post-authentication URL filtering for enhanced client security.

DNS-based ACLs are used for wireless client devices. You can set pre-authentication ACLs on the embedded wireless controller to determine which data requests are allowed or blocked.

To enable DNS-based ACLs on the embedded wireless controller, configure the allowed or denied URLs for the ACLs. The URLs need to be pre-configured on the ACL.

During the registration phase, DNS-based ACLs allow the client to connect to the configured URLs. The embedded wireless controller is configured with the ACL name provided by the AAA server. If the AAA server returns the ACL name, the controller applies the ACL to the client for web redirection.

During client authentication, the AAA server returns the pre-authentication ACL (url-redirect-acl), which is the attribute name assigned to the ACL by the AAA server. The AP performs DNS snooping for each client until registration is complete and the client reaches the SUPPLICANT PROVISIONING state. When the embedded wireless controller receives the ACL configured with URLs, it sends a CAPWAP payload to the access point to enable DNS snooping for those URLs.

When URL snooping is enabled, the access point learns the IP address of the resolved domain name from the DNS response. If the domain name matches a configured URL, the access point parses the DNS response for the IP address. The AP adds the IP address to the allowed list, which allows the client to access the configured URLs.

During pre-authentication or post-authentication, the DNS ACL is applied to the client in the AP. If the client roams from one AP to another AP, tthe DNS-learned IP addresses from the previous access point remain valid on the new AP.

This feature supports:

  • A maximum of 32 URL lists.

  • A maximum of 32 URLs per URL list.

  • Up to 30 IP addresses per URL.

  • A maximum of 16 URL lists with wild cards.

  • A maximum of 10 URLs per wild-card URL.


Note
When configuring wild card based URLs, generic wild-card URLs are not allowed. Wild cards cannot be present within the domain name, and multiple wild cards are not allowed in a single URL. Wild card specification in a URL is only allowed at the third-degree level or higher.

Note

Conflicting or invalid configurations are not allowed. The same URL cannot have different actions. For example, Deny and Allow cannot be configured on www.yahoo.com .


Note

Attach the URL filter to a policy profile for local mode. In FlexConnect mode, attach the URL filter to the flex profile; attaching it to a policy profile is not required.


Note

DNS-based URLs require an active DNS query from the client. For URL filtering to work, configure DNS settings correctly.

Note

The URL filter takes precedence over punt or redirect ACLs, as well as custom or static pre-authentication ACLs.

FlexConnect in Embedded Wireless Controller

FlexConnect is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a embedded wireless controller in each branch office.

The FlexConnect access points can switch client data traffic locally while carrying the authentication centrally. Also, FlexConnect APs perform client authentication locally when their connection to the controller is lost. When they are connected back to the controller, they can also send authentication/policy details back to the embedded wireless controller.

The embedded wireless controller network comprises of at least one 802.11ax Wave 2 Cisco Aironet Series access point (AP) with a software-based embedded wireless controller managing other APs in the network. The AP acting as the embedded wireless controller is referred to as the primary AP while the other APs in the network, which are managed by this primary AP, are referred to as subordinate APs. In addition to acting as an embedded wireless controller, the primary AP also operates as an AP to serve clients along with the subordinate APs.

Pre-Auth DNS ACL feature is also known as Walled Garden feature. The walled garden is a list of web sites or domains that you can visit without being authenticated. DNS snooping is performed on the AP for each client and configured rule is applied to client traffic after matching the Source or Destination IP.

Roaming

During Roaming, the support clients roam from one AP to the other using the existing roaming support. DNS ACLs are retained at the target AP even after roaming. For Roaming with DNS Pre-Auth ACL and Post-Auth ACL, the target AP learns the client-resolved IP from the serving AP.

Restrictions on DNS-based access control lists

Restrictions for DNS-based ACLs

  • ACLs are only supported for FlexConnect local switching APs with Central Authorization. Post-authentication DNS-based ACLs are not supported for FlexConnect with local Authorization when the AP operates in FlexConnect local switching mode.

  • Fully qualified domain name (FQDN) ACLs and DNS-based ACLs are not supported on Cisco Wave 1 Access Points.

  • The URL filter considers only the first 20 URLs, though you can add more. It uses regular regex patterns and permits wildcard characters only at the beginning or at the end of an URL. URL ACLs are defined and added to the FlexConnect policy profile, which is then associated with a WLAN. URL ACL creation follows a mechanism similar to local mode URL ACLs.

  • In FlexConnect mode, the URL domain ACL works only when it is connected to a FlexConnect policy profile. The ACL can be attached to a WLAN by associating the policy profile with either the WLAN or local policies. However, you can override it using 'url-redirect-acl'. When the Cisco AV pair is received from ISE, the required policy for a client is pushed as part of the ADD MOBILE message.

  • When an AP joins or when an existing URL ACL is modified and applied to a FlexConnect profile, the ACL definition, along with the mapped URL filter list, is pushed to the AP. The AP stores the URL ACL definition with the mapped ACL name and snoops DNS packets to learn the first IP address for each URL in the ACL. When the AP learns the IP addresses, it updates the controller of the URL and IP bindings. The controller records this information in the client database for future use.

  • When a client roams to another AP during the pre-authentication state, the learned IP addresses are pushed to a new AP. Otherwise, these learned IP addresses are purged when a client enters the post-authentication state or when the TTL for the learned IP address expires.

Flex Mode

Configuring the URL Filter List (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile flex custom-flex-profile

Example:

Device(config)# wireless profile flex custom-flex-profile

Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3

acl-policy acl-policy-name

Example:

Device(config-wireless-flex-profile)#acl-policy acl-policy-name

Configures the ACL policy description

Step 4

urlfilter list url-filterlist-name

Example:

Device(config-wireless-flex-profile-acl)# urlfilter list url-filterlist-name

Configures and applies the name of the URL filter list to the flex profile.

This is the Flex URL filter configuration command for ACL binding.

Configuring the URL Filter List (GUI)

Procedure

Step 1

Choose Configuration > Security > URL Filters.

The URL Filters page is displayed.

Step 2

Click the Add button.

The Add URL Filters window is displayed.

Step 3

From the Type drop-down list, choose either PRE-AUTH or POST-AUTH.

  1. POST-AUTH: Specify the Redirect Servers for IPv4 and IPv6.

Step 4

Use the slider to Permit or Deny the Action.

Step 5

Specify the URLs in the URLs field. Enter every URL on a new line.

Step 6

Click Apply to Device.

Applying Custom Pre-Auth DNS ACL on WLAN

For pre-auth, this configuration should be on a web-auth WLAN.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlanwlan-name wlan-id ssid-name

Example:

Device(config)# wlan wlan-name wlan-id ssid-name

Enters the WLAN configuration sub-mode.

1. wlan-name — Enter the profile name. The range is from 1 to 32 alphanumeric characters.

2. wlan-id—Enter the WLANID. The range is from 1 to 512.

3. SSID-name—Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID. If you have already configured WLAN, enter wlan wlan-name command.

Step 3

ip access-group web access-list-name

Example:

Device(config-wlan)#ip access-group web preauth-acl-wlan

Maps the ACL to the web auth WLAN. access-list-name is the IPv4 ACL name or ID.

Applying Custom Post-Auth DNS ACL on Policy Profile

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

Wireless profile policy profile-name

Example:

Device(config)# wireless profile policy custom-policy-profile
Creates policy profile for the WLAN.

Step 3

{ ipv4 | ipv6} acl post-acl-name

Example:

Device(config-wireless-policy)#ipv4 acl post-acl

Creates ACL configuration for wireless IPv4 or IPv6 configuration.

Configure ISE for central web authentication (GUI)

Perform these steps to configure ISE for Central Web Authentication using the GUI.

Procedure

Step 1

Login to the Cisco Identity Services Engine (ISE). Click Policy and then click Policy Elements. Click Results.

Step 2

Expand Authorization and click Authorization Profiles.

Step 3

Click Add to create a new authorization profile for URL filter.

Step 4

Enter a name for the profile in the Name field. For example, CentralWebauth.

Step 5

Select ACCESS_ACCEPT option from the Access Type drop-down list. Alternatively, in the Common Tasks section, check Web Redirection.

Step 6

Select the Centralized Web Auth option from the drop-down list. Specify the ACL and select the ACL value from the drop-down list.

Step 7

In the Advanced Attributes Setting section, select Cisco:cisco-av-pair from the drop-down list.

Note

 

Multiple ACL can be applied on the controller based on priority. In L2 Auth + webauth multi-auth scenario, if the ISE returns ACL during L2 Auth then ISE ACL takes precedence over the default webauth redirect ACL. This leads to traffic running in webauth pending state, if ISE ACL has permit rule. To avoid this scenario, you need to set the precedence for L2 Auth ISE returned ACL. The default webauth redirect ACL priority is 100. To avoid traffic issue, you need to configure the redirect ACL priority above 100 for ACL returned by ISE.

Step 8

Enter these one by one and click (+) icon after each of them:

  • url-redirect-acl=<sample_name>

  • url-redirect=<sample_redirect_URL>

    For example, 
    Cisco:cisco-av-pair = priv-lvl=15
Cisco:cisco-av-pair = url-redirect-acl=ACL-REDIRECT2
Cisco:cisco-av-pair = url-redirect=
https://9.10.8.247:port/portal/gateway?
sessionId=SessionIdValue&portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a&daysToExpiry=value&action=cwa

Step 9

Verify contents in the Attributes Details section and click Save.

Viewing DNS-Based Access Control Lists

Verifying the Access Point

To view the URL Lists, use the following command:

Device #show wireless urlacl-enhanced summary
URL-List
--------------------------------
urllist_ut
urllist_max1
urllist_max2
urllist_max3
urllist_max4
urllist_max5

To view the details of a particular URL List, use the following command:

Device#show wireless urlacl-enhanced details urllist_ut
List Name................. : urllist_ut
Configured List of URLs
URL                  Preference Action Validity Invalidated URL
-----------------------------------------------------------------------------
url1.dns.com         1                 PERMIT         VALID 0 
url2.dns.com         2                 DENY           VALID 0
url3.dns.com         3                 PERMIT         VALID 0 
url4.dns.com         4                 DENY           VALID 0 
url11.dns.com        6                 DENY           VALID 0 
url12.dns.com        7                 PERMIT         VALID 0 
url13.dns.com        8                 DENY           VALID 0 
www.example.com      14                PERMIT         VALID 0

To view the flex profile details, use the following command:

Device# sh wireless profile flex detailed custom-flex-profile
Flex Profile Name : custom-flex-profile 
Description : custom flex profile 
Local Auth :
        AP: 
                Radius Enable            : ENABLED 
                PEAP                     : DISABLED 
                LEAP                     : DISABLED 
                TLS                      : DISABLED 
                EAP fast profile         : Not Configured 
                User List                : Not Configured
        RADIUS: 
                RADIUS server group name : Not Configured
        Fallback Radio shut              : DISABLED 
        ARP caching                      : ENABLED 
        Efficient Image Upgrade          : ENABLED 
        OfficeExtend AP                  : DISABLED 
        Join min latency                 : DISABLED
        Policy ACL :
                ACL Name                         URL Filter List
        Name                 Central Webauth
        ---------------------------------------------------------------
        post-acl                urllist_ut        DISABLED
        pre_v4              urllist_pre_cwa   DISABLED
        ACL-REDIRECTTTTTTT2     urllist_ut        DISABLED
        VLAN Name - VLAN ID mapping       : Not Configured

To view client details, use the following command:

Device#sh wireless client mac-address <Mac-address> detail

To view the ACL configuration on the AP, use the following command:

Device# show ip access-lists
Extended IP access list pre_v4 
        1 permit udp any range 0 65535 any eq 53 
        2 permit tcp any range 0 65535 any eq 53 
        3 permit udp any dhcp_server any range 0 65535 
        4 permit udp any range 0 65535 any eq 68 
        5 permit udp any dhcp_client any range 0 65535 
        6 deny ip any any

To view the URL List configuration, use the following command:

Device#show flexconnect url-acl
ACL-NAME         ACTION         URL-LIST
pre_v4        
                 allow          test.dns.com
                 allow          url2.dns.com 
                 allow          url3.dns.com 
                 allow          url10.dns.com 
                 allow          url11.dns.com 
                 allow          www.cwapre.com 
                 allow          www.google.com 
                 allow          oldconfig.dns.com 
                 allow          *.cisco.com

To view pre-auth client configuration, use the following command:

Device# show client access-lists pre-auth all C0:C1:C0:70:58:2F
Pre-Auth URL ACLs for Client: C0:C1:C0:70:58:2F
IPv4 ACL: pre_v4
IPv6 ACL:
ACTION         URL-LIST
allow          url1.dns.com 
deny           url2.dns.com 
allow          url3.dns.com 
deny           url4.dns.com 
allow          www.example.com 
deny           url11.dns.com 
allow          url12.dns.com 
deny           url13.dns.com

Resolved IPs for Client: C0:C1:C0:70:58:2F
HIT-COUNT         URL         ACTION         IP-LIST
post-acl 
        rule 0:   allow true 
No IPv6 ACL found

To view post-auth client configuration, use the following command:

Device# show client access-lists post-auth all C0:C1:C0:70:58:2F
Post-Auth URL ACLs for Client: C0:C1:C0:70:58:2F 
IPv4 ACL: post-acl
IPv6 ACL:
ACTION         URL-LIST
allow          url1.dns.com 
deny           url2.dns.com 
allow          url3.dns.com 
deny           url4.dns.com 
allow          www.example.com 
deny           url11.dns.com 
allow          url12.dns.com 
deny           url13.dns.com

Resolved IPs for Client: C0:C1:C0:70:58:2F
HIT-COUNT         URL         ACTION         IP-LIST
post-acl 
        rule 0: allow true 
No IPv6 ACL found

To view the IPs learnt in pre-auth, use the following command:

Device#show client access-lists pre-auth all 60:14:B3:AA:C6:FB
Pre-Auth URL ACLs for Client: 60:14:B3:AA:C6:FB 
IPv4 ACL: acl_1
IPv6 ACL:
ACTION         URL-LIST 
allow          url1.dns.com 
deny           url2.dns.com

Resolved IPs for Client: 60:14:B3:AA:C5:FB
HIT-COUNT         URL                 ACTION         IP-LIST
10                url1.dns.com        allow          9.10.8.1

To view the IPs learnt in post-auth, use the following command:

Device#show client access-lists post-auth all 60:14:B3:AA:C6:FB
Post-Auth URL ACLs for Client: 60:14:B3:AA:C5:FB 
IPv4 ACL: post_acl
IPv6 ACL:
ACTION         URL-LIST
deny           url1.dns.com 
allow          url2.dns.com

Resolved IPs for Client: 60:14:B3:AA:C5:FB
HIT-COUNT         URL                 ACTION         IP-LIST
16                url2.dns.com        allow          9.10.9.1
postauth_acl 
          rule 0: allow true