topic Re: Restrict DNS traffic during web redirection pre-auth phase in Network Access Control

Restrict DNS traffic during web redirection pre-auth phase

umahar — Fri, 12 Oct 2018 21:01:08 GMT

Hi,

Its my understanding that the redirection URL only dictates what URL traffic has to be exempted.

It will not restrict DNS traffic to certain IPs (only internal and external DNS).

Is my understanding correct for WLC as well ?

What are various ways we can restrict DNS traffic on WLC during pre-auth phase for guest since WLC does not support DACL

Re: Restrict DNS traffic during web redirection pre-auth phase

Jason Kunst — Fri, 12 Oct 2018 21:18:00 GMT

Are you asking how to restrict what sites someone can get to? With the WLC did you look into the DNS based ACLs?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163

This is shown in the ISE how to byod guide as an example
https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Re: Restrict DNS traffic during web redirection pre-auth phase

umahar — Mon, 15 Oct 2018 15:08:50 GMT

Thanks Jason.

I just had one clarification and I think the below link talks about it.

https://community.cisco.com/t5/wireless-mobility-documents/central-web-authentication-cwa-for-guests-with-ise/ta-p/3121101

"This ACL will be referenced in the access-accept of the ISE and will define what traffic should be redirected (denied by ACL), and what traffic shouldn't (permitted by the ACL"

The above statement does not mention that the ACL will also act as a pre-auth ACL.

I guess the customer was expecting the ACL to also block traffic and this was brought up in their pen testing.

They had only their internal DNS server permitted in the ACL and the pen tester was able to query public DNS server.

Re: Restrict DNS traffic during web redirection pre-auth phase

paul — Mon, 15 Oct 2018 15:26:12 GMT

The ACL will block if written correctly. If you write the ACL as:

permit DNS to desired DNS servers

permit traffic to ISE PSNs

deny all other traffic

Nothing else should get through. Is that not what you are seeing? Can you send a screen shot of your redirect ACL?

Re: Restrict DNS traffic during web redirection pre-auth phase

umahar — Mon, 15 Oct 2018 15:47:47 GMT

Attached is the screenshot.

I have redacted IPs to and from their DNS server.

They are able to perform nslookup against 8.8.8.8.

Re: Restrict DNS traffic during web redirection pre-auth phase

howon — Mon, 15 Oct 2018 15:45:04 GMT

In addition to explicitly allowing your DNS servers, you also need another ACL near the bottom to deny any other DNS traffic.

Re: Restrict DNS traffic during web redirection pre-auth phase

paul — Mon, 15 Oct 2018 15:50:27 GMT

There should be an implicit deny all at the end, but maybe the WLCs don't do that for redirect ACLs. I always put a deny all at the end of the redirect ACL.

Umahar, also you can clean up that ACL a bit. You don't need to put both directions in the ACL if you make your first line:

permit any any direction outbound

We don't care about the outbound direction (network->client). We only care about inbound. I always cringe when I see both directions in the ACL. Makes it a bit tougher to read and doubles your chance to make a typo.

Re: Restrict DNS traffic during web redirection pre-auth phase

paul — Mon, 15 Oct 2018 15:55:41 GMT

Just to give you an example here is my standard redirect ACL with subnet erased.

Re: Restrict DNS traffic during web redirection pre-auth phase

howon — Mon, 15 Oct 2018 16:45:12 GMT

When endpoint is in WebAuth state the pre-auth ACL allows DNS traffic even with implicit deny. So you need to specify deny statement at the end to deny DNS to other untrusted DNS servers. Either deny any or deny DNS works.

Re: Restrict DNS traffic during web redirection pre-auth phase

umahar — Mon, 15 Oct 2018 16:55:37 GMT

Thanks Hosuk and Paul.

Just tried in my lab and I was able to block adding a Deny.

The only reason I went thinking into this direction because the Wireless expert mentioned earlier that no implicit deny is required and I ruled that out.