https://community.cisco.com/t5/wireless/dns-based-acl-cwa-and-guest-anchor-controller/m-p/2490342#M26935 <P>Hi all</P><P>I am currently trying to use DNS Based ACL in our WLC test setup, but I am having some trouple.</P><P>When i try it out on our Guest Anchor setup with CWA and ISE it does not work.</P><P>Is there a limitation to DNS based ACLs I have missed here ?</P><P>Any good debug commands are also apreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Just a quick explanation of the setup.</P><P>One Guest Anchor controller with the guest WLAN attached, and a normal IP ACL that permits access to the ISE CWA page.</P><P>On the same ACL on the Anchor WLC I have added some URLs to permit access to fx. facebook.</P><P>&nbsp;</P><P>The WLAN and ACL are excatly the same on the Non-Guest-anchor controller.</P><P>&nbsp;</P><P>When i connect a client to a AP connected to the Non-guest-anchor controller, I get an IP in the right VLAN on the Anchor controller, and I am able to access the CWA page on ISE. - I can also see on both controllers, that the client has been applyed with the dns based acl by CWA / ISE.</P><P>But when i try to access Facebook I get a ssl error page.</P><P>If i connect the client to a AP connected to the Guest-anchor controller everything works.</P><P>I get the CWA page and am able to access Facebook.</P><P>&nbsp;</P><P>/Thomas</P><P>&nbsp;</P><P>PS:</P><P>Maybe im hitting a variant of bugID:&nbsp;<SPAN style="color: rgb(52, 52, 52); font-family: arial; font-size: 11px; line-height: 15.999600410461426px;">CSCul20184</SPAN></P> Mon, 05 Jul 2021 07:29:46 GMT Thomas Obbekaer Thomsen 2021-07-05T07:29:46Z https://community.cisco.com/t5/wireless/dns-based-acl-cwa-and-guest-anchor-controller/m-p/2490342#M26935 <P>Hi all</P><P>I am currently trying to use DNS Based ACL in our WLC test setup, but I am having some trouple.</P><P>When i try it out on our Guest Anchor setup with CWA and ISE it does not work.</P><P>Is there a limitation to DNS based ACLs I have missed here ?</P><P>Any good debug commands are also apreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Just a quick explanation of the setup.</P><P>One Guest Anchor controller with the guest WLAN attached, and a normal IP ACL that permits access to the ISE CWA page.</P><P>On the same ACL on the Anchor WLC I have added some URLs to permit access to fx. facebook.</P><P>&nbsp;</P><P>The WLAN and ACL are excatly the same on the Non-Guest-anchor controller.</P><P>&nbsp;</P><P>When i connect a client to a AP connected to the Non-guest-anchor controller, I get an IP in the right VLAN on the Anchor controller, and I am able to access the CWA page on ISE. - I can also see on both controllers, that the client has been applyed with the dns based acl by CWA / ISE.</P><P>But when i try to access Facebook I get a ssl error page.</P><P>If i connect the client to a AP connected to the Guest-anchor controller everything works.</P><P>I get the CWA page and am able to access Facebook.</P><P>&nbsp;</P><P>/Thomas</P><P>&nbsp;</P><P>PS:</P><P>Maybe im hitting a variant of bugID:&nbsp;<SPAN style="color: rgb(52, 52, 52); font-family: arial; font-size: 11px; line-height: 15.999600410461426px;">CSCul20184</SPAN></P> Mon, 05 Jul 2021 07:29:46 GMT https://community.cisco.com/t5/wireless/dns-based-acl-cwa-and-guest-anchor-controller/m-p/2490342#M26935 Thomas Obbekaer Thomsen 2021-07-05T07:29:46Z