DNAC Wireless External Webauth

dm2020
Level 1

Hi All,


I'm hitting a frustrating issue that I cannot find a fix/workaround for.


I have configured a Guest SSID in DNA Center using External Webauth. DNAC configures all of the main parameters on the WLC correctly (WLAN, Profile Policy, Webauth Parameters etc.), however one thing that DNAC doesn't configure correctly is the Preauth ACL which is applied to the WLAN itself. The Preauth ACL is restricting DNS traffic to the DNS servers that are configured in DNAC under our global site (Design -> Network Settings -> Network). Now these DNS servers are internal and not the ones that we plan to use for guest (Google DNS in this case) so they cannot be reached by guest users, which causes External Webauth to break. If I change the DNS servers (Design -> Network Settings -> Network) to 8.8.8.8 then the Preauth ACL is configured correctly and External Webauth works, however DNAC then configures the following on the WLC and switches within the network, which breaks connectivity for various services that require DNS resolution (trustpoint CRL check for example).


ip name-server 8.8.8.8


I've tried removing the preauth ACL and configuring a template to add an entry to the ACL to permit Google DNS, however after provisioning the WLC, the preauth ACL is reverted back. Are there any workarounds to this?! It seems a bit short-sighted that the DNS servers that you plan to use for the infrastructure (ip name-server x.x.x.x on the WLC and switches etc.) have to be the same DNS servers that you plan to use for Guest wireless. Am I missing something here?


2 Replies

Preston Chilcote
Cisco Employee

I don't believe there is a way today to have Cisco DNA use a custom preauth ACL. But, I think you can manually configure the preauth ACL that you need under a different name and Cisco DNA won't touch it.


Your use case is quite common, so please use the Make a Wish feature in the GUI to put it on the radar of the product managers.

Hi @Preston Chilcote


Thanks for the response. I tried creating a new preauth ACL and attaching it to the WLAN, however DNAC keeps changing it back to the preauth ACL that it configures.


I have been doing some testing and the only way that I can get this to work is by configuring a template to add an entry to the automated preauth ACL to permit DNS to Google and then ensuring that the template is always applied when provisioning the WLC. It appears that templates are the last to be applied, which results in the preauth ACL being configured to my needs.


I will add this to the Make a Wish feature as it's going to be a common requirement to use different DNS servers for different Guest WLANs that are provisioned on the same WLC.
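The workaround in the reply above (a template that adds a DNS permit to the automated preauth ACL and is applied after provisioning) is only as good as the check that the entry survived the next provisioning run and actually sits in a reachable position. The following Python script is an added example, not code from the thread, from the poster or from Cisco. It parses IOS-XE extended ACLs out of running-config text, reports which guest resolvers the preauth ACL does not permit, renders the lines a template would need to add (with sequence numbers below the ACL's first deny, so they are evaluated before the deny-all), and lists the `ip name-server` entries so the infrastructure resolvers can be compared against the guest ones. The ACL name, the internal resolver 10.10.10.53, the portal host 192.0.2.10 and the running-config fragment are constructed placeholders; Google DNS is assumed as the guest resolver, as in the thread.

```python
# Added example (not code from the thread or from Cisco): parse IOS-XE extended
# ACLs from running-config text, find which guest resolvers the preauth ACL does
# not permit, and render the template lines that would add them.
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample running-config fragment; the ACL name, the internal
# resolver 10.10.10.53 and the portal host 192.0.2.10 are placeholders.
SAMPLE_RUNNING_CONFIG = """\
ip access-list extended GUEST_PREAUTH_ACL_PLACEHOLDER
 10 permit udp any host 10.10.10.53 eq domain
 20 permit udp host 10.10.10.53 eq domain any
 30 permit tcp any host 192.0.2.10 eq 443
 40 deny ip any any
!
ip name-server 10.10.10.53
"""
ACL_NAME = "GUEST_PREAUTH_ACL_PLACEHOLDER"
GUEST_DNS_SERVERS = ["8.8.8.8", "8.8.4.4"]  # assumed guest resolvers (Google DNS)

class Ace(NamedTuple):
    seq: Optional[int]  # sequence number, None if the line had none
    action: str         # "permit" or "deny"
    proto: str          # "udp", "tcp", "ip", ...
    rest: str           # e.g. "any host 8.8.8.8 eq domain"

ACL_HEADER_RE = re.compile(r"^ip access-list extended (\S+)\s*$")
ACE_RE = re.compile(r"^\s+(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
                    r"(?P<proto>\S+)\s+(?P<rest>\S.*?)\s*$")

def parse_extended_acls(config: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} for every extended ACL in the text."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        header = ACL_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # '!' or the next top-level command ends the block
            current = None
            continue
        m = ACE_RE.match(line)
        if m:
            seq = int(m.group("seq")) if m.group("seq") else None
            acls[current].append(Ace(seq, m.group("action"), m.group("proto"), m.group("rest")))
    return acls

def dns_permitted(aces: List[Ace], server: str) -> bool:
    """True if UDP/53 from any client to `server` is permitted before a deny-all.
    A permit appended after `deny ip any any` (what a template does when it
    omits the sequence number) never matches, so it counts as missing."""
    for ace in aces:
        if ace.action == "permit" and ace.proto == "udp" and ace.rest == f"any host {server} eq domain":
            return True
        if ace.action == "deny" and ace.proto == "ip" and ace.rest == "any any":
            return False
    return False

def missing_guest_dns(config: str, acl_name: str, servers: List[str]) -> List[str]:
    """Guest resolvers the named preauth ACL does not reachably permit."""
    aces = parse_extended_acls(config).get(acl_name, [])
    return [s for s in servers if not dns_permitted(aces, s)]

def remediation_lines(config: str, acl_name: str, servers: List[str]) -> List[str]:
    """Template lines permitting DNS both ways to each missing resolver, with
    sequence numbers taken from the free numbers below the first deny."""
    aces = parse_extended_acls(config).get(acl_name, [])
    used = {a.seq for a in aces if a.seq is not None}
    denies = [a.seq for a in aces if a.action == "deny" and a.seq is not None]
    ceiling = min(denies) if denies else float("inf")
    out, seq = [f"ip access-list extended {acl_name}"], 1
    for server in missing_guest_dns(config, acl_name, servers):
        for text in (f"permit udp any host {server} eq domain",
                     f"permit udp host {server} eq domain any"):
            while seq in used:
                seq += 1
            if seq >= ceiling:
                raise ValueError("no free sequence number below the first deny; resequence the ACL")
            out.append(f" {seq} {text}")
            used.add(seq)
    return out

def name_servers(config: str) -> List[str]:
    """Resolvers configured with `ip name-server`, i.e. what the infrastructure uses."""
    found: List[str] = []
    for line in config.splitlines():
        m = re.match(r"^ip name-server (.+)$", line.strip())
        if m:
            found.extend(m.group(1).split())
    return found

if __name__ == "__main__":
    print("not permitted:", missing_guest_dns(SAMPLE_RUNNING_CONFIG, ACL_NAME, GUEST_DNS_SERVERS))
    print("infrastructure resolvers:", name_servers(SAMPLE_RUNNING_CONFIG))
    print("\n".join(remediation_lines(SAMPLE_RUNNING_CONFIG, ACL_NAME, GUEST_DNS_SERVERS)))
```

Run it against the output of `show running-config` pulled after each provisioning run; a non-empty result from `missing_guest_dns` means DNAC reverted the ACL again or the template's entry landed after the deny. The sequence-number handling is the part worth copying into the template itself: an ACE added without a number is appended at the end of the ACL, behind any explicit deny, and silently does nothing.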