robertbrink1
Beginner

FQDN ACL on 3650/3850 with centralized webauth

Hi.

I'm trying to understand and use the FQDN ACL on the IOS-XE platform. Has anyone tried this?

What I'm trying to achieve is allowing Android clients to download the native supplicant software from the Google Play store without having an ACL with a lot of IP addresses. The documentation of the FQDN ACL is very slim and not much help.

Desired result: clients are allowed to go to play.google.com and android.clients.google.com, but everything else has to be redirected to ISE.

ip access-list extended NSP
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   icmp any any
 deny   ip any host A.B.C.D
 permit ip any any
 exit
 !
passthru-domain-list NSP
match play.google.com
match android.clients.google.com
exit
!
access-session passthru-access-group NSP passthru-domain-list NSP

Host A.B.C.D is the ISE node. I've verified that the client gets the ACL, but it isn't allowed to go to play.google.com, so the passthru is misconfigured or doesn't work.

I'm running ISE 1.3 with a 3650.

gupn
Cisco Employee

Hi,

If my understanding is correct, then as part of the Access-Accept you would be sending url-redirect and url-redirect-acl as VSA strings from ISE. As part of the Access-Accept, please send this Cisco VSA string: "fqdn-acl-name=NSP". With this the feature would work. Please also note that this feature is for wireless clients only.

Thank you,

Gururaja Pn
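To make the reply concrete, here is a small Python model, added for illustration and not code from the thread or from Cisco, of how the redirect ACL and passthru domain list from the question decide whether a client's flow is redirected. It assumes the usual redirect-ACL semantics (deny = bypass the redirect, permit = redirect), that the passthru domain list is only consulted when the Access-Accept carries the fqdn-acl-name AV pair as the reply states, and it uses 192.0.2.10 as a placeholder for the ISE node A.B.C.D together with constructed flows and AV pairs.

```python
from dataclasses import dataclass
from typing import Optional

ISE_NODE = "192.0.2.10"  # constructed placeholder for host A.B.C.D in the post

@dataclass(frozen=True)
class Flow:
    proto: str                       # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    dst_fqdn: Optional[str] = None   # name the client resolved for dst_ip (DNS snooping)

# Redirect ACL "NSP" from the question: (action, proto, src_port, dst_ip, dst_port);
# None means "any". deny = bypass the redirect, permit = redirect to ISE.
REDIRECT_ACL_NSP = [
    ("deny",   "udp",  67,   None,     None),  # deny udp any eq bootps any
    ("deny",   "udp",  None, None,     68),    # deny udp any any eq bootpc
    ("deny",   "udp",  68,   None,     None),  # deny udp any eq bootpc any
    ("deny",   "udp",  None, None,     53),    # deny udp any any eq domain
    ("deny",   "tcp",  None, None,     53),    # deny tcp any any eq domain
    ("deny",   "icmp", None, None,     None),  # deny icmp any any
    ("deny",   "ip",   None, ISE_NODE, None),  # deny ip any host A.B.C.D
    ("permit", "ip",   None, None,     None),  # permit ip any any
]
PASSTHRU_DOMAIN_LIST_NSP = {"play.google.com", "android.clients.google.com"}

def ace_matches(ace, flow: Flow) -> bool:
    _, proto, sport, dip, dport = ace
    return ((proto == "ip" or proto == flow.proto)
            and (sport is None or sport == flow.src_port)
            and (dip is None or dip == flow.dst_ip)
            and (dport is None or dport == flow.dst_port))

def decide(flow: Flow, av_pairs) -> str:
    """'redirect' if the flow is sent to the web-auth portal, else 'forward'.
    av_pairs: the cisco-av-pair values carried in the RADIUS Access-Accept."""
    if "url-redirect-acl=NSP" not in av_pairs:
        return "forward"                   # no redirect ACL bound to the session
    # Per the reply: the domain list is only honoured when ISE also sends fqdn-acl-name
    if "fqdn-acl-name=NSP" in av_pairs and flow.dst_fqdn in PASSTHRU_DOMAIN_LIST_NSP:
        return "forward"
    for ace in REDIRECT_ACL_NSP:
        if ace_matches(ace, flow):
            return "redirect" if ace[0] == "permit" else "forward"
    return "forward"                       # implicit deny at the end: not redirected

# Constructed AV pairs and flow reproducing the symptom described in the question
WITHOUT_FQDN = ["url-redirect=https://ise.example.invalid:8443/portal/gateway", "url-redirect-acl=NSP"]
WITH_FQDN = WITHOUT_FQDN + ["fqdn-acl-name=NSP"]
PLAY_STORE = Flow("tcp", "203.0.113.20", 443, 51000, "play.google.com")  # decide -> redirect / forward
```

Running decide(PLAY_STORE, WITHOUT_FQDN) gives "redirect" (the poster's symptom) while decide(PLAY_STORE, WITH_FQDN) gives "forward"; DHCP, DNS and traffic to the ISE node bypass the redirect in both cases.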
