Hi.
I'm trying to understand and use the FQDN ACL on the IOS-XE platform. Has anyone tried this?
What I'm trying to achieve is allowing Android clients to download the native supplicant software from the Google Play store without having an ACL with a lot of IP addresses. The documentation of the FQDN ACL is very slim and not much help.
Desired result: Clients are allowed to go to play.google.com and android.clients.google.com, but everything else has to be redirected to ISE.
ip access-list extended NSP
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny udp any any eq domain
deny tcp any any eq domain
deny icmp any any
deny ip any host A.B.C.D
permit ip any any
exit
!
passthru-domain-list NSP
match play.google.com
match android.clients.google.com
exit
!
access-session passthru-access-group NSP passthru-domain-list NSP
Host A.B.C.D is the ISE node. I've verified that the client gets the ACL, but it isn't allowed to go to play.google.com, so the passthru is misconfigured or doesn't work.
I'm running ISE 1.3 with a 3650.
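As an added illustration (not part of the original post, and not Cisco's implementation), the following Python model shows how a redirect ACL and an FQDN passthrough list are commonly understood to interact: the ACL is evaluated top-down with first match winning, a `permit` entry means "redirect this flow to ISE", a `deny` entry means "let it through untouched", and a hostname on the passthrough domain list bypasses redirection regardless of the ACL. The ACL text is copied from the post above; the ISE address 192.0.2.10 (standing in for A.B.C.D), the client and server addresses, and the function names are constructed for the example.

```python
"""Model of redirect-ACL plus FQDN-passthrough evaluation (illustrative only).

Assumed semantics, which are a common convention for ISE redirect ACLs and
are NOT taken from the post or from Cisco documentation:
  - the ACL is evaluated top-down, first match wins, implicit deny at the end;
  - 'permit' in a redirect ACL means "redirect", 'deny' means "bypass";
  - a flow whose resolved hostname is on the passthrough list is bypassed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names that appear in the ACL from the post.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# Constructed stand-in for the ISE node written as A.B.C.D in the post.
ISE_NODE = "192.0.2.10"

# ACL body copied from the post (the ISE address substituted with the stand-in).
ACL_TEXT = f"""
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny udp any any eq domain
deny tcp any any eq domain
deny icmp any any
deny ip any host {ISE_NODE}
permit ip any any
"""

# Passthrough domain list from the post.
PASSTHRU_DOMAINS = ["play.google.com", "android.clients.google.com"]


@dataclass
class Flow:
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    host: Optional[str] = None  # FQDN the client resolved for dst, if known


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a single host address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.src != "any" and self.src != f.src:
            return False
        if self.dst != "any" and self.dst != f.dst:
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry of the shape used in the post:
    <action> <proto> <src> [eq <port>] <dst> [eq <port>]"""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def addr() -> str:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        if toks[i] == "host":
            i += 2
            return toks[i - 1]
        raise ValueError(f"unsupported address token {toks[i]!r} in {line!r}")

    def port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            i += 2
            return int(name) if name.isdigit() else PORT_NAMES[name]
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Ace(action, proto, src, dst, sport, dport)


def build_acl(text: str = ACL_TEXT) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def classify(f: Flow, acl: Optional[List[Ace]] = None,
             passthru: Optional[List[str]] = None) -> str:
    """Return 'bypass' (not redirected) or 'redirect' (sent to ISE)."""
    acl = build_acl() if acl is None else acl
    passthru = PASSTHRU_DOMAINS if passthru is None else passthru
    # Assumed: the FQDN passthrough list is consulted before the ACL.
    if f.host is not None and f.host in passthru:
        return "bypass"
    for ace in acl:
        if ace.matches(f):
            return "redirect" if ace.action == "permit" else "bypass"
    return "bypass"  # implicit deny: nothing matched, so no redirect


if __name__ == "__main__":
    # Constructed sample flows from a client at 10.0.0.5.
    samples = [
        Flow("udp", "10.0.0.5", "10.0.0.1", 5353, 53),                        # DNS
        Flow("tcp", "10.0.0.5", ISE_NODE, 51002, 8443),                       # ISE portal
        Flow("tcp", "10.0.0.5", "203.0.113.10", 51000, 443, "play.google.com"),
        Flow("tcp", "10.0.0.5", "203.0.113.80", 51001, 80, "www.example.com"),
    ]
    for s in samples:
        print(f"{s.proto}/{s.dport} -> {s.host or s.dst}: {classify(s)}")
```

Running the block prints which of the four constructed flows would be redirected: DNS, traffic to the ISE node and the Play Store hostname are bypassed, and ordinary web traffic hits `permit ip any any` and is redirected. The model only reproduces the intended decision logic; it says nothing about why the passthru does not take effect on the 3650 in the post.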