FQDN ACL on 3650/3850 with centralized webauth

robertbrink1 · ‎03-25-2015

Hi.

I'm trying to understand and use the fqdn acl on the IOS-XE platform. Has anyone tried this?

What Im trying to achieve is allowing android clients to download the native supplicant software from Google Play store without having a ACL with alot of IP addresses. The documentation of fqdn acl is very slim and not so much help.

Desired result: Clients are allowed to go to play.google.com and android.clients.google.com, but everything else has to be redirected to ISE.

ip access-list extended NSP
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
deny udp any any eq domain
deny tcp any any eq domain
deny icmp any any
deny ip any host A.B.C.D
permit ip any any
exit
!
passthru-domain-list NSP
match play.google.com
match android.clients.google.com
exit
!
access-session passthru-access-group NSP passthru-domain-list NSP

Host A.B.C.D is the ISE node. I've verified that the client gets the ACL, but it isnt allowed to go to play.google.com so the passthru is misconfigured or doenst work.

Im running ISE 1.3 with 3650.

gupn · ‎07-21-2016

Hi,

If my understanding is correct then as part of access-accept you would be sending url-redirect and url-redirect-acl as vsa string from ise. As part of access-accept, please send this cisco vsa string, "fqdn-acl-name=NSP". With this the feature would work. Please also note that this feature is for wireless clients only.

Thank you,

Gururaja Pn