Thanks Jason.

I just had one clarification and I think the below link talks about it.

https://community.cisco.com/t5/wireless-mobility-documents/central-web-authentication-cwa-for-guests-with-ise/ta-p/3121101

"This ACL will be referenced in the access-accept of the ISE and will define what traffic should be redirected (denied by ACL), and what traffic shouldn't (permitted by the ACL"

The above statement does not mention that the ACL will also act as a pre-auth ACL.

I guess the customer was expecting the ACL to also block traffic and this was brought up in their pen testing.

They had only their internal DNS server permitted in the ACL and the pen tester was able to query public DNS server. 

Attached is the screenshot.

I have redacted IPs to and from their DNS server.

They are able to perform nslookup against 8.8.8.8.

In addition to explicitly allowing your DNS servers, you also need another ACL near the bottom to deny any other DNS traffic.

There should be an implicit deny all at the end, but maybe the WLCs don't do that for redirect ACLs.  I always put a deny all at the end of the redirect ACL.

Umahar, also you can clean up that ACL a bit.  You don't need to put both directions in the ACL if you make your first line:

permit any any direction outbound

We don't care about the outbound direction (network->client).  We only care about inbound.  I always cringe when I see both directions in the ACL.  Makes it a bit tougher to read and doubles your chance to make a typo.

Just to give you an example here is my standard redirect ACL with subnet erased.

Thanks Hosuk and Paul. 

Just tried in my lab and I was able to block adding a Deny.

The only reason I went thinking into this direction because the Wireless expert mentioned earlier that no implicit deny is required and I ruled that out.

When endpoint is in WebAuth state the pre-auth ACL allows DNS traffic even with implicit deny. So you need to specify deny statement at the end to deny DNS to other untrusted DNS servers. Either deny any or deny DNS works.