Guest Anchor (Mobility) and FQDN ACL's not working

PWJPW
Level 1
We have a customer using webauth etc., but we're unable to get the FQDN ACL working properly. They are using a guest anchor (mobility).
 
We have set the ACL on both controllers and added the URLs to the ACL. If we remove the anchor and use the foreign controller, the same FQDN ACL works just fine. The version is 8.2.100.0 on both controllers.
 
Traffic does not appear to be allowed for any of these domains. If I add some IPs using the old IP ACL method, traffic is permitted.
 
Can you advise if FQDN ACLs are not supported when using a guest anchor, or if this is a bug?
 
Thank you,
 
James

4 Replies

Hello @PWJPW

I presume that the Foreign WLC is placed on the corporate network and probably has full access to a DNS service. What about the Anchor, which is probably in the DMZ, where most traffic is usually restricted? Can the Anchor reach a DNS service?

 

 

-If I helped you somehow, please, rate it as useful.-

Hi Flavio

 

Thanks for the reply.

 

Actually, the guest anchor has full Internet access, including DNS. If I allow standard IPs inside the ACL, the clients can reach the host names that resolve to those IPs. I also tested it in my lab, on two 2504 WLCs that are on the same LAN with full Internet/DNS, and I replicated the problem.

 

Any thoughts on whether FQDN ACLs are supposed to work when using an anchor?

 

Thanks

(Accepted Solution)

As per your description, the first thing that comes to mind is DNS. However, looking at Cisco documentation, I have found this restriction list:

Restrictions on DNS-based Access Control Lists
- Maximum of 10 URLs can be allowed for an access control list.
- On the Cisco WLC, 20 IP addresses are allowed for one client.
- Local authentication is not supported for FlexConnect APs.
- DNS-based ACLs are not supported on FlexConnect APs with Local Switching.
- DNS-based ACLs are not supported on Cisco 1130 and 1240 series access points.
- Authentication traffic has to go through the Cisco WLC for this feature to be supported, even if the DNS-based ACL is local to the AP.
- **If a client is anchored, be it auto-anchor or after roaming, DNS-based ACLs do not work.**

According to the last statement, it is not supported for anchored clients.

-If I helped you somehow, please, rate it as useful.-
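The workaround James describes, static IP rules in place of the FQDN entries, is mechanical enough to script. The following is an added example, not code from this thread or from Cisco: it takes a constructed FQDN-to-address map and emits AireOS 8.x ACL CLI, with one rule per direction because WLC ACLs are stateless. The `config acl rule` syntax and the 64-rule cap are assumptions to verify on your own controller. The example also makes the cost of the workaround visible: the rules pin whatever addresses resolved at generation time, so for CDN-hosted names they go stale and must be regenerated, which is exactly the gap DNS-based ACLs were meant to close.

```python
"""Fallback for an anchored guest WLAN: expand the walled-garden FQDN list
into a static IP-based AireOS ACL (the "old IP ACL method" from the thread)."""
import ipaddress

# Constructed sample input: the FQDNs the pre-auth ACL must permit and the
# addresses they resolved to when this was generated. Feed in your own
# resolver output; CDN-backed names change addresses, so the output goes
# stale and must be regenerated and reapplied.
RESOLVED = {
    "portal.example.com": ["198.51.100.10"],
    "cdn.example.net": ["203.0.113.5", "203.0.113.6"],
}

# Assumption: an AireOS ACL holds at most 64 rules. Confirm in the config
# guide for your release before relying on it.
MAX_RULES_PER_ACL = 64


def ip_acl_rules(acl_name, resolved, ports=(80, 443)):
    """Build the CLI for an IPv4 ACL permitting TCP to and from every resolved
    address on `ports`.

    Returns (cli_lines, rule_map) where rule_map[index] = (fqdn, ip, port,
    direction), so each numbered rule can be traced back to the name it
    stands in for. Raises ValueError on a non-IPv4 address or if the ACL
    would exceed MAX_RULES_PER_ACL.

    The 'config acl rule ...' syntax is AireOS 8.x as I recall it; check it
    with 'config acl rule ?' on the controller before pasting.
    """
    lines = [f"config acl create {acl_name}"]
    rule_map = {}
    idx = 0
    for fqdn in sorted(resolved):
        for ip in resolved[fqdn]:
            addr = ipaddress.ip_address(ip)  # rejects malformed input
            if addr.version != 4:
                raise ValueError(f"{fqdn}: {ip} is not IPv4; this helper emits IPv4 rules only")
            for port in ports:
                # WLC ACLs are stateless, so permit each flow in both directions:
                #   in  = wireless client -> network, the server is the destination
                #   out = network -> wireless client, the server is the source
                for direction, side in (("in", "destination"), ("out", "source")):
                    idx += 1
                    if idx > MAX_RULES_PER_ACL:
                        raise ValueError(
                            f"{acl_name}: needs more than {MAX_RULES_PER_ACL} rules; "
                            "trim the domain list")
                    lines += [
                        f"config acl rule add {acl_name} {idx}",
                        f"config acl rule direction {acl_name} {idx} {direction}",
                        f"config acl rule protocol {acl_name} {idx} 6",  # 6 = TCP
                        f"config acl rule {side} address {acl_name} {idx} {addr} 255.255.255.255",
                        f"config acl rule {side} port range {acl_name} {idx} {port} {port}",
                        f"config acl rule action {acl_name} {idx} permit",
                    ]
                    rule_map[idx] = (fqdn, str(addr), port, direction)
    # Anything not matched above is dropped by the ACL's implicit deny.
    lines.append(f"config acl apply {acl_name}")
    return lines, rule_map


if __name__ == "__main__":
    cli, rules = ip_acl_rules("GUEST-PREAUTH", RESOLVED)
    print("\n".join(cli))
    print(f"# {len(rules)} rules; rule 1 stands in for {rules[1]}")
```

Because the rules are keyed on addresses rather than names, re-run the script against fresh resolver output on a schedule and diff the result before applying it; a silent change at the CDN is otherwise indistinguishable, from the guest's point of view, from the original symptom in this thread.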

 

Good spot. That's a shame though...