10-30-2017 02:31 AM - edited 07-05-2021 07:47 AM
10-30-2017 06:31 AM
As per your description, the first thing that comes to mind is DNS; however, looking at the Cisco documentation, I found this restriction list:

Restrictions on DNS-based Access Control Lists:
- Maximum of 10 URLs can be allowed for an access control list.
- On the Cisco WLC, 20 IP addresses are allowed for one client.
- Local authentication is not supported for FlexConnect APs.
- DNS-based ACLs are not supported on FlexConnect APs with Local Switching.
- DNS-based ACLs are not supported on Cisco 1130 and 1240 series access points.
- Authentication traffic has to go through the Cisco WLC for this feature to be supported, even if the DNS-based ACL is local to the AP.
- **If a client is anchored, be it auto-anchor or after roaming, DNS-based ACLs do not work.**

According to the last statement, it is not supported for anchored clients.
-If I helped you somehow, please rate it as useful.-
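To make the two numeric restrictions quoted above concrete (10 URLs per ACL, 20 learned IP addresses per client) and the anchored-client case the thread is about, here is a small simulation added for this thread. It is not Cisco code and does not reproduce the WLC's internals; it assumes the model the feature's name implies: the controller watches DNS replies for the permitted hostnames and installs the A-record addresses into that client's allow list. Hostname matching is exact (case-insensitive), the DNS replies are constructed sample data, and `DnsAcl`, `build_dns_response` and `parse_a_records` are names chosen here, not WLC CLI or API names.

```python
import struct

MAX_URLS_PER_ACL = 10      # restriction quoted from the Cisco list above
MAX_IPS_PER_CLIENT = 20    # restriction quoted from the Cisco list above


def _encode_name(name):
    """Encode a hostname as DNS labels (wire format)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(qname, addresses, txid=0x1234):
    """Build a minimal DNS response with one question and one A record per address.
    Constructed sample data for the simulation, not captured traffic."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    answers = b""
    for addr in addresses:
        # 0xC00C = compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += bytes(int(octet) for octet in addr.split("."))
    return header + question + answers


def _parse_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg):
    """Return [(owner_name, ipv4)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _name, offset = _parse_name(msg, offset)
        offset += 4                                     # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata)))
    return records


class DnsAcl:
    """Simulated DNS-based ACL: permitted hostnames plus per-client learned IPs."""

    def __init__(self, name, urls):
        if len(urls) > MAX_URLS_PER_ACL:
            raise ValueError("%s: at most %d URLs per DNS-based ACL" % (name, MAX_URLS_PER_ACL))
        self.name = name
        self.urls = {u.lower().strip(".") for u in urls}
        self.learned = {}                               # client MAC -> [ip, ...]

    def snoop(self, client_mac, dns_response, anchored=False):
        """Learn addresses from a DNS reply seen for client_mac; return the IPs newly installed.
        An anchored client learns nothing, mirroring the quoted restriction."""
        if anchored:
            return []
        learned = self.learned.setdefault(client_mac, [])
        added = []
        for owner, ip in parse_a_records(dns_response):
            if owner.lower() not in self.urls or ip in learned:
                continue
            if len(learned) >= MAX_IPS_PER_CLIENT:
                break                                   # per-client cap reached
            learned.append(ip)
            added.append(ip)
        return added

    def permits(self, client_mac, dst_ip):
        """True if dst_ip has been learned for this client (pre-auth traffic would be allowed)."""
        return dst_ip in self.learned.get(client_mac, [])


if __name__ == "__main__":
    acl = DnsAcl("guest-preauth", ["portal.example.com"])
    reply = build_dns_response("portal.example.com", ["203.0.113.10", "203.0.113.11"])
    print("learned:", acl.snoop("aa:bb:cc:00:00:01", reply))
    print("anchored client learned:", acl.snoop("aa:bb:cc:00:00:02", reply, anchored=True))
```

The `anchored=True` path is the thread's symptom in miniature: the same DNS reply that populates a foreign-only client's allow list leaves an anchored client with no learned addresses, which is why allowing the resolved IPs statically (as the original poster did) works while the FQDN entries do not.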
10-30-2017 05:55 AM
Hello @PWJPW
I presume that the Foreign WLC is placed on the corporate network and probably has full access to a DNS service. What about the Anchor, which is probably on the DMZ, where most traffic is usually restricted? Can the Anchor reach a DNS service?
-If I helped you somehow, please rate it as useful.-
10-30-2017 06:20 AM
Hi Flavio
Thanks for the reply.
Actually, the guest anchor has full Internet access, including DNS. If I allow standard IPs inside the ACL, the clients can reach the host names that resolve to those IPs. I also tested it in my lab, on two 2504 WLCs that are on the same LAN with full Internet/DNS, and I replicated the problem.
Any thoughts on whether FQDN ACLs are supposed to work when using an anchor?
Thanks
10-30-2017 07:59 AM