cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

Using DNS-Based ACL for Chromebooks and Android Devices

1858
Views
13
Helpful
2
Comments

ISE BYOD allows administrators to push digital certificates and network settings to the personal endpoints that user brings in to the managed network in a secure way. For Android device and Chromebook, it requires endpoint access to the Google playstore and Chrome extensions while going through the ISE BYOD process. This is different from Apple iDevice, MacOSX, and Windows BYOD process. For Apple iDevice ISE leverages native OTA capabilities to provision certificates and network settings, and for MacOSX and Windows ISE provides Network Setup Assistant that is pushed to the endpoint locally from the ISE node which does not require endpoint access beyond the ISE node itself.

To allow the Android devices and Chromebook to download the Network Setup Assistant, the easiest way to control access to the Google playstore and Chrome extension is via DNS ACL feature available on Cisco WLC 7.6 and above. This feature works by snooping the endpoint DNS request from the AP and dynamically inserting IP ACL for the DNS response that endpoint gets from the DNS server. Aside from the WLC version, here are additional notes around this feature:

  • The ACL prepends and appends wildcard which means a string value of .google.co will match play.google.com and also www.google.co.ca
  • Not supported on FlexConnect locally switched WLAN
  • Not supported on auto-anchored WLAN
  • WLC AireOS version 8.2 and above can support up to 20 DNS ACE while previous versions can support up to 10 DNS ACE

Due to the last note above, it is important to craft an ACL that is less than 10 ACE to support an environment with different version of WLC. Here is an ACL that works for both the android devices and Chromebooks:

.google.co

accounts.youtube.com

gstatic.com

.googleapis.com

.appspot.com

ggpht.com

gvt1.com

market.android.com

android.pool.ntp.org

.googleusercontent.com

.google-analytics.com

If the ACL is used for Android devices only and not for Chromebooks, then last two ACE can be removed. If additional space for entry is needed then android.pool.ntp.org can also be replaced with an IP based ACE to allow NTP traffic.

For more information on the DNS ACL please check out the Cisco WLC 7.6 release note:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#d137582e1794a1635

Comments
Enthusiast

Do these ACL DNS exclusions allow the device to be enrolled to the Google Admin panel through the Chrome-MAB SSID?  Or does the first time Google Admin device enrollment need to take place on another network?

Thank you for all of the detailed guides on ISE and Chromebook on-boarding!

Cisco Employee

The ACL referenced above allows Chromebook enrollment.