block dns query before web authentication

ohassairi
Level 5

hi

 

Is it possible to block DNS queries before web authentication?

 

 

thanks

4 Replies

Cisco Freak
Level 4

You can achieve it through the pre-authentication access-list. If you are using a URL name for web authentication, then don't block the DNS queries before authentication.

 

CF

This is the pre-auth ACL:

 

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html

 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

But if I block DNS before authentication, the client can't resolve the web server's IP address, so it will not be able to initiate the first SYN, and so it will never be intercepted and authenticated.

I raised this issue because the security company that made the assessment said they can browse without authentication using some proxy that works on UDP port 53 (DNS): the controller will see only DNS traffic, but inside there is HTTP.

I believe we can't find a solution for this problem.

I don't know how an HTTP packet is encapsulated as UDP 53 traffic.

 

Can you try giving the web authentication address as an IP only and not in FQDN format, and then block all DNS in the pre-auth ACL? I.e., directly give the web server IP instead of the FQDN in the WLC. This way, the client will not need DNS resolution before web authentication.

 

Krishna
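As an added illustration (not part of this thread, and not Cisco WLC ACL syntax), the Python below models the two pre-auth policies discussed above for an unauthenticated client: the portal-by-IP policy, where UDP/53 is denied outright and the proxy-on-port-53 trick has nowhere to go, and the portal-by-FQDN policy, where UDP/53 has to be permitted and the most the network can do is check that what crosses port 53 is at least structurally a DNS query. The portal address 192.0.2.10 is an assumed placeholder and every packet is constructed sample input.

```python
"""Model of a captive-portal pre-auth ACL plus a structural sanity check on
UDP/53 payloads.  Constructed example; 192.0.2.10 is an assumed portal IP."""
import struct
from dataclasses import dataclass

PORTAL_IP = "192.0.2.10"          # assumed web-auth portal address
PORTAL_PORTS = (80, 443)


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def looks_like_dns(payload: bytes) -> bool:
    """Return True only if the payload is shaped like a single DNS query:
    12-byte header, QR=0, opcode QUERY, QDCOUNT=1, no answers/authority,
    a QNAME of <=63-byte labels terminated by a zero byte, then QTYPE/QCLASS.
    An HTTP request (e.g. b"GET http://...") fails the header checks."""
    if len(payload) < 12 or len(payload) > 512:
        return False
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:                  # QR set: a response, not a client query
        return False
    if (flags >> 11) & 0xF != 0:        # opcode must be 0 (QUERY)
        return False
    if qd != 1 or an != 0 or ns != 0 or ar > 1:   # ar==1 allows an EDNS OPT RR
        return False
    pos, name_len = 12, 0
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len > 63:              # also rejects 0xC0 compression pointers here
            return False
        name_len += label_len + 1
        if name_len > 253:
            return False
        pos += 1 + label_len
    if pos + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass not in (1, 255):          # IN or ANY
        return False
    if ar == 0 and pos + 4 != len(payload):   # trailing garbage with no OPT RR
        return False
    return True


def preauth_permits(pkt: Packet, portal_by_fqdn: bool) -> bool:
    """Decision an unauthenticated client's packet gets from the pre-auth ACL.
    portal_by_fqdn=False is Krishna's suggestion: portal configured by IP, so
    DNS is not needed and UDP/53 is denied.  portal_by_fqdn=True must open
    UDP/53, and then only the structural check stands between the client and
    a proxy rebound to port 53."""
    if pkt.proto == "tcp" and pkt.dst_ip == PORTAL_IP and pkt.dst_port in PORTAL_PORTS:
        return True
    if portal_by_fqdn and pkt.proto == "udp" and pkt.dst_port == 53:
        return looks_like_dns(pkt.payload)
    return False


def build_dns_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Build a well-formed DNS query (RD set) for use as sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


# Constructed sample traffic
HTTP_OVER_53 = Packet("udp", "203.0.113.5", 53,
                      b"GET http://example.net/ HTTP/1.1\r\nHost: example.net\r\n\r\n")
REAL_DNS = Packet("udp", "203.0.113.5", 53, build_dns_query("www.cisco.com"))
OVERSIZE_LABEL = Packet("udp", "203.0.113.5", 53, build_dns_query("a" * 70 + ".example.net"))
TO_PORTAL = Packet("tcp", PORTAL_IP, 443)
TO_INTERNET = Packet("tcp", "203.0.113.9", 80)

if __name__ == "__main__":
    for policy in (False, True):
        print(f"portal_by_fqdn={policy}:",
              [preauth_permits(p, policy) for p in (TO_PORTAL, TO_INTERNET, REAL_DNS, HTTP_OVER_53)])
```

The caveat a practitioner should keep in mind: `looks_like_dns` catches the crude case the assessor described (an HTTP proxy simply listening on UDP 53), but a purpose-built DNS tunnel emits syntactically valid queries with labels under 63 bytes and sails through a structural check. That is why the IP-only portal with UDP/53 denied pre-auth is the stronger answer; if DNS must stay open before authentication, the usual practice (an assumption here, not something this thread states) is to permit it only towards the resolver the WLC hands out to clients rather than to any destination.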
