02-01-2015 02:12 AM - edited 07-05-2021 02:23 AM
Hi,
Is it possible to block DNS queries before web authentication?
Thanks
02-01-2015 03:22 AM
You can achieve it through the pre-authentication access-list. If you are using a URL name for web authentication, then don't block the DNS queries before authentication.
CF
02-01-2015 09:39 AM
This is the pre-auth ACL:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
02-01-2015 08:55 PM
But if I block DNS before authentication, the client can't resolve the web server's IP address, so it will not be able to initiate the first SYN, so it will never be intercepted and authenticated.
I raised this issue because the security company that made the assessment said they can browse without authentication using some proxy that works on UDP port 53 (DNS): the controller will see only DNS traffic, but inside there is HTTP.
I believe we can't find a solution for this problem.
02-01-2015 11:31 PM
I don't know how an HTTP packet is encapsulated as UDP 53 traffic.
Can you try giving the web authentication URL as an IP address only, not in FQDN format, and then block all DNS in the pre-auth ACL? I.e., directly give the web server IP instead of the FQDN in the WLC. This way, the client will not need DNS resolution before web authentication.
Krishna
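The assessment finding above (HTTP carried inside UDP 53 past the pre-auth ACL) is a classic DNS tunnel. Where DNS has to stay open before authentication, the practical complement to the ACL is to watch the DNS queries themselves for tunnel-like traits: very long labels, high-entropy labels and record types such as TXT or NULL that carry arbitrary payload. The script below is an added example, not code from this thread or from Cisco; the "client_ip qname qtype" log format, the sample lines and the thresholds are all constructed assumptions, so adapt the parser to whatever your resolver or WLC actually exports.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query records (NOT real data): "client_ip qname qtype" per line.
# 10.1.1.7 issues long, high-entropy TXT queries under one domain, the shape a DNS tunnel produces.
SAMPLE_LOG = """\
10.1.1.5 www.example.com A
10.1.1.5 portal.example.com A
10.1.1.5 cdn.example.com AAAA
10.1.1.7 3k4j5l6m7n8o9p0q1r2s3t4u5v6w7x8y9z0a1b2c.tun.example.net TXT
10.1.1.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e.tun.example.net TXT
10.1.1.7 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9z0.tun.example.net TXT
10.1.1.7 portal.example.com A
10.1.1.9 mail.example.com MX
"""

# Record types that carry free-form payload and are rarely queried by ordinary browsing clients.
RARE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; encoded payload scores far higher than real words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_indicators(qname: str, qtype: str,
                     max_label_len: int = 30, entropy_threshold: float = 3.5) -> dict:
    """Evaluate one query against three tunnel indicators (thresholds are assumed, tune per network)."""
    labels = [lab for lab in qname.lower().rstrip(".").split(".") if lab]
    longest = max(labels, key=len) if labels else ""
    return {
        "long_label": len(longest) >= max_label_len,
        "high_entropy": shannon_entropy(longest) >= entropy_threshold,
        "rare_qtype": qtype.upper() in RARE_QTYPES,
    }


def is_suspicious(qname: str, qtype: str, min_indicators: int = 2) -> bool:
    """A single query is suspicious when at least two indicators fire (one alone is too noisy)."""
    return sum(query_indicators(qname, qtype).values()) >= min_indicators


def parse_log(text: str) -> list:
    """Parse the assumed three-column format, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def flag_clients(text: str, min_queries: int = 3, ratio: float = 0.5) -> dict:
    """Return {client_ip: suspicious_fraction} for clients whose DNS traffic looks tunnel-like.

    A client is flagged only once it has sent min_queries queries and at least `ratio`
    of them are suspicious, so a single odd lookup from a normal user is not reported.
    """
    totals = defaultdict(int)
    hits = defaultdict(int)
    for client, qname, qtype in parse_log(text):
        totals[client] += 1
        if is_suspicious(qname, qtype):
            hits[client] += 1
    return {
        client: hits[client] / totals[client]
        for client in totals
        if totals[client] >= min_queries and hits[client] / totals[client] >= ratio
    }


if __name__ == "__main__":
    for client, fraction in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {fraction:.0%} of pre-auth DNS queries look tunnel-like")
```

On the sample data only 10.1.1.7 is reported (3 of its 4 queries fire at least two indicators). The thresholds are deliberately conservative; in production you would also rate-limit or alert on the volume of pre-auth queries per client to the same second-level domain, since a tunnel needs many lookups to move any useful amount of data.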