DNS Access-lists on WLC 8.2

Roger Base
Level 1

Hi Everybody.

I am trying to get my DNS access-list to work on a 2502 WLC running 8.2 code. But for some reason it doesn't work in the Pre_auth (NAC access phase) of the guest solution. The guest users are being redirected to my portal page. (I am using layer 2 security where ISE sends the redirect and ACL AV pairs back to the WLC.) Does anybody know why this doesn't work with DNS access-lists?

(My pre_auth acl does contain both IP address and DNS names)

Btw, what I want to do is give my guest users access to my portal page (login page with redirection), but they should also be able to access certain websites, for example cnn.com/2015/news, before they are actually authenticated. After authentication they should have full access, which works without any problems.

6 Replies

Francesco Molino
VIP Alumni

Hi

Which version are you using? 

There was a bug (CSCus61445) and normally it should be solved in the latest release.

Have a look here: 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus61445

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

As already mentioned, I am using code 8.2, which shouldn't be affected by that bug.

Hi

Did you take client debugs on the WLC to see if it's working?

Could you maybe paste the debug?

Otherwise you'll need to check with TAC if you're facing the issue even after applying the bug fix.


Thanks
Francesco

Yes. The only thing I see in the debug regarding the access-list is this:

*apfReceiveTask: Jul 13 11:21:08.608: 00:24:d7:2f:5d:08 Sending DNS Snooping - snooping[1] Virtual IP[192.0.2.1] Acl[Pre_External_Auth]

Is there any debug command that shows when access-lists are allowing or denying on the WLC?

You can try debug packet logging acl ip or do a packet capture. 

Could you paste your acl just to have a look? Otherwise you'll need to call TAC. 


Thanks
Francesco

mohanak
Cisco Employee