DNS based ACL doesn't work

Karel Navratil · ‎08-11-2014

Hi,

has anybody experience with settings DNS based ACL?

We need to allow iPads / iPhones to allow Apple App Store, however they are using Akamai network for that. Since WLC support only 64 rules, it's impossible to add all the subnets.

So I think, that the DNS based ACL can do it's job here. However it doesn't work as expected.

I put the string into the correct ACL:

URLs configured in this ACL
---------------------------
*.apple.co

And when I tried with the client, the access is still denied.

Here is the detail for the client:

Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
AAA Override ACL Name............................ MDMOnboarding
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. https://x.x.x.x/mifs/c/d/clientdownload.html

--More-- or (q)uit
Audit Session ID................................. 0a9a05e10000072453e89a71
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... NoPrivateNetworks

And the Allowed (URL) IP Addresses are not populated as it should be.

--More-- or (q)uit
DNS server IP ............................. 194.228.41.113
DNS server IP ............................. 8.8.8.8
Assisted Roaming Prediction List details:

Client Dhcp Required: True
Allowed (URL)IP Addresses
-------------------------

Does anybody have an idea?

WLC version is 7.6.120.0

Thanks!

K.