Cisco 5508 Wireless Controller Technical Reference
Wireless BYOD with Identity Services Engine
DNS Based ACL Support for BYOD Clients
Description of the DNS based ACL:
• DNS snooping will be performed on the AP.
• Snooping will be performed per client until the registration is complete and the client is in SUPPLICANT_PROVISIONING state.
• When the ACL configured with the URLs is received on the WLC, the CAPWAP payload will be sent to the AP, enabling snooping on the client and identifying the URLs to be snooped.
• With URL snooping in place, the AP will learn the IP address of the resolved domain name from the DNS response.
• If the domain name matches the configured URL, then the DNS response is parsed for the IP address, and the IP address is sent to the WLC as a CAPWAP payload.
• The WLC will add the IP address to the allowed list of IP addresses in the MSCB table and plumb the data path with the IP address. With this the client will be able to pass data traffic to the configured URLs.
Note
The feature is supported for both Local and FlexConnect mode for central authentication. When the client is in the POSTURE_REQD state and the url-redirect-acl ACL is applied to the client, the AP will do DNS snooping and will be able to update the WLC with the IP addresses to be allowed.
DNS Based ACL Process Flow
Upon AAA (ISE) returning the pre-auth ACL with pre-configured DNS based URLs, the flow will be as such:
• WLC will send a CAPWAP payload to the AP to enable DNS snooping for the URLs: the allowed URL and the ISE URL.
• AP snoops for the DNS query from the client.
  a. If the domain name matches the allowed URL, forward the request to the DNS server. Wait for the response from the DNS server. Parse the DNS response and forward the DNS response with only the 1st IP address resolved.
  b. If the domain name does not match, then the DNS response is forwarded as is back to the client.
• In case the domain name matches, the 1st resolved IP address will be sent to the WLC in the CAPWAP payload.
• WLC updates the client with the allowed IP address received from the AP.
• When the client does an HTTP GET:
  a. The client will get redirected in case the ACL blocks the traffic.
  b. With the allowed IP address the HTTP traffic will be allowed.
• Once the App is downloaded on the client and provisioning is complete, the ISE server sends a CoA session terminate to the WLC.
Once the client is de-authenticated from the WLC, the AP will remove the per-client snooping flag and disable snooping.
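The following is an added example, not code from the Cisco document or from the WLC/AP software, that models the AP-side snooping logic described in both sections above: per-client snooping state, matching the queried name against the ACL's URL list, rewriting a matching DNS response so that only the first resolved A record is forwarded, and recording the IP address that would be reported to the WLC over CAPWAP. The domain names, IP addresses and DNS messages are constructed here for illustration; the CAPWAP payload format and the MSCB table are not modelled, and the rewritten answer record re-uses the question name as owner, which is a simplification of what a real AP would do with CNAME chains.

```python
import ipaddress
import struct


class ClientSnoopState:
    """Per-client state the AP keeps while the client is in SUPPLICANT_PROVISIONING."""

    def __init__(self, allowed_domains):
        self.snooping = True                                   # flag set by the CAPWAP payload
        self.allowed_domains = {d.lower() for d in allowed_domains}
        self.learned_ips = set()                               # IPs already reported to the WLC

    def deauth(self):
        """Client de-authenticated: clear the snooping flag and forget learned addresses."""
        self.snooping = False
        self.learned_ips.clear()


def _read_name(msg, off):
    """Decode a DNS name at off, following compression pointers. Returns (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                              # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_response(msg):
    """Return (qname, question_end, answers) where answers is a list of (rtype, ttl, ip_or_None)."""
    _flags, qdcount, ancount, _ns, _ar = struct.unpack("!5H", msg[2:12])
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                               # QTYPE + QCLASS
    question_end = off
    answers = []
    for _ in range(ancount):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        ip = str(ipaddress.IPv4Address(rdata)) if rtype == 1 and rdlen == 4 else None
        answers.append((rtype, ttl, ip))
    return qname, question_end, answers


def snoop_response(state, msg):
    """AP snooping step: returns (message_to_forward, ip_reported_to_wlc_or_None)."""
    if not state.snooping:
        return msg, None
    qname, question_end, answers = parse_response(msg)
    if qname not in state.allowed_domains:
        return msg, None                                       # no match: forward as is
    first_a = next(((ttl, ip) for rtype, ttl, ip in answers if ip is not None), None)
    if first_a is None:
        return msg, None                                       # nothing resolved to learn
    ttl, ip = first_a
    state.learned_ips.add(ip)                                  # what goes to the WLC via CAPWAP
    # Keep ID, flags and QDCOUNT; set ANCOUNT=1 and drop authority/additional sections.
    header = msg[:6] + struct.pack("!3H", 1, 0, 0)
    # Single A record whose owner is a pointer to the question name at offset 12 (simplification).
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + msg[12:question_end] + rr, ip


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(qname, ips, ttl=300):
    """Constructed DNS response (one question, one A record per ip) used as sample input."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
                       for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    # Constructed ACL URLs: the allowed URL and the ISE URL (hypothetical names).
    state = ClientSnoopState(["byod.example.com", "ise.example.com"])
    resp = build_response("byod.example.com", ["203.0.113.10", "203.0.113.11"])
    forwarded, reported = snoop_response(state, resp)
    print("reported to WLC:", reported, "answers forwarded:", len(parse_response(forwarded)[2]))
    state.deauth()
    print("snooping after deauth:", state.snooping)
```

Run it as a script to see the constructed two-answer response trimmed to one A record and the first address recorded for the WLC; a response for a name outside the ACL is returned byte-for-byte unchanged, and after `deauth()` every response passes through untouched.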