Thanks, Curtis. Good to know this DNS ACL feature works with non-ISE third-party 
NAC solutions. 

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca 
www.uoguelph.ca/ccs

----- Original Message -----
From: "Curtis K. Larsen" <curtis.k.lar...@utah.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, January 14, 2015 7:16:43 PM
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN


We are using the ACLs returned from PacketFence on a Guest WLAN which is 
configured using MAC-filtering and RADIUS-NAC. I just tested this with the DNS 
ACL and it is working fine. 


Thanks, 

Curtis Larsen 
University of Utah 
Wireless Network Engineer 




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca] 
Sent: Friday, January 09, 2015 8:32 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN 




I did not have any luck with the DNS ACL feature without having ISE. Our onboarding 
SSID is using local web authentication (versus central web authentication or 
RADIUS NAC) and I couldn't make the DNS ACL work in our setup. I opened a case 
with TAC and found out the DNS ACL actually has to work in a central web 
authentication setup (needs ISE to return the redirect-ACL attribute to WLC). 
This point was not clearly written in the 7.6 configuration guide, but they fixed it 
and made it clear in the 8.0 configuration guide. 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html
 

"DNS-based ACLs work only when RADIUS NAC (central web authentication or 
posture) are done on the SSID. DNS-based ACLs do not work with local web 
authentication or any other form of ACL other than a redirect-ACL used in the 
case of RADIUS NAC." 

Has anyone successfully deployed the Cisco WLC DNS ACL feature? 


--- 
Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services(CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

----- Original Message -----

From: "Trent Hurt" <trent.h...@louisville.edu> 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, January 8, 2015 8:53:41 PM 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN 




7.6 and up have the DNS ACL feature… 



http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163
 







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson 
Sent: Thursday, January 08, 2015 8:42 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN 




These devices prompt for a wireless network during the activation process, but 
won't let a webauth succeed. 





I like Hunter's idea of adding the Apple/Google/Antivirus sites to the 
pre-webauth ACL. Cisco WLCs won't let you use DNS names for ACL entries, d'oh! 
Is there a known list of these hosts somewhere before I go sniffing wireless 
traffic? 





Thanks, 


Britton 











        

Britton Anderson
Senior Network Communications Specialist
University of Alaska
907.450.8250






On Thu, Jan 8, 2015 at 4:24 PM, Mike King < m...@mpking.com > wrote: 




Maybe I'm oversimplifying this, but for the "average" user, don't those 
devices have to be activated BEFORE you can see the settings screen? 





Mike 







On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller < hf0...@uah.edu > wrote: 



This is what we do. While not authenticated to wireless you can still get to a 
few places - Microsoft, Apple, Google search, antivirus vendors. 

-- 
Hunter Fuller 
OIT 

Sent from my phone. 




On Jan 8, 2015 5:11 PM, "Frank Sweetser" < f...@wpi.edu > wrote: 




We already have an unencrypted SSID for students to get to our onboarding 
system (Cloudpath). Our plan for this summer is to poke enough firewall holes 
for students to also run through the device activation process. If we were to 
try to impose any kind of device security policies, we would do it in the 
onboarding process. 


On January 8, 2015 5:54:01 PM EST, Britton Anderson < blanders...@alaska.edu > 
wrote: 




I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account. 





Are any of you doing an "SSID-Activate" WLAN, or requiring clients to bring it 
by your respective Help Desks for activation? 





Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device is activated. 





Thanks, 


--Britton 








        

Britton Anderson
Senior Network Communications Specialist
University of Alaska
907.450.8250



********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/ . 


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity. 
