Posturing for Windows updates using DNS-based ACLs
I have an 'employee' 802.1X wireless network set up and receiving AAA through ISE. The vWLC is running v220.127.116.11. I am using ISE 1.2.1. Everything is working fine without posturing. I set up posturing and the check is working fine. When the device is 'non-compliant', the remediation action is to launch Windows Updates.
Microsoft documentation lists access to these sites for Windows Updates to function...
With that many URLs, global load balancing, etc., it is impossible to add all the IPs needed for this to function. Therefore, new for v7.6, Cisco introduced DNS-based ACLs where the controller performs DNS snooping to see the client traffic and resolve the DNS names to IPs. It then allows the client access to those IPs.
I added these domains to the ACL...
It is not working. Windows Updates are failing because they can't access those sites above. Has anyone gotten DNS-based ACLs working with Radius NAC posturing or CWA?
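The DNS-snooping mechanism described in the post, as an added illustration that is not part of the original post and is not Cisco's code: a small Python simulation of a DNS-based ACL. The domain entries (update.example.com, *.dl.example.net), the addresses and the TTLs are constructed for the example, and the wildcard convention (a leading "*." matches any subdomain) is an assumption of this simulation, not a statement about how AireOS matches url-domain entries. It shows the point that matters when troubleshooting: the allow-list is populated only from DNS answers for names that match an ACL entry, so a destination the client reaches through a name that does not match, or through a response the snooping device never sees, is denied even if the site is legitimate.

```python
"""Simulation of a DNS-snooping ACL (constructed example, not vendor code)."""
import struct
import time


def _read_name(msg, off, _jumps=0):
    """Read a DNS name at msg[off], following compression pointers.
    Returns (lowercased dotted name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if _jumps > 10:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            end = end if end is not None else off + 2  # field ends after pointer
            off, _jumps = ptr, _jumps + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_a_records(msg):
    """Return (question name, [(owner name, ttl, dotted IPv4)]) for A records
    in a DNS response. Non-A answers are skipped."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    qname, off = _read_name(msg, 12)
    off += 4                                           # QTYPE, QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return qname, records


def build_response(qname, ips, ttl=300):
    """Construct a minimal DNS response with one A record per IP (test data)."""
    enc = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = enc + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        rdata = bytes(int(x) for x in ip.split("."))
        # 0xC00C = pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return hdr + question + answers


class DnsSnoopAcl:
    """Allow-list learned from snooped DNS answers for configured domains."""

    def __init__(self, domains):
        self.domains = [d.lower().strip(".") for d in domains]
        self.learned = {}                              # ip -> expiry timestamp

    def matches(self, qname):
        for d in self.domains:
            if d.startswith("*."):                     # assumed wildcard convention
                if qname.endswith(d[1:]):
                    return True
            elif qname == d:
                return True
        return False

    def snoop(self, msg, now=None):
        """Learn addresses from one observed DNS response; returns IPs added."""
        now = time.time() if now is None else now
        qname, records = parse_a_records(msg)
        if not self.matches(qname):
            return []                                  # name not in ACL: nothing learned
        added = []
        for _name, ttl, ip in records:
            self.learned[ip] = now + ttl
            added.append(ip)
        return added

    def permits(self, dst_ip, now=None):
        """Is client traffic to dst_ip allowed right now?"""
        now = time.time() if now is None else now
        expiry = self.learned.get(dst_ip)
        if expiry is None or now >= expiry:
            self.learned.pop(dst_ip, None)             # unknown or TTL expired
            return False
        return True


if __name__ == "__main__":
    acl = DnsSnoopAcl(["update.example.com", "*.dl.example.net"])
    acl.snoop(build_response("update.example.com", ["203.0.113.10"]), now=0)
    print("203.0.113.10 permitted:", acl.permits("203.0.113.10", now=1))
    print("192.0.2.1 permitted:", acl.permits("192.0.2.1", now=1))  # never resolved
```

When debugging a real deployment, this is the behaviour to verify against the controller's own view: confirm that the client's DNS queries for the listed names actually traverse the controller and that the resolved addresses show up in its learned list before concluding the ACL entries themselves are wrong.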