Posturing for Windows updates using DNS-based ACLs

Hi all,

I have an 'employee' 802.1x wireless network set up and receiving AAA through ISE.  The vWLC is running v7.6.130.0.  I am using ISE 1.2.1.  Everything is working fine without posturing.  I set up posturing and the check is working fine.  When the device is 'non-compliant', the remediation action is to launch Windows Updates.

Microsoft documentation lists access to these sites for Windows Updates to function...

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://stats.update.microsoft.com
http://ntservicepack.microsoft.com

With that many URLs, global load balancing, etc., it is impossible to add all the IPs needed for this to function.  Therefore, new for v7.6, Cisco introduced DNS-based ACLs where the controller performs DNS snooping to see the client traffic and resolve the DNS names to IPs.  It then allows the client access to those IPs.

I added these domains to the ACL...

microsoft.com
windowsupdate.com

It is not working.  Windows Updates are failing because they can't access those sites above.  Has anyone gotten DNS-based ACLs working with Radius NAC posturing or CWA?

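A quick sanity check for the situation described in the post, added here and not part of the original thread or any Cisco tool: it parses the Windows Update URL list, strips the `*.` wildcard labels, and tests each hostname against the two domain entries of the DNS-based ACL with a label-boundary suffix match, so you can see whether a host is outside the configured domains before suspecting the snooping itself. The URL list and ACL entries are copied from the post; the function names are my own.

```python
from urllib.parse import urlsplit

# Hosts Microsoft lists for Windows Update (copied from the post above).
WINDOWS_UPDATE_URLS = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://stats.update.microsoft.com",
    "http://ntservicepack.microsoft.com",
]

# Domain entries the poster configured in the DNS-based ACL.
ACL_DOMAINS = ["microsoft.com", "windowsupdate.com"]


def hostname_of(url: str) -> str:
    """Lowercase host part of a URL, with a leading '*.' wildcard label removed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def covered_by(host: str, acl_domain: str) -> bool:
    """True if host equals acl_domain or is a subdomain of it.
    The match is on a label boundary, so 'notmicrosoft.com' is not
    covered by an ACL entry for 'microsoft.com'."""
    acl_domain = acl_domain.lower().strip(".")
    return host == acl_domain or host.endswith("." + acl_domain)


def uncovered_hosts(urls, acl_domains):
    """Sorted, de-duplicated hostnames that no ACL domain entry covers."""
    missing = set()
    for url in urls:
        host = hostname_of(url)
        if not any(covered_by(host, d) for d in acl_domains):
            missing.add(host)
    return sorted(missing)


if __name__ == "__main__":
    # An empty list means every listed host falls under the ACL entries.
    print("uncovered:", uncovered_hosts(WINDOWS_UPDATE_URLS, ACL_DOMAINS))
```

With both entries present the list comes back empty, so a missing domain entry is not the explanation for the failure; note that several hosts are reached over HTTPS, so the resolved addresses must be permitted on 443 as well as 80.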