Cisco Support Community
4400 pre-auth acl and DNS requests

I have a weird situation regarding my WLC 4400 setup. In a nutshell: the pre-auth acl does not work for DNS. Here's the description.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.98.0
RTOS Version..................................... 7.0.98.0

I've defined two acls, one of which, "pre-auth", is used in WLAN id 2 on VLAN 7 [lan_guests]. It does "allow DNS to 10.0.2.75, disallow DNS elsewhere". This suits me, since in DHCP I pass three DNS servers: 10.0.3.3 and 10.0.4.3, which are legitimate (W)LAN DNS servers, and 10.0.2.75, which is a dummy DNS server returning just one IP for everything. With this setup I'm trying to prevent non-authorized users in VLAN 7 [192.168.244.0/24] from using DNS before they authenticate against the built-in web portal [which is configured to use RADIUS]. I block the legitimate DNS servers and leave only the dummy one, to allow nodes to get the authorization screen but prevent DNS tunnels. Here's the setup:

(Cisco Controller) >show acl summary

ACL Counter Status               Enabled
----------------------------------------
ACL Name                         Applied
-------------------------------- -------
pre-auth                         Yes   
no-dns                           Yes  

(Cisco Controller) >show acl detailed pre-auth

                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1  In   192.168.244.0/255.255.255.0         10.0.2.75/255.255.255.255   17     0-65535    53-53     Any Permit          30
     2  In   192.168.244.0/255.255.255.0         10.0.2.75/255.255.255.255    6     0-65535    53-53     Any Permit           0
     3 Out       10.0.2.75/255.255.255.255   192.168.244.0/255.255.255.0     17    53-53        0-65535  Any Permit          30
     4 Out       10.0.2.75/255.255.255.255   192.168.244.0/255.255.255.0      6    53-53        0-65535  Any Permit           0
     5  In   192.168.244.0/255.255.255.0           0.0.0.0/0.0.0.0           17     0-65535    53-53     Any   Deny         322
     6 Out         0.0.0.0/0.0.0.0           192.168.244.0/255.255.255.0     17    53-53        0-65535  Any   Deny         312
     7 Any   192.168.244.0/255.255.255.0           0.0.0.0/0.0.0.0            6     0-65535    53-53     Any   Deny           7
     8 Any         0.0.0.0/0.0.0.0           192.168.244.0/255.255.255.0      6    53-53        0-65535  Any   Deny           6

192.168.244.0/24 is the "guest" IP subnet, 10.0.2.75 is the "fake" DNS server [also does DHCP]

(Cisco Controller) >show wlan 2

WLAN Identifier.................................. 2
Profile Name..................................... guestswelcome
Network Name (SSID).............................. guests-wlan
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control

  NAC-State...................................... Disabled
  Quarantine VLAN................................ 0
Number of Active Clients......................... 4
Exclusionlist Timeout............................ 5 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ lan_guests
WLAN ACL......................................... unconfigured
DHCP Server...................................... 10.0.2.75
DHCP Address Assignment Required................. Enabled

--More-- or (q)uit
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 10.0.2.75 1812
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System

--More-- or (q)uit
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Enabled
        ACL............................................. pre-auth

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        Web Authentication server precedence:
        1............................................... radius
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

What's more funny, the counters on this "pre-auth" acl are actually INCREMENTED, which makes this problem a little more puzzling. Look:

(Cisco Controller) >show acl detailed pre-auth

(...)

     5  In   192.168.244.0/255.255.255.0           0.0.0.0/0.0.0.0           17     0-65535    53-53     Any   Deny         322
     6 Out         0.0.0.0/0.0.0.0           192.168.244.0/255.255.255.0     17    53-53        0-65535  Any   Deny         312

Now I do "nslookup a4.com 10.0.3.3" on one of the non-authorized Windows machines that attached to this WLAN. And I get:

(Cisco Controller) >show acl detailed pre-auth

(...)

     5  In   192.168.244.0/255.255.255.0           0.0.0.0/0.0.0.0           17     0-65535    53-53     Any   Deny         330
     6 Out         0.0.0.0/0.0.0.0           192.168.244.0/255.255.255.0     17    53-53        0-65535  Any   Deny         320

This worked flawlessly in 4.2 software. I had to upgrade to 5.0 to be able to handle intermediate certificates and, since the upgrade, DNS is never blocked when "pre-auth" is used [before the user authorizes]. And up until 7.0, this "feature" persists.

Did anyone encounter this strange behaviour?
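The post above compares two readings of the rule-5 and rule-6 counters by eye. The following script is an added example (not from the thread, not Cisco's code) that parses the `show acl detailed` rows and reports which rules moved between two snapshots; the snapshots are the two readings pasted above, embedded as constructed input.

```python
import re

# Row layout of "show acl detailed <name>" on WLC 7.0.98.0, as pasted above:
# index, direction, src, dst, protocol, source port range, dest port range, DSCP, action, hit counter.
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<dir>In|Out|Any)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\S+)\s+(?P<dport>\S+)\s+(?P<dscp>\S+)\s+"
    r"(?P<action>Permit|Deny)\s+(?P<counter>\d+)\s*$"
)

def parse_acl(text):
    """Map rule index -> rule fields (index/proto/counter as ints) from a show-acl-detailed dump."""
    rules = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rule = m.groupdict()
            for key in ("index", "proto", "counter"):
                rule[key] = int(rule[key])
            rules[rule["index"]] = rule
    return rules

def diff_counters(before, after):
    """Rules whose hit counter changed between two snapshots: [(index, action, delta)]."""
    deltas = []
    for idx, new in sorted(after.items()):
        old = before.get(idx)
        if old is not None and new["counter"] != old["counter"]:
            deltas.append((idx, new["action"], new["counter"] - old["counter"]))
    return deltas

# Constructed snapshots: rules 5 and 6 as read before and after the nslookup in the thread.
BEFORE = """\
     5  In   192.168.244.0/255.255.255.0           0.0.0.0/0.0.0.0           17     0-65535    53-53     Any   Deny         322
     6 Out         0.0.0.0/0.0.0.0           192.168.244.0/255.255.255.0     17    53-53        0-65535  Any   Deny         312
"""
AFTER = """\
     5  In   192.168.244.0/255.255.255.0           0.0.0.0/0.0.0.0           17     0-65535    53-53     Any   Deny         330
     6 Out         0.0.0.0/0.0.0.0           192.168.244.0/255.255.255.0     17    53-53        0-65535  Any   Deny         320
"""

if __name__ == "__main__":
    for idx, action, delta in diff_counters(parse_acl(BEFORE), parse_acl(AFTER)):
        print(f"rule {idx} ({action}): +{delta} hits")  # a growing Deny counter shows the rule matched
```

A Deny rule whose counter grows while the lookup it should block still gets an answer is the contradiction the post describes: the rule is being evaluated, but something else decides the forwarding.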


Re: 4400 pre-auth acl and DNS requests

Ok, I'm not fully understanding what the issue is here.

Are the guests not able to get to the webauth page? Is it that you are seeing the DNS deny being hit? What order are the DNS servers provided in the scope? You could be seeing the deny incrementing if the client tries all the servers in its list.

**FYI**

You shouldn't need the TCP DNS portion in the pre-auth ACL, that's for zone transfers; UDP DNS should be enough. Also you could simplify this even more by only using lines 1 and 3. Allow guest --> DNS and DNS --> guest, as there is an implicit deny at the end of the ACL.

HTH, Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Re: 4400 pre-auth acl and DNS requests

OK, I see I need to clarify my problem.

I've created a non-encrypted WLAN for guests. When they associate, they get DHCP response with three nameservers, two "good" ones and one "fake". In pre-authorization acl I block the "good" servers so users get "fake" IPs with 1s TTL just to make the browser try to make a connection, thus triggering the controller to authorize it using built-in portal. As soon as credentials are OK, acl is switched off and users start using "good" nameservers.

This method worked on 4.2 software, but since 5.0 upgrade, 53/tcp and 53/udp packets are not blocked anymore, but they DO increment counters in acl usage. And this is consistent up to 7.0 software.

What I'm trying to avoid is the users setting up a DNS tunnel to bypass my authorization scheme, since it's a considerable security risk.

It seems some "stealth" acl takes precedence over my pre-auth "DNS DENY" rules. But why? And how can I disable it?


Re: 4400 pre-auth acl and DNS requests

It seems that the acl that's defined in GUI is changed before user authorizes. For no obvious reason. This is my "debug pem events enable" output. ACL ID 0 "pre-auth" is the one I've configured in GUI.

*apfMsConnTask_0: Nov 15 12:55:51.970: 2c:81:58:eb:d9:98 0.0.0.0 START (0) Changing ACL 'pre-auth' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: Nov 15 12:55:51.970: 2c:81:58:eb:d9:98 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: Nov 15 12:55:51.970: 2c:81:58:eb:d9:98 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Nov 15 12:55:51.970: 2c:81:58:eb:d9:98 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:15:63:6f:66:90 vapId 2 apVapId 2
*apfReceiveTask: Nov 15 12:55:51.972: 2c:81:58:eb:d9:98 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Nov 15 12:55:51.972: 2c:81:58:eb:d9:98 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4182, Adding TMP rule
*apfReceiveTask: Nov 15 09:43:51.972: 2c:81:58:eb:d9:98 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:15:63:6f:66:90, slot 0, interface = 29, QOS = 3
  ACL Id = 255, Jumbo F
*apfReceiveTask: Nov 15 12:55:51.972: 2c:81:58:eb:d9:98 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 7, IPv6 intf id = 13
*apfReceiveTask: Nov 15 12:55:51.972: 2c:81:58:eb:d9:98 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Nov 15 12:55:51.976: 2c:81:58:eb:d9:98 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Nov 15 12:55:51.976: 2c:81:58:eb:d9:98 Sent an XID frame
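The debug output above shows the configured ACL being swapped for 'none' (ACL ID 255) and that ID being plumbed into the fast path. The following script is an added example (not from the thread, not Cisco's code) that scans `debug pem events` output for exactly those two events per client MAC, so the swap can be spotted without reading the log by hand; the sample lines are the three relevant lines from the post, embedded as constructed input.

```python
import re

# ACL ID 255 is the label the controller gives the 'none' ACL in the pasted debug output.
NONE_ACL_ID = 255

# "*task: Mon DD hh:mm:ss.mmm: <mac> <ip> <STATE> (n) Changing ACL '<old>' (ACL ID x) ===> '<new>' (ACL ID y)"
CHANGE_RE = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \S+ (?P<state>\S+) \(\d+\) "
    r"Changing ACL '(?P<old>[^']*)' \(ACL ID (?P<old_id>\d+)\) ===> "
    r"'(?P<new>[^']*)' \(ACL ID (?P<new_id>\d+)\)"
)
# "... <mac> <ip> <STATE> (n) Successfully plumbed mobile rule (ACL ID y)"
PLUMBED_RE = re.compile(
    r"^\*\S+: \w{3} +\d+ [\d:.]+: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \S+ \S+ \(\d+\) "
    r"Successfully plumbed mobile rule \(ACL ID (?P<acl_id>\d+)\)"
)

def find_acl_downgrades(log_text):
    """Clients whose configured ACL was replaced by 'none': [(mac, state, old_name, old_id)]."""
    found = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line)
        if m and int(m["new_id"]) == NONE_ACL_ID and int(m["old_id"]) != NONE_ACL_ID:
            found.append((m["mac"], m["state"], m["old"], int(m["old_id"])))
    return found

def plumbed_acl_per_client(log_text):
    """Last ACL ID plumbed into the fast path, per client MAC."""
    plumbed = {}
    for line in log_text.splitlines():
        m = PLUMBED_RE.match(line)
        if m:
            plumbed[m["mac"]] = int(m["acl_id"])
    return plumbed

# Constructed sample: the two 'Changing ACL' lines and the 'plumbed' line from the post above.
SAMPLE = """\
*apfMsConnTask_0: Nov 15 12:55:51.970: 2c:81:58:eb:d9:98 0.0.0.0 START (0) Changing ACL 'pre-auth' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: Nov 15 12:55:51.970: 2c:81:58:eb:d9:98 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfReceiveTask: Nov 15 12:55:51.972: 2c:81:58:eb:d9:98 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
"""

if __name__ == "__main__":
    for mac, state, old, old_id in find_acl_downgrades(SAMPLE):
        print(f"{mac}: ACL '{old}' (ID {old_id}) replaced by 'none' in state {state}")
    print(plumbed_acl_per_client(SAMPLE))
```

A client that shows up in both results, with its configured ACL dropped and ID 255 plumbed, is one whose pre-auth DNS restrictions are not enforced in the fast path, whatever the ACL counters say.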
