I know, I've configured WPA2/802.1x and it works allright.

But I need guest/frast internet access with no supplicant installed and WPA2/802.1x is no option since it forces users to tweak their (WLAN/network/certificate) settings first.

I could implement WPA2/802.1x guest access, I'm using Packetefence wchich handles this task very well, but Windows-based computers fail to accept self-signed certificate (with extensions) to use it to set up TTLS part of PEAP sesion. OK, nice and subtle way of forcing users to pay $350/yr for a "wireless certificate" which is nothing more than a simple $50 certificate but with extensions addedd.

So I decided to go with open SSID and web auth.

Then it looks like you reach to a dead end...

Wireless WEB AUTH security mode in WLC simply does not support VLAN assignment...

HTH,

Tiago

OK, but what will suit me is to prevent users access real-world DNS servers before they authenticate. This way I can define several WLANs with the same web auth radius database but diffrent access rights. But it seems pre-auth ACL does not allow to prevent DNS access and this really sucks, security-wise.

I guess you are missing the concept of WEB auth.

DNS traffic is a MUST in web auth.

The way WEB Auth works is the following:

1 - Client associates.

2 - Client gets IP address.

3 - Opens Web browser.

4 - User types url.

5 - PC needs to resolve URL using DNS.

6 - After getting the IP address of host in URL, it send HTTP traffic.

7 - WLC intercepts HTTP traffic and redirects client to the login page.

Now, WLC will only redirect the client to the login page if it "sees" HTTP traffic from th eclient IP address.

If you open a browser and type an URL, if it cannot be resolved, the client will never know the ip address and will never know wehre to send the HTTP packets, and will not be redirected to the login page.

If there is no DNS traffic allowed, the only way to get to the login page is if the clients try to access an URL based on ip address rather than hostname like for example:  http://66.102.13.105 instead of http://www.google.com.

HTH,

Tiago

Not really. I know DNS is required for web auth to intercept user's request. It wouldn't be any traffic if there was no DNS available.

But enabling users to communicate using DNS protocol [53/udp] before they authenticate opens a security hole, where you can bypass the authorization requirement and create a "small-but-efficient" tunnel between your node and a speciailly configured DNS server on the net. This way you wouldn't see any abnormal traffic passing and yet, hacking/bypassing could be perfomed easily.

Just take look at http://www.dnstunnel.de/. Even script kiddies can bypass web auth with no DNS filtering.

So I decided to pass three nameservers in DHCP OFFER packets. The first two are actual DNS servers but they are disabled by pre-auth rule, and the third one is a "fake" DNS which returns the same IP for every request, with TTL set to 0 so nodes won't cache the "fake" answers.

When an user is authenticated, the pre-auth ACL disappears and the two nameservers start to deliver replies to the client. Nodes never query the third one unless both "real" nameservers go down.

But for some reason, the controller is allowing DNS traffic despite me putting a "deny" rule in pre-auth which completly invalidates the idea of authorising an acces. I wouldn't mind if the "default deny" rule would allow DNS, but implicit "deny DNS requests to DHCP nameservers" rule gets overriden by controller, which is a very bad idea -- as an administrator if I put such a rule I know what I'm trying to achieve and 4402 shouldn't try to be smarter.

Ok, then your config makes sense and the pre-auth ACL should work.

Here is an example of ACLs in the WLC in case you want to make you did it properly:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml.

If you want we can take a look into the config and assist you on the configuration.

Another option is to open a SR if you believe the WLC is behaving not as expected.

HTH,

Tiago