ArubaOS and Controllers

MVP
Posts: 371
Registered: ‎01-14-2010

DNS lookups and Firewall destinations

All,

I'd like to block a specific DNS domain from being accessed by a specific role. I've been going through the process and found that you can do this under:

Advanced Services > Stateful Firewall > Destinations > Add Destination

In this menu you can create a destination and then specify the "name" and the DNS name. The only problem is that every time I type in a DNS name it does not save. I've successfully added a range, host, and network without issue.

This got me thinking. The problem may be that the controller may not have DNS lookups enabled. I went to the CLI and did a search for "domain," "name," and "dns," all coming up blank.

I did find that the controller supported the following "Cisco-ish" commands:

conf t
ip name server
ip domain-name
ip domain lookup

I'm wondering if other people on the forum had to instantiate the previous commands in order to get the firewall name destinations working. Also, is there a WebGUI way of doing the following commands?

I did goof with these commands and it said that I would need to reboot the controller in order to take effect - something I'll have to do after hours if this is the case.

The controller is running 3.4.2.5.

Thanks for all your help!

-Mike
Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Blocking DNS domains

You cannot block DNS domains. Despite how it appears, you cannot do this.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 371
Registered: ‎01-14-2010

Re: DNS lookups and Firewall destinations

Hi Colin,

Here's what I'm trying to do. I'm running two SSIDs: one of them is open and the other is secured with WPA-Enterprise / 802.1x. The open SSID links to a captive portal where users can authenticate as a non-authorized guest / not in the "Internal" database or as an AD user. The roles from the captive portal all have bandwidth restrictions at this point. I'd also like to block some of the more popular sites like Facebook and Youtube on this SSID in order to drive people to the 802.1x network which does not have any role restrictions.

I was hoping to use the stateful firewall feature to block access to these domains. Is there another way to do this other than adding a DNS entry for the open SSID on our firewall?

Thanks for any help that you can offer!

-Mike
Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

No.


Not any way that I can think of.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 371
Registered: ‎01-14-2010

Re: DNS lookups and Firewall destinations

Colin,

Thanks for the reply! I'll let you know if I end up finding a way to figure this out.

-Mike
Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Open DNS

This is not an advertisement, but Open DNS (www.opendns.com) offers web filtering. You can have guests on your "guest" portal get Open DNS's DNS server address and filter those users. You can then give the 802.1x users a different, internal DNS server address where Facebook is not blocked. It is NOT very high tech, but for most users it will work. You can also make the guest SSID very slow by configuring a low bandwidth contract, and limit the firewall services, so that it is very unattractive to 802.1x users. There was a thread for keeping regular users off the guest network here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=785


Colin Joseph
Aruba Customer Engineering
