Controller-less WLANs

How to find which domain ACLs are being resolved in the pre-auth role
Q:

How to find which domain ACLs from the list in the pre-auth role are being resolved, and optimize the configuration accordingly?



A:

Instant 4.0 supports domain-based Access Control List (ACL) rules. These are similar to regular ACLs, but the destination is specified as a domain name instead of a destination IP address. Domain-based ACLs are most commonly used in guest networks to whitelist HTTPS services such as the Apple App Store and Android Market Place in the pre-auth role. Because these HTTPS web services do not have fixed public IP addresses, and the addresses may change at any point, the only solution is to configure domain-name ACLs as needed.

 

In Example 1 below, we have allowed access to the Google store so that WLAN users can download Quick Connect in the pre-auth role. Not all of the domain ACLs added below may be needed to complete the Quick Connect download. To find which domains are being resolved, we can execute "show datapath dns-id-map". This command displays the DNS cache that the IAP maintains for requests/responses it intercepts from client devices.

 

Example 1:

18:64:72:c2:43:b2# show access-rule Onboard-Redirect

Access Rules
------------
Dest IP  Dest Mask                   Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
-------  ---------                   ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
any      any                         match       any                                     permit  Yes
alias    www.apple.com               match       any                                     permit
alias    google.com                  match       any                                     permit
alias    play.google.com             match       any                                     permit
alias    1e100.net                   match       any                                     permit
alias    mtalk.google.com            match       any                                     permit
alias    clients4.google.com         match       any                                     permit
alias    android.clients.google.com  match       any                                     permit
alias    googleapis.com              match       any                                     permit
alias    play.googleapis.com         match       any                                     permit
Vlan Id           :0
ACL Captive Portal:external
ACL ECP Profile   :Onboard
CALEA             :disable
Bandwidth Limit   :downstream disable upstream disable

 

 

18:64:72:c8:20:a0# show datapath dns-id-map
entry:0 id:1 play.google.com
entry:1 id:2 *.google.com
216.58.220.46 74.125.68.188
entry:2 id:3 1e100.net
entry:3 id:4 mtalk.google.com
entry:4 id:5 clients4.google.com
entry:5 id:6 android.clients.google.com
entry:6 id:7 googleapis.com
216.58.220.42
entry:7 id:8 play.googleapis.com
entry:8 id:9 *ggpht.com
216.58.196.97
entry:9 id:10 *gvt1.com
182.79.251.15

 

In the above output, the only domains used to complete the Quick Connect download from the Google store were *.google.com, googleapis.com, *ggpht.com and *gvt1.com (the entries with resolved IP addresses listed beneath them). Now that we know which domain ACLs are being used, we optimized the pre-auth role (Example 2) to contain only those ACLs.

 

Example 2:

18:64:72:c8:20:a0# show access-rule Onboard-Redirect
 
Access Rules
------------
Dest IP  Dest Mask       Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
-------  ---------       ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
alias    *.google.com    match       any                                     permit
alias    googleapis.com  match       any                                     permit
alias    .*ggpht.com     match       https                                   permit
alias    .*gvt1.com      match       https                                   permit
Vlan Id           :0

 

18:64:72:c8:20:a0# show datapath dns-id-map
entry:0 id:1 *.google.com
216.58.220.46 74.125.130.188 216.58.220.36 216.58.196.110
entry:1 id:2 googleapis.com
216.58.220.42
entry:2 id:3 *ggpht.com
216.58.196.97
entry:3 id:4 *gvt1.com
182.79.251.15
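The manual comparison above can be scripted. The following is an added example, not part of the original article or Aruba tooling: it parses saved "show datapath dns-id-map" output and separates entries that have resolved addresses from entries that have none. The function names are hypothetical, and it assumes the output layout shown in Example 1 (an "entry:N id:N domain" line optionally followed by a line of IPv4 addresses).

```python
import re

# Output of "show datapath dns-id-map" copied from Example 1 above.
DNS_ID_MAP = """\
entry:0 id:1 play.google.com
entry:1 id:2 *.google.com
216.58.220.46 74.125.68.188
entry:2 id:3 1e100.net
entry:3 id:4 mtalk.google.com
entry:4 id:5 clients4.google.com
entry:5 id:6 android.clients.google.com
entry:6 id:7 googleapis.com
216.58.220.42
entry:7 id:8 play.googleapis.com
entry:8 id:9 *ggpht.com
216.58.196.97
entry:9 id:10 *gvt1.com
182.79.251.15
"""

ENTRY_RE = re.compile(r"^entry:\d+\s+id:\d+\s+(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_dns_id_map(text):
    """Map each domain entry to the IPv4 addresses listed under it."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            current = match.group(1)
            entries[current] = []
        elif current is not None and line:
            # Address lines hold one or more space-separated IPv4 addresses.
            entries[current] += [t for t in line.split() if IPV4_RE.match(t)]
    return entries

def split_by_resolution(entries):
    """Return (resolved, unresolved) domain lists, in output order."""
    resolved = [d for d, ips in entries.items() if ips]
    unresolved = [d for d, ips in entries.items() if not ips]
    return resolved, unresolved

if __name__ == "__main__":
    resolved, unresolved = split_by_resolution(parse_dns_id_map(DNS_ID_MAP))
    print("Keep in pre-auth role:  ", ", ".join(resolved))
    print("Candidates for removal: ", ", ".join(unresolved))
```

An entry with no addresses only means no client resolved it while the cache was being populated, so run the full onboarding flow from a test client before trimming the pre-auth role.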

 

Version history
Revision #:
2 of 2
Last update:
‎04-01-2017 11:07 PM