02-27-2012 04:09 PM
We've got a captive portal setup on one of our legacy networks where the portal pages show when someone has failed to authenticate via MAC address. Since we're allowing them online so that they can see the portal and don't want to force a user to change their possibly static DNS configurations, I was wondering if we might be able to redirect the DNS queries while they're in the unauthenticated role ... then allow their DNS traffic anywhere once they've authenticated successfully.
This is basically to address the DNSchanger trojan behavior w/o breaking anything we're currently allowing our users to do. I'd probably prefer to force them to use OpenDNS, but as this unauthenticated->authenticated role change does not send the user off to DHCP again, I can't do this from the DHCP server. I haven't seen UDP redirection in the controller (yet), but it seemed like this would be a possible approach (and perhaps clean up problem cases for our guest network, too).
02-27-2012 04:38 PM
You can try the rule "user any svc-dns dst-nat ip 220.127.116.11"
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs