Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Can someone explain to me how session access-lists work with the type "name"?

  • 1.  Can someone explain to me how session access-lists work with the type "name"?

    Posted Apr 16, 2014 06:49 PM

    I have configured a session access-list for OCSP verification and I have defined a netdestination with all names (FQDNs) for the CAs' CRL and OCSP URLs.  I have configured "ip name-server", and "ip domain lookup".  And all seems to work well.  But could someone please explain to me what the controller is doing in the backend when a session hits this ACL?

    Does the controller do a DNS lookup every time the OCSP rule is hit?

    Does the controller then cache the various DNS lookup results for the OCSP URLs?

    Or is it possible that the controller is doing DNS snooping and determining the correct IPs from the DNS query results from the users during the OCSP checks?

    ## Example Configurations:

    !
    netdestination Named_OCSP_List
      name ocsp.ws.symantec.com
      name ocsp.geotrust.com
      name ocsp.thawte.com
      name ocsp.verisign.com
      name crl.verisign.com
      name SVRIntl-G3-crl.verisign.com
    !

    !
    ip access-list session GUEST-LOGON_ACL
      any user svc-icmp  permit log
      user any udp 67  permit log
      user   alias Named_OCSP_List svc-http  permit log
      user any svc-http  dst-nat 8080 log
      user any svc-https  dst-nat 8081 log
      alias DHCP-Server user udp 68  permit log
      user   alias DNS-Server svc-dns  permit log
    !




  • 2.  RE: Can someone explain to me how session access-lists work with the type "name"?
    Best Answer

    EMPLOYEE
    Posted Apr 16, 2014 06:52 PM

    The controller makes the DNS query and then caches the results. You can show the current cache with:

    #show firewall dns-names



  • 3.  RE: Can someone explain to me how session access-lists work with the type "name"?

    Posted Apr 22, 2014 10:46 AM

    Nice post.

    Another question about it.

    Does somebody know how and when those table entries get flushed (those visible with *show firewall dns-names*)?

    Pretty strange that new IP addresses get added to a specific domain name and not substituted.

    Am I missing something!?

    Thanks in advance for your tips.

    ricweb74_unipr



  • 4.  RE: Can someone explain to me how session access-lists work with the type "name"?

    EMPLOYEE
    Posted Apr 22, 2014 11:52 AM

    ricweb74_unipr,

    Those IP addresses are not used for forward lookups.  They are used for reverse lookups.  It is intended to see what IP address is resolved for an FQDN and then block/permit access to those IP addresses.  If I want to block access to facebook.com, I need to know all of the IP addresses that it has resolved to, so I can block traffic to those IP addresses.
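    The behaviour described in this thread, as an added toy model (not ArubaOS code and not the poster's): a per-name cache in which new answers are added rather than substituted, each address ageing out on its own TTL, and an alias match of the kind `user alias Named_OCSP_List svc-http permit` performs. The TTL, the resolver answers and the TEST-NET addresses are constructed assumptions; the model also shows why an accumulating cache widens the permit to every address a name has resolved to until the entry is flushed.

```python
"""Toy model of a named-netdestination cache (added example; not ArubaOS's implementation)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DnsNameCache:
    """Maps an FQDN to every address it has resolved to, with an expiry per address.

    Addresses accumulate instead of replacing the previous answer, which is what the
    thread observed in 'show firewall dns-names'. The TTL handling is an assumption.
    """
    entries: dict = field(default_factory=dict)   # fqdn -> {ip: expires_at}

    def learn(self, fqdn, answers, now, ttl):
        """Record a resolver answer; existing addresses for the name are kept."""
        bucket = self.entries.setdefault(fqdn, {})
        for ip in answers:
            bucket[str(ipaddress.ip_address(ip))] = now + ttl

    def flush_expired(self, now):
        """Drop addresses whose TTL has elapsed, and names left with no addresses."""
        for fqdn, bucket in list(self.entries.items()):
            for ip, expires_at in list(bucket.items()):
                if expires_at <= now:
                    del bucket[ip]
            if not bucket:
                del self.entries[fqdn]

    def addresses(self, fqdn, now):
        """Addresses currently valid for fqdn (unexpired only)."""
        return {ip for ip, exp in self.entries.get(fqdn, {}).items() if exp > now}


def alias_matches(cache, alias_names, dst_ip, now):
    """True if dst_ip is currently cached for any name in the netdestination alias."""
    return any(dst_ip in cache.addresses(name, now) for name in alias_names)


# Names taken from the thread's netdestination; addresses are constructed TEST-NET values.
NAMED_OCSP_LIST = ["ocsp.verisign.com", "crl.verisign.com"]


def demo():
    cache = DnsNameCache()
    cache.learn("ocsp.verisign.com", ["192.0.2.10"], now=0, ttl=300)
    cache.learn("ocsp.verisign.com", ["192.0.2.11"], now=100, ttl=300)  # added, not substituted
    both_permitted = (alias_matches(cache, NAMED_OCSP_LIST, "192.0.2.10", now=150)
                      and alias_matches(cache, NAMED_OCSP_LIST, "192.0.2.11", now=150))
    cache.flush_expired(now=320)  # the first answer has aged out, the second is still valid
    return both_permitted, sorted(cache.addresses("ocsp.verisign.com", now=320))
```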




  • 5.  RE: Can someone explain to me how session access-lists work with the type "name"?

    Posted Apr 22, 2014 12:21 PM

    Thanks for that! This is exactly what I was looking for in the Aruba OS manuals but couldn't find a clear explanation.