Wireless Access

Contributor I
Posts: 23
Registered: ‎01-25-2011

Can someone explain to me how does the session access-lists work with the type "name"?

I have configured a session access-list for OCSP verification and I have defined a netdestination with all names (FQDNs) for the CA's CRL and OCSP URLs. I have configured "ip name-server" and "ip domain lookup", and all seems to work well. But could someone please explain to me what the controller is doing in the backend when a session hits this ACL?

Does the controller do a DNS lookup every time the OCSP rule is hit?

Does the controller then cache the various DNS lookup results for the OCSP URLs?

Or is it possible that the controller is doing DNS snooping and determining the correct IPs from the DNS query results from the users during the OCSP checks?

 

## Example Configurations:

```
!
netdestination Named_OCSP_List
  name ocsp.ws.symantec.com
  name ocsp.geotrust.com
  name ocsp.thawte.com
  name ocsp.verisign.com
  name crl.verisign.com
  name SVRIntl-G3-crl.verisign.com
!

!
ip access-list session GUEST-LOGON_ACL
  any user svc-icmp  permit log
  user any udp 67  permit log
  user   alias Named_OCSP_List svc-http  permit log
  user any svc-http  dst-nat 8080 log
  user any svc-https  dst-nat 8081 log
  alias DHCP-Server user udp 68  permit log
  user   alias DNS-Server svc-dns  permit log
!
```

 

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Can someone explain to me how does the session access-lists work with the type "name"?


The controller makes the DNS query and then caches the results. You can show the current cache with:

```
#show firewall dns-names
```

(screenshot of the `show firewall dns-names` output, dns.PNG)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎04-22-2014

Re: Can someone explain to me how does the session access-lists work with the type "name"?

Nice post.

Another question about it.

Does somebody know how and when those table entries get flushed (the ones visible with *show firewall dns-names*)?

Pretty strange that new IP addresses get added to a specific domain name and not substituted.

Am I missing something!?

Thanks in advance for your tips.

 

ricweb74_unipr

Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Re: Can someone explain to me how does the session access-lists work with the type "name"?

ricweb74_unipr,

Those IP addresses are not used for forward lookups. They are used for reverse lookups. It is intended to see what IP address is resolved for an FQDN and then block/permit access to those IP addresses. If I want to block access to facebook.com, I need to know all of the IP addresses that it has resolved to, so I can block traffic to those IP addresses.

Colin Joseph
Aruba Customer Engineering

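The behaviour described in the answers above (the controller resolves each name in the alias, keeps every address a name has ever resolved to, and matches session destinations against that reverse table) can be modelled in a few lines. The following is an added illustration written for this thread, not ArubaOS code and not the actual data structure behind `show firewall dns-names`; the lookup history is constructed, the name list is a subset of `Named_OCSP_List`, and the `purge_older_than` aging rule is a hypothetical placeholder, since the thread does not say when entries are flushed.

```python
from collections import defaultdict
import ipaddress

# Constructed lookup history (not real DNS). Each inner list is the answer set
# the controller would get from one query to the configured "ip name-server".
CONSTRUCTED_LOOKUPS = {
    "ocsp.geotrust.com": [["192.0.2.10"], ["192.0.2.10", "192.0.2.11"]],
    "crl.verisign.com":  [["198.51.100.5"], ["198.51.100.6"]],
}

# Subset of the netdestination alias from the thread's example config.
NAMED_OCSP_LIST = {"ocsp.geotrust.com", "crl.verisign.com"}

# Fallback lines of GUEST-LOGON_ACL that apply when the alias line does not match.
DST_NAT_BY_SERVICE = {"svc-http": "dst-nat 8080", "svc-https": "dst-nat 8081"}


class FqdnAliasCache:
    """Models the dns-names table: addresses are appended per name (never
    replaced), and a reverse index answers 'which names resolved to this IP?'."""

    def __init__(self):
        self.name_to_ips = defaultdict(dict)  # name -> {ip: time_last_seen}
        self.ip_to_names = defaultdict(set)   # ip -> {names}, used by the ACL

    def record(self, name, answers, now):
        for ip in answers:
            ip = str(ipaddress.ip_address(ip))  # reject malformed answers
            self.name_to_ips[name][ip] = now
            self.ip_to_names[ip].add(name)

    def names_for(self, ip):
        return set(self.ip_to_names.get(str(ipaddress.ip_address(ip)), ()))

    def purge_older_than(self, max_age, now):
        # HYPOTHETICAL aging rule: the thread does not document how or when
        # ArubaOS flushes entries; this only shows why aging matters, because
        # every address ever learned stays permitted until it is removed.
        removed = 0
        for name, ips in list(self.name_to_ips.items()):
            for ip, seen in list(ips.items()):
                if now - seen > max_age:
                    del ips[ip]
                    self.ip_to_names[ip].discard(name)
                    if not self.ip_to_names[ip]:
                        del self.ip_to_names[ip]
                    removed += 1
        return removed

    def table(self):
        """Sorted view comparable to 'show firewall dns-names'."""
        return {name: sorted(ips) for name, ips in self.name_to_ips.items()}


def run_lookups(cache, history=CONSTRUCTED_LOOKUPS):
    """Replay the lookup rounds; round i is recorded at time i*3600 seconds."""
    rounds = max(len(answers) for answers in history.values())
    for i in range(rounds):
        for name, answers in history.items():
            if i < len(answers):
                cache.record(name, answers[i], now=i * 3600)
    return cache


def session_acl_action(cache, dst_ip, service="svc-http"):
    """Evaluate a guest session against the alias line and the dst-nat lines
    of GUEST-LOGON_ACL: the alias permits HTTP to any address currently
    associated with a listed name; everything else is redirected."""
    if service == "svc-http" and cache.names_for(dst_ip) & NAMED_OCSP_LIST:
        return "permit"
    return DST_NAT_BY_SERVICE.get(service, "no-match")


if __name__ == "__main__":
    cache = run_lookups(FqdnAliasCache())
    for name, ips in cache.table().items():
        print(f"{name:24} {', '.join(ips)}")
    print(session_acl_action(cache, "198.51.100.5"))
```

Running it shows what the second poster observed: `crl.verisign.com` ends up with both `198.51.100.5` and `198.51.100.6` even though the second lookup returned only the newer address. From a policy standpoint that is the thing to watch: the alias permits HTTP to every address in that accumulated set, so an address the CA has since released stays reachable from the guest role until the table entry is aged out.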

Contributor I
Posts: 23
Registered: ‎01-25-2011

Re: Can someone explain to me how does the session access-lists work with the type "name"?

Thanks for that! This is exactly what I was looking for in the Aruba OS manuals but couldn't find a clear explanation.
