Hi, sorry for the long question:
We have set up an externally hosted captive portal with RADIUS authentication using the Campus WLAN wizard.
We have the 512-AP PEFNG firewall installed, and a few domains are whitelisted as a PEFNG firewall destination, with that destination whitelisted under the L3 authorization tab of the captive portal profile.
The whitelisted domains consist of facebook.com, twitter.com, twimg.com, fbcdn.net, etc., the common social media sites.
Our WiFi clients are being served the splash page, but can only go to facebook.com to complete the authentication if we add "svc-https" (which just allows all port 443 traffic through) to the AAA pre-authentication user role. This unfortunately enables all HTTPS access. If we do not add "svc-https" to the pre-authentication user role's access control list, the client cannot be forwarded to facebook.com or twitter.com (page load dropped or timed out), even though it is allowed as a whitelisted destination under L3 authentication.
We have also tried to create an inverted firewall destination rule, which rejects HTTPS traffic to all domains other than facebook.com, fbcdn.net, akamaihd.net, etc., the domains necessary for Facebook login. This also does not work. Without completing the authentication, the client can still access HTTPS resources such as https://youtube.com/ as long as the svc-https rule is there (which is needed for them to get onto facebook.com to complete sign-in).
We have tried putting the access rule before and after svc-https; it does not change a thing, domain whitelisting is not working.
The situation is as if the PEFNG destination domains are being ignored, even though we have definitely specified them under the AAA pre-auth role.
If we allow all HTTPS communication through, the clients can authenticate properly with Facebook, with the correct RADIUS authentication following after that, and everything works. The only issue we have is that we have to allow all HTTPS communication in order for the client to go to the external social media sites. PEFNG-based domain whitelisting is being ignored.
We have set up a very similar setup before, also using the Campus WLAN wizard, and we did not have any problem back then. This current setup is behind a switch and all clients are being assigned to VLAN ID 500. Not sure if that changes anything, but as long as we enable all HTTPS communication, everything works.
Is there some other setting we are missing in order to make the controller apply the domain-based destination whitelist? We see the first access role created by the controller already whitelists HTTP/HTTPS traffic to the whitelisted domains that we have under Stateful Firewall -> Destination.
It seems the access role is only applying IP- and port-based whitelisting rather than domain-based whitelisting.
Did you configure a DNS server on the controller and configure ip domain-lookup?
Thanks. Initially our DNS wasn't resolving. We have added dns-acl to the pre-authentication role and that seems to have resolved that issue. We also had to add dhcp-acl and icmp-acl to the pre-auth role.
The controller itself needs to resolve the URLs that users are looking up, so you need to do this:
ip name-server 18.104.22.168
The USERS will use whatever DNS server they obtain via DHCP, but that is separate from what you need to do above to allow and block domains.
If things are solved, okay, good.
Thanks, we will try this today.
Can you please tell us the correct command on the controller to test domain resolution?
Let's say I want to see how the controller itself resolves fbcdn.net; what do I have to type into the console?
Thanks a lot.
We have now set the DNS on the controller to be the same as what the user's phone will get from DHCP.
Now in the ACL, the controller is allowing some domains but is not allowing others. For example, if we whitelist both facebook.com and twitter.com in the ACL, it will only partially allow facebook.com (i.e., some images don't load).
Question: how does the Aruba controller handle domain-based ACLs? How does this work when it's a sub-domain of an allowed domain (e.g., mobile.twitter.com)? In this case, if twitter.com was in the ACL, how does the controller allow mobile.twitter.com (does it maintain a cache of all lookups, as some of these sites have multiple load-balancing IPs)?
It seems the Aruba controller needs to be the DNS proxy for the domain-based filters to work. Please confirm.
Essentially, the user device must use the controller as the DNS server and the controller will then proxy the requests upstream. Let us know if this is required, or if the user devices can use a different DNS server. If not, can the user device use a different DNS IP but have the requests NAT-ed to the controller?
Hello, can you tell us why we are getting this error:
(192.168.0.202) (config) #ip name-server 22.214.171.124
Failed to update domain
(192.168.0.202) (config) #ip name-server 192.168.0.101
Failed to update domain
That message is cosmetic, but wrong. You typically get that message if you already have those name servers configured.
Type "show configuration | include name-server" to see if that is the case.
Thanks, it indeed shows that I now have 2 DNS servers set up in the controller.
Can you tell me how to remove the DNS entries from the controller?
no ip name-server 126.96.36.199
Can you tell me what I am doing wrong? Why is the controller not answering DNS queries:
(config) #show configuration | include name-server
ip name-server 188.8.131.52
(config) #show configuration | include lookup
ip domain lookup
On the client laptop over wifi:
nslookup google.com 192.168.0.201
Server: 192.168.0.201
Address: 192.168.0.201#53
** server can't find google.com: REFUSED
I have checked the firewall rule; it is enabling IP number 17 on port 53, which is UDP for DNS?
When you put that config into the controller it gives a warning that a reboot may be required.
Have you rebooted the controller? I have always been sceptical of the need for a reboot, but have seen a few cases recently where the DNS lookups on the controller started working after a reboot.
Hi Mike, thanks. Yes, we have rebooted the controller.
But after the reboot, it does not want to answer DNS queries.
We don't have any kind of firewall rule between the wifi client and the controller; it is a direct connection via wifi.
Did you type "ping www.yahoo.com" on the command line of the controller? What is the result?
Type "show firewall dns-names" to see if any FQDNs in an ACL have been resolved by the controller.
(Aruba7640-US) #show firewall dns-names
FW DNS names
Name Id InUse List
---- -- ----- ----
accounts.google.com 1 1 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206
facebook.com 5 1 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206
graph.facebook.com 3 1 220.127.116.11 18.104.22.168 22.214.171.124
ssl.gstatic.com 2 1 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
fbstatic-a.akamaihd.net 4 1 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
(config) #show firewall dns-names
FW DNS names
Name Id InUse List
---- -- ----- ----
mailgun.net 14 1
twimg.com 11 1 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
mbna.ca 17 1
bootstrapcdn.com 13 1 22.214.171.124
connect.facebook.net 5 1
facebook.com 3 1 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
twitter.com 10 1 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
And ping www.yahoo.com is very strange: I was able to run ping with a domain name before, but now it tells me there's an error in the ping command's syntax.
<target-ip-address> Send ICMP echo packets to the specified ip address.
ipv6 Ping an IPv6 address.
Incorrect input! Use 'ping <target-ip-address>'
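The two questions open at this point of the thread (why some whitelisted sites only partially load, and how a sub-domain such as mobile.twitter.com relates to a twitter.com entry) can both be checked from the "show firewall dns-names" output above. The script below is an added example for this thread, not Aruba code and not part of the original posts. It parses a capture in the same layout as the output above (the capture and all addresses here are constructed, using RFC 5737 ranges), flags names the controller has in an ACL but has never resolved, and compares the controller's cached addresses with what a client on the WLAN actually resolved (also constructed). Any address a client connects to that is not in the controller's cache is a candidate for the "page load dropped" behaviour described earlier. The parent-domain matching in `covering_entry` is an assumption that models the thread's question about sub-domains; it is not a statement of how the controller behaves.

```python
"""Offline check of an ArubaOS 'show firewall dns-names' capture against the
addresses a WLAN client actually resolves. Added example, not Aruba code."""
import re
from collections import OrderedDict

# Constructed sample in the layout of 'show firewall dns-names' (RFC 5737 addresses).
SHOW_OUTPUT = """\
(config) #show firewall dns-names
FW DNS names
Name Id InUse List
---- -- ----- ----
mailgun.net 14 1
twimg.com 11 1 192.0.2.10 192.0.2.11 192.0.2.10
connect.facebook.net 5 1
facebook.com 3 1 192.0.2.20 192.0.2.21
twitter.com 10 1 192.0.2.30 192.0.2.31 192.0.2.32
"""

# Constructed: what a client resolved via its DHCP-assigned DNS server.
CLIENT_ANSWERS = {
    "facebook.com": {"192.0.2.20", "192.0.2.22"},
    "twimg.com": {"192.0.2.10"},
    "twitter.com": {"192.0.2.31"},
    "mobile.twitter.com": {"192.0.2.40"},
    "connect.facebook.net": {"192.0.2.50"},
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dns_names(text):
    """Return {name: (id, in_use, set_of_addresses)} from the show output.
    Header, separator and prompt lines are skipped; repeated addresses collapse."""
    entries = OrderedDict()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[1].isdigit() or not parts[2].isdigit():
            continue
        name, fw_id, in_use = parts[0], int(parts[1]), int(parts[2])
        addrs = {p for p in parts[3:] if IPV4.match(p)}
        entries[name] = (fw_id, in_use, addrs)
    return entries


def unresolved_names(entries):
    """Names referenced by an ACL (InUse) with no cached address: the
    name-based rule has nothing to match until the controller resolves them."""
    return [n for n, (_, in_use, addrs) in entries.items() if in_use and not addrs]


def covering_entry(host, entries):
    """Return the cached entry equal to the host or to a parent domain
    (mobile.twitter.com -> twitter.com). Assumption for illustration only;
    whether the controller matches sub-domains this way is the thread's open question."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def uncovered_client_addresses(entries, client_answers):
    """For each host the client resolved, the addresses absent from the
    controller's cache; traffic to these is not matched by the name rule."""
    gaps = {}
    for host, addrs in client_answers.items():
        covering = covering_entry(host, entries)
        cached = entries[covering][2] if covering else set()
        missing = addrs - cached
        if missing:
            gaps[host] = sorted(missing)
    return gaps


if __name__ == "__main__":
    cache = parse_dns_names(SHOW_OUTPUT)
    print("never resolved by the controller:", unresolved_names(cache))
    for host, missing in uncovered_client_addresses(cache, CLIENT_ANSWERS).items():
        print(f"{host}: client uses {missing}, not in controller cache")
```

To run this against a real controller, paste the actual "show firewall dns-names" output into SHOW_OUTPUT and fill CLIENT_ANSWERS from nslookup on a client in the pre-auth role; the script needs no network access itself. Names that show up as never resolved are the ones to investigate first (name-server reachability, the reboot discussed above), and hosts with uncovered addresses explain partial page loads when a CDN hands the client an address the controller has not cached.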
Did you do:
Yes, as you can see:
(config) #show configuration | include lookup
ip domain lookup
Did you reboot after you changed the option? It will work "sometimes" if you do not reboot.
Yes, we have rebooted it; we also made sure we did a write memory.
Try doing :
no ip domain-lookup
If that does not work, please open a TAC case, because we would need to understand the state of your device to understand what could possibly be happening.