Got it, newer versions of IOS-XE 17.X on Cisco switches do support DNS ACL entries. The switch performs a DNS lookup at set intervals and dynamically updates the IP in the ACL based on the DNS result. It does have limitations, though, around the number of results it will install. I'm not aware of Aruba switches having such a feature.
I would consider using a firewall upstream for this use case.
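To make the DNS-based ACL behaviour described above concrete, here is an added Python sketch (not Cisco or Aruba code) that expands explicit FQDNs into NAS-Filter-Rule lines in the syntax used in this thread, enforces a cap on installed entries, and shows why a wildcard such as *.manage.microsoft.com yields no entries. The hostnames, addresses and the resolver are constructed stand-ins so it runs offline.

```python
"""Sketch of a periodic DNS-to-ACL refresh (added example, not vendor code)."""

# Constructed DNS answers standing in for a real resolver (assumption: in a
# real deployment these would come from an actual DNS query at each interval).
FAKE_DNS = {
    "enrollment.manage.microsoft.com": ["203.0.113.10", "203.0.113.11"],
    "portal.manage.microsoft.com": ["203.0.113.20"],
}


def resolve(fqdn: str) -> list[str]:
    """Stub lookup. A wildcard like *.manage.microsoft.com is not a resolvable
    name, so it returns no addresses and therefore installs no ACL entries."""
    if fqdn.startswith("*."):
        return []
    return FAKE_DNS.get(fqdn, [])


def build_rules(fqdns, ports=(80, 443), max_entries=8):
    """Expand FQDN intent into NAS-Filter-Rule lines (same syntax as the
    enforcement profile in this thread). Entries beyond max_entries are dropped
    and reported, mirroring the installed-result limit mentioned for IOS-XE."""
    rules, skipped = [], []
    for fqdn in fqdns:
        addrs = resolve(fqdn)
        if not addrs:
            skipped.append((fqdn, "no DNS answer"))
            continue
        for ip in addrs:
            for port in ports:
                if len(rules) >= max_entries:
                    skipped.append((f"{fqdn} {ip}:{port}", "entry cap reached"))
                    continue
                rules.append(f"permit in tcp from any to {ip} {port} CNT")
    return rules, skipped


def refresh(current, fqdns, **kw):
    """One refresh cycle: rebuild the rule set and report churn, so an operator
    can see which entries a changed DNS answer would add or remove."""
    new_rules, _ = build_rules(fqdns, **kw)
    added = [r for r in new_rules if r not in current]
    removed = [r for r in current if r not in new_rules]
    return new_rules, added, removed


if __name__ == "__main__":
    rules, skipped = build_rules(list(FAKE_DNS) + ["*.manage.microsoft.com"])
    print("\n".join(rules))
    print("skipped:", skipped)
```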
Original Message:
Sent: 2/21/2024 7:02:00 AM
From: MatthiasP
Subject: RE: NAS-Filter-Rule permit to FQDN instead of IP
You're absolutely right, it would have been a good idea to consider the use case :-)
We have several Aruba 2540 and Aruba 2530 switches. These switches are integrated to our ClearPass environment.
I've implemented a wired MAC-based service, which works fine. If a client is connected to the switch and doesn't use 802.1X, a guest logon enforcement profile is assigned.
This profile redirects to the captive portal and allows TCP 80 and 443 to the captive portal. All other HTTP and HTTPS traffic is denied:
1. Radius:IETF Session-Timeout = 10800
2. Radius:IETF Termination-Action = RADIUS-Request (1)
3. Radius:IETF Tunnel-Type = VLAN (13)
4. Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)
5. Radius:IETF Tunnel-Private-Group-Id = 65
6. Radius:Hewlett-Packard-Enterprise HPE-Captive-Portal-URL = https://fqdn/guest/oc_wired.php
7. Radius:IETF NAS-Filter-Rule = permit in udp from any to any 53 CNT
8. Radius:IETF NAS-Filter-Rule = permit in udp from any to any 67 CNT
9. Radius:IETF NAS-Filter-Rule = permit in tcp from any to 10.x.x.x 80 CNT
10. Radius:IETF NAS-Filter-Rule = permit in tcp from any to 10.x.x.x 443 CNT
11. Radius:IETF NAS-Filter-Rule = deny in tcp from any to any 80 cpy CNT
12. Radius:IETF NAS-Filter-Rule = deny in tcp from any to any 443 cpy CNT
The same profile is applied if I connect a client and try to install the client via Microsoft Autopilot. For this I would like to permit in tcp from any to *.manage.microsoft.com
Original Message:
Sent: Feb 20, 2024 12:09 PM
From: ahollifield
Subject: NAS-Filter-Rule permit to FQDN instead of IP
Depends, what is the NAD? This is an ACL to a switch? What exactly is the use-case?
Original Message:
Sent: Feb 20, 2024 09:38 AM
From: MatthiasP
Subject: NAS-Filter-Rule permit to FQDN instead of IP
Hi everybody,
is it possible to implement a NAS-Filter-Rule using an FQDN instead of an IP?
Example:
permit in tcp from any to 10.1.1.10 443 CNT works fine, but is it possible to use something like:
permit in tcp from any to *.manage.microsoft.com 443 CNT
Kind regards
Matthias