Configuring an FQDN ACL
This document describes how to configure an access control list (ACL) using a fully qualified domain name (FQDN). The Configuring an FQDN ACL feature allows you to configure and apply an ACL to a wireless session based on the domain name system (DNS). The domain names are resolved to IP addresses, the IP addresses are given to the client as part of the DNS response, and the FQDN is then mapped to an ACL based on those IP addresses.
- Finding Feature Information
- Restrictions for Configuring FQDN ACL
- Information About Configuring an FQDN ACL
- How to Configure FQDN ACL
- Monitoring an FQDN ACL
- Configuration Examples for an FQDN ACL
- Additional References for Configuring FQDN ACL
- Feature Information for Configuring FQDN ACL
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Configuring FQDN ACL
The Configuring FQDN ACL feature is supported only on IPv4 wireless sessions.
Information About Configuring an FQDN ACL
Configuring an FQDN ACL
When access control lists (ACLs) are configured using a fully qualified domain name (FQDN), ACLs can be applied based on the destination domain name. The destination domain name is then resolved to an IP address, which is provided to the client as a part of the DNS response.
Guest users can log in using web authentication with a parameter map that consists of an FQDN ACL name.
You can apply an access list to a specific domain by configuring the RADIUS server to send the fqdn-acl-name AAA attribute to the controller. The operating system checks for the passthrough domain list and its mapping, and permits the FQDN. The FQDN ACL allows clients to access only configured domains without authentication.
Note: By default, an IP access list name is configured with the same name as the pass-through domain name. To override the default name, you can use the access-session passthrou-access-group access-group-name passthrou-domain-list domain-list-name command in global configuration mode.
How to Configure FQDN ACL
Configuring an IP Access List
1. configure terminal
2. ip access-list extended name
3. permit ip any any
4. end
Configuring a Domain Name List
You can configure a domain name list that contains a list of domain names that are allowed for DNS snooping by the access point. The DNS domain list name string must be identical to the extended access list name.
1. configure terminal
2. passthrou-domain-list name
3. match word
4. end
Mapping the FQDN ACL with a Domain Name
1. configure terminal
2. access-session passthrou-access-group access-group-name passthrou-domain-list domain-list-name
3. parameter-map type webauth domain-list-name and login-auth-bypass fqdn-acl-name acl-name domain-name domain-name
Monitoring an FQDN ACL
The following commands can be used to monitor FQDN ACLs.
Command | Purpose |
---|---|
show access-session interface interface-name details | Displays the FQDN ACL information configured on the interface. |
show access-session fqdn fqdn-maps | Displays the FQDN ACL mapped to the domain name list. |
show access-session fqdn list-domain domain-name | Displays the domain names. |
show access-session fqdn passthru-domain-list | Displays the domains that are configured. |
Configuration Examples for an FQDN ACL
Examples: FQDN ACL Configuration
Creating the extended IP access list:

```
# config terminal
(config)# ip access-list extended abc
(config-ext-nacl)# permit ip any any
(config-ext-nacl)# end
# show ip access-list abc
```

Creating the domain name list:

```
# config terminal
(config)# passthrou-domain-list abc
(config-fqdn-acl-domains)# match play.google.com
(config-fqdn-acl-domains)# end
# show access-session fqdn fqdn-maps
```

Mapping the access group to the domain list:

```
# config terminal
(config)# access-session passthrou-access-group abc passthrou-domain-list abc
(config)# end
# show access-session interface vlan 20
```

Configuring the web authentication parameter map:

```
# config terminal
(config)# parameter-map type webauth abc
(config-params-parameter-map)# login-auth-bypass fqdn-acl-name abc domain-name abc
(config-params-parameter-map)# end
# show access-session fqdn fqdn-maps
```
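The FQDN ACL feature only works when the four pieces configured in the procedure above agree with each other: the extended ACL, the passthrou-domain-list (whose name must be identical to the extended ACL name), the access-session binding, and the webauth parameter map. The following Python script is an added example, not part of this module or of Cisco IOS; it parses a constructed running-config excerpt built from the commands shown above and reports dangling or mismatched references before the configuration is pushed to a device.

```python
import re

# Constructed sample running-config using the names from the examples above.
SAMPLE_CONFIG = """\
ip access-list extended abc
 permit ip any any
!
passthrou-domain-list abc
 match play.google.com
!
access-session passthrou-access-group abc passthrou-domain-list abc
!
parameter-map type webauth abc
 login-auth-bypass fqdn-acl-name abc domain-name abc
"""


def parse_fqdn_acl_config(text):
    """Collect the names each FQDN ACL component declares or references."""
    acls = set(re.findall(r"^ip access-list extended (\S+)", text, re.M))
    domain_lists = set(re.findall(r"^passthrou-domain-list (\S+)", text, re.M))
    bindings = re.findall(
        r"^access-session passthrou-access-group (\S+) passthrou-domain-list (\S+)",
        text, re.M)
    bypasses = re.findall(
        r"^\s*login-auth-bypass fqdn-acl-name (\S+) domain-name (\S+)", text, re.M)
    return acls, domain_lists, bindings, bypasses


def check_fqdn_acl_config(text):
    """Return a list of consistency findings; an empty list means the mapping is sound."""
    acls, domain_lists, bindings, bypasses = parse_fqdn_acl_config(text)
    findings = []
    for acl, dl in bindings:
        if acl not in acls:
            findings.append(f"binding references undefined extended ACL {acl}")
        if dl not in domain_lists:
            findings.append(f"binding references undefined domain list {dl}")
        # The domain-list name must be identical to the extended ACL name.
        if acl != dl:
            findings.append(f"domain list {dl} does not match ACL name {acl}")
    bound_acls = {acl for acl, _ in bindings}
    for acl, dl in bypasses:
        if acl not in bound_acls:
            findings.append(f"webauth bypass names unbound FQDN ACL {acl}")
        if dl not in domain_lists:
            findings.append(f"webauth bypass names undefined domain list {dl}")
    return findings


if __name__ == "__main__":
    print(check_fqdn_acl_config(SAMPLE_CONFIG) or "FQDN ACL mapping is consistent")
```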
Additional References for Configuring FQDN ACL
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
Security commands | |
ACL configuration guide | Security Configuration Guide: Access Control Lists |
Technical Assistance
Description | Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
Feature Information for Configuring FQDN ACL
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.