Which authorization method is the Cisco best practice to allow endpoints access to the Apple App store or Google Play store with Cisco WLC software version 7.6 or newer?

A. dACL
B. DNS ACL
C. DNS ACL defined in Cisco ISE
D. redirect ACL


One thought on “Which authorization method is the Cisco best practice to allow endpoints access to the Apple App store or Google Play store with Cisco WLC software version 7.6 or newer?”

Cisco ISE provides the ability to redirect users through an MDM workflow to assist in the on-boarding of mobile devices. Using integration of MDMs like MobileIron or AirWatch, you can allow registered and compliant devices onto your network, while automatically facilitating MDM enrollment for other devices. While the authorization policy for these workflows is relatively straightforward, the specification of traffic flows for redirection to the MDM portal can be somewhat challenging.

This challenge is primarily due to the need to access the Apple App Store or the Google Play Store to download the required MDM applications during on-boarding. While we may be okay with allowing people out to the internet, we still need to make sure we are capturing and redirecting web requests to the MDM enrollment portal. This is ultimately very similar to central web authentication redirect, but with more access requirements. If users can’t download the needed app(s) during the on-boarding process, they will likely not be able to get fully on-boarded.

As this pretty much always takes place on wireless, the redirect ACL is limited to the feature sets of the Cisco Wireless LAN Controller platform. If we were stuck with IP-based filtering, it would be a full-time job to hunt down all possible IP addresses. To make matters more difficult, we can’t just restrict internet usage to certain ports because the app stores rely on TCP 80 and 443, as well as other ports, for access to their servers. Enter DNS-based Access Control Lists on the Cisco WLC.

DNS-based ACLs allow us to specify URLs in our standard access control lists as additional permit statements (aka whitelisted URLs) in addition to standard IP-based filtering. Admittedly, the feature took a bit to figure out. Initially, I was testing by applying an ACL to the WLAN using the Advanced tab settings and testing access, which proved to be pretty much useless. Success finally became an option when applying it specifically as a redirect ACL via ISE authorization permissions. At that point, anything that was specified as a permit on the IP-based filter or a URL on the list would bypass the redirection.
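As an added illustration (not part of the comment above and not Cisco WLC code), this Python model shows the decision logic the comment describes: explicit IP permits and addresses learned by snooping DNS answers for whitelisted URL domains bypass the redirect, other web requests are redirected to the enrollment portal, and everything else is dropped. The class, the suffix matching of sub-domains, the addresses and the DNS answers are all constructed assumptions.

```python
"""Model of how a DNS-based redirect ACL on a Cisco WLC decides whether a
client flow bypasses the ISE/MDM redirect.  Illustrative model only, not WLC
code; the matching rules below are assumptions based on the comment above."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class DnsRedirectAcl:
    name: str
    ip_permits: list                 # (network, dst_port or None)
    url_domains: list                # whitelisted domains, e.g. "play.google.com"
    learned: dict = field(default_factory=dict)   # snooped IP -> domain

    def domain_allowed(self, qname):
        # Suffix matching of sub-domains is an assumption of this model.
        qname = qname.rstrip(".").lower()
        return any(qname == d or qname.endswith("." + d) for d in self.url_domains)

    def snoop_dns_answer(self, qname, answers):
        """Learn A-record addresses answered for a whitelisted domain; returns count."""
        if not self.domain_allowed(qname):
            return 0
        for ip in answers:
            self.learned[ip_address(ip)] = qname
        return len(answers)

    def decide(self, dst_ip, dst_port):
        dst = ip_address(dst_ip)
        for net, port in self.ip_permits:
            if dst in ip_network(net) and port in (None, dst_port):
                return "permit"      # explicit IP-based permit, e.g. the ISE portal
        if dst in self.learned:
            return "permit"          # address resolved from a whitelisted URL domain
        if dst_port in (80, 443):
            return "redirect"        # web request is sent to the MDM enrollment portal
        return "deny"

def demo():
    # Addresses come from RFC 5737 documentation ranges; all values are constructed.
    acl = DnsRedirectAcl("MDM-REDIRECT",
                         ip_permits=[("198.51.100.10/32", 8443), ("192.0.2.53/32", 53)],
                         url_domains=["apple.com", "play.google.com"])
    acl.snoop_dns_answer("itunes.apple.com.", ["203.0.113.5", "203.0.113.6"])
    return {"ise_portal": acl.decide("198.51.100.10", 8443),
            "app_store": acl.decide("203.0.113.5", 443),
            "other_web": acl.decide("203.0.113.77", 80),
            "ssh": acl.decide("203.0.113.77", 22)}

if __name__ == "__main__":
    print(demo())
```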
