Configure Mobility Express for Umbrella

There are two scenarios in which Mobility Express can be configured for Cisco Umbrella:

• A Cisco Umbrella profile can be incorporated in a user-role-based local policy.
• A Cisco Umbrella profile can be applied to a WLAN and AP Group.

In the first scenario, the goal is to restrict access to particular sites based on user role types. For example, regular employees might be permitted full internet access barring sites such as adult, gambling, nudity. At the same time, contractor access might be more rigid, barring access to social websites, sports, and news, as well as categories barred for employees.

Table of Contents

• Prerequisites
• Configure a Role-Based Local Policy
• Configure an Umbrella Policy
• Apply a Cisco Umbrella Profile to a WLAN and AP Group

Prerequisites

• A Cisco Wireless LAN Controller running AireOS 8.8MR1 or later (to upgrade to AireOS 8.8MR1, AireOS 8.0 or higher release must be installed).
• The public facing external interface of the WLC must be able to access api.opendns.com over port 443 in order to complete initial registration.
• TCP and UDP on port 53 (DNS) must point to 208.67.220.220 and 208.67.222.222 (Cisco Umbrella public DNS resolvers).
• If there are any devices in front of the ISR that may block DNSCrypt because packets may not look like actual DNS packets, the DNSCrypt feature may not work. For more information and an example of the problem, see Cisco ASA Firewall blocks DNSCrypt.
• Full Admin access to the Umbrella dashboard.

Configure a Role-Based Local Policy

To configure a local policy, the procedure is to generate an API token in Umbrella that is applied in Mobility Express, enable Umbrella globally, and create Umbrella profiles for employees and contractors.

1. Navigate to Admin > API Keys​.

2. Expand Legacy Network Devices and click Generate Token.
3. Copy your token. The API token is a long alphanumeric set of characters.

4. In Mobility Express, switch to Expert View.

5. Navigate to Services > Umbrella. Enable Umbrella Global Status.
6. Paste in the Umbrella API token you copied and click Apply.

7. Click Add Profile. In the Add Profile window, enter a Profile Name and click Apply.

8. Verify that the State changes from Registration in Progress to Profile Registered.
   This may take a few seconds, and may require you to refresh your browser window.

9. In the Umbrella dashboard, navigate to Deployments > Core Identities > Network Devices. Verify that your WLC with both the Employee and Guest identities appear under Device Name.

Configure an Umbrella Policy

You can add a new policy or modify the Default policy to suit your needs. Policy creation procedures depend on your Umbrella package. For more information about policies, see documentation specific to your version of Umbrella:

• DNS User Guide
• SIG User Guide

Note: Not all Umbrella features are available to all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. For more information, see Cisco Umbrella Packages.

When configuring policies:

• For Umbrella SIG, add a ruleset to the Web policy.
• When selecting identities, select Network Devices.

Apply a Cisco Umbrella Profile to a WLAN and AP Group

1. In Mobility Express, switch to Expert View.
2. Navigate to Wireless Setting > WLANs.
3. In the Add/Edit WLAN/RLAN= window, click the Advanced tab.

4. Select the Umbrella Profile created for this WLAN.
5. Set Umbrella Mode to Ignore or Forced.
   When a client obtains DNS IPs, users can manually change them on the client device, thus bypassing Umbrella policy enforcement. To prevent this security compromise, configure Umbrella Mode to Forced. This ensures that Umbrella policy enforcement cannot be overridden on the client device.
6. Optionally, enable Umbrella DHCP Override.
   The DNS IP addresses that a client obtains when connecting to the SSID are configured on the DHCP server. For Umbrella enforcement to work, clients must send out DNS requests to Umbrella IP addresses (208.67.222.222, 208.67.220.220). Umbrella DHCP Override ignores the DNS IPs configured via DHCP and forces the Umbrella DNS IPs on the client device. If you set Umbrella Mode to Forced, above, you do not need to enable Umbrella DHCP Override.

7. Click Apply and Save your configuration.

Mobility Express Integration < Configure Mobility Express for Umbrella > Cisco SD-WAN Powered by Catalyst SD-WAN and Umbrella