Configure Mobility Express for Umbrella

Prerequisites

  • A Cisco Wireless LAN Controller (WLC) running AireOS 8.8MR1 or later (to upgrade to AireOS 8.8MR1, an AireOS 8.0 or higher release must be installed).
  • The public-facing external interface of the WLC must be able to access api.opendns.com over port 443 in order to complete initial registration.
  • TCP & UDP on port 53 (DNS) must point to 208.67.220.220 and 208.67.222.222 (the Cisco Umbrella public DNS resolvers).
  • If a device in front of the ISR blocks DNSCrypt because its packets may not look like actual DNS packets, the DNSCrypt feature may not work. For more information and an example of the problem, see Cisco Firewall Blocks DNSCrypt.
  • An admin account for the Cisco Umbrella dashboard.
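
The network prerequisites above can be checked before registration with a short script. This is an added example, not part of the original documentation; it assumes it is run from a host that shares the WLC's egress path, and the function names and the `example.com` test name are illustrative.

```python
import socket
import struct

UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")  # from the prerequisites
REGISTRATION_HOST = ("api.opendns.com", 443)               # from the prerequisites

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A query (recursion desired, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_valid_reply(reply, txid=0x1234):
    """True when the reply echoes our ID and has the QR (response) bit set."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)

def check_udp53(resolver, name="example.com", timeout=3.0):
    """Send a real query over UDP/53 and require a matching DNS response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (resolver, 53))
            return is_valid_reply(s.recvfrom(512)[0])
        except OSError:  # timeout, unreachable, filtered
            return False

def check_tcp(host, port, payload=None, timeout=3.0):
    """TCP reachability; with a payload, also expect a DNS-over-TCP reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload is None:
                return True
            # DNS over TCP prefixes each message with a 2-byte length.
            s.sendall(struct.pack("!H", len(payload)) + payload)
            data = s.recv(514)
            return len(data) > 2 and is_valid_reply(data[2:])
    except OSError:
        return False

if __name__ == "__main__":
    print("api.opendns.com tcp/443:", check_tcp(*REGISTRATION_HOST))
    for r in UMBRELLA_RESOLVERS:
        tcp_ok = check_tcp(r, 53, build_query("example.com"))
        print(r, "udp/53:", check_udp53(r), "tcp/53:", tcp_ok)
```

The script tests plain DNS only and does not exercise DNSCrypt, so a device that filters DNSCrypt packets can still pass these checks.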

Overview

There are two scenarios in which Mobility Express can be configured for Cisco Umbrella:

  • A Cisco Umbrella profile can be incorporated in a user-role-based local policy.
  • A Cisco Umbrella profile can be applied to a WLAN and AP Group.

In the first scenario, the goal is to restrict access to particular sites based on user role types. For example, regular employees might be permitted full internet access except for categories such as adult, gambling, and nudity. At the same time, contractor access might be more rigid, barring access to social websites, sports, and news, as well as the categories barred for employees.

Configure a Role-based Local Policy

To configure a local policy, the procedure is to generate an API token in Umbrella that is applied in Mobility Express, enable Umbrella globally, and create Umbrella profiles for employees and contractors.

  1. In the Umbrella dashboard, navigate to Admin > API Keys and click Create.
  2. Select Legacy Network Devices and click Create.
  3. Expand Legacy Network Devices, and then copy the API token (Your Key) so that you can complete the next steps.
    The API token is a long alphanumeric set of characters.
  4. In Mobility Express, switch to Expert View.
  5. Navigate to Services > Umbrella. Enable Umbrella Global Status.
  6. Paste in the Umbrella API token you copied and click Apply.
  7. Click Add Profile. In the Add Profile window, enter a Profile Name and click Apply.
  8. Verify that the State changes from Registration in Progress to Profile Registered.
    This may take a few seconds, and may require you to refresh your browser window.
  9. In the Umbrella dashboard, navigate to Deployments > Core Identities > Network Devices. Verify that your WLC, with both the Employee and Guest identities, appears under Device Name.

Configure an Umbrella Policy

You can add a new policy or modify the Default policy to suit your needs. Policy creation procedures depend on your Umbrella package. For more information about policies, see documentation specific to your version of Umbrella:

Note: Not all Umbrella features are available to all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.

When configuring policies:

  • For Umbrella SIG, add a DNS policy.
  • When selecting identities, select Network Devices.

Apply a Cisco Umbrella Profile to a WLAN and AP Group

  1. In Mobility Express, switch to Expert View.
  2. Navigate to Wireless Setting > WLANs.
  3. In the Add/Edit WLAN/RLAN window, click the Advanced tab.
  4. Select the Umbrella Profile created for this WLAN.
  5. Set Umbrella Mode to Ignore or Forced.
    When a client obtains DNS IPs, users can manually change them on the client device, thus bypassing Umbrella policy enforcement. To prevent this security compromise, configure Umbrella Mode to Forced. This ensures that Umbrella policy enforcement cannot be overridden on the client device.
  6. Optionally, enable Umbrella DHCP Override.
    The DNS IP addresses that a client obtains when connecting to the SSID are configured on the DHCP server. For Umbrella enforcement to work, clients must send out DNS requests to Umbrella IP addresses (208.67.222.222, 208.67.220.220). Umbrella DHCP Override ignores the DNS IPs configured via DHCP and forces the Umbrella DNS IPs on the client device. If you set Umbrella Mode to Forced, above, you do not need to enable Umbrella DHCP Override.
  7. Click Apply and Save your configuration.
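
To detect the bypass described under Umbrella Mode, flow records from a device upstream of the WLC can be checked for WLAN clients sending DNS to resolvers other than the two Umbrella addresses. This is an added example, not part of the original documentation; the record format, the sample addresses, and the `find_dns_bypass` name are constructed for illustration.

```python
import ipaddress

UMBRELLA_RESOLVERS = {ipaddress.ip_address("208.67.222.222"),
                      ipaddress.ip_address("208.67.220.220")}

# Constructed sample flow records: "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
10.10.20.15 208.67.222.222 udp 53
10.10.20.15 192.0.2.53 udp 53
10.10.20.31 208.67.220.220 tcp 53
10.10.20.31 198.51.100.7 tcp 443
10.10.30.8 192.0.2.53 tcp 53
10.10.30.8 203.0.113.9 udp 53
malformed line
"""

def find_dns_bypass(flow_text, wlan_subnet):
    """Return {client_ip: sorted non-Umbrella resolvers it sent DNS to}."""
    subnet = ipaddress.ip_network(wlan_subnet)
    offenders = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not match the assumed format
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[3])
        except ValueError:
            continue
        if parts[2] not in ("udp", "tcp") or port != 53:
            continue  # only plain DNS is in scope
        if src in subnet and dst not in UMBRELLA_RESOLVERS:
            offenders.setdefault(str(src), set()).add(str(dst))
    return {client: sorted(dsts) for client, dsts in offenders.items()}

if __name__ == "__main__":
    for client, dsts in find_dns_bypass(SAMPLE_FLOWS, "10.10.0.0/16").items():
        print(client, "->", ", ".join(dsts))
```

The check covers plain DNS on port 53 only; DNS carried over other ports or protocols does not appear in its results.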
