Occasional Contributor II
Posts: 33
Registered: ‎10-16-2013

ClearPass access via Guest network

Hello,

 

I have configured on my controller an initial role (for Guest) where I added 2 more rules for HTTP and HTTPS access to the ClearPass manager. In this case, if a user connects, he gets the initial role and is able to get the captive portal from the ClearPass manager. BUT if I specify in HTTP the IP of the ClearPass manager, then I get a window for ClearPass and I am not redirected to the CP window. It might be a security issue for us. What is the recommendation? I am using only the management port on the ClearPass manager; should I use the data port for this problem?

 

Thanks,

Dusan

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: ClearPass access via Guest network

HTTP should be redirected as well. Can you post your initial role?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 33
Registered: ‎10-16-2013

Re: ClearPass access via Guest network

This is the initial role:

 

(POD20AW1) #show rights CPG-Login

Derived Role = 'CPG-Login'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 50/0
 Max Sessions = 65535

 Captive Portal profile = ClearPass-CaptivePortal

access-list List
----------------
Position  Name           Type     Location
--------  ----           ----     --------
1         CP-webACL      session
2         logon-control  session
3         captiveportal  session

CP-webACL
---------
Priority  Source  Destination     Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------     -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    192.168.100.22  svc-http   permit                           Low                                                           4
2         user    192.168.100.22  svc-https  permit                           Low                                                           4
logon-control
-------------
Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68    deny                             Low                                                           4
2         any     any                      svc-icmp  permit                           Low                                                           4
3         any     any                      svc-dns   permit                           Low                                                           4
4         any     any                      svc-dhcp  permit                           Low                                                           4
5         any     any                      svc-natt  permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

 

Dusan
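To make the behaviour in the role output above easier to reason about, here is a small first-match simulator over the session ACLs of CPG-Login (added illustration, not code from the thread or from Aruba). The rules are transcribed from the show rights output; the evaluation model (ACLs and rules checked in listed order, first match wins) and the placeholder controller address are assumptions.

```python
from dataclasses import dataclass

CLEARPASS = "192.168.100.22"   # ClearPass address from the CP-webACL rules above
CONTROLLER = "10.0.0.1"        # constructed placeholder for the 'controller' alias


@dataclass(frozen=True)
class Rule:
    acl: str       # name of the session ACL the rule belongs to
    dst: str       # 'any', 'controller' or a literal IP
    proto: str     # 'tcp' or 'udp'
    port: int      # destination port
    action: str    # 'permit', 'deny' or 'dst-nat <port>'


# Subset of the role in the order the controller lists it:
# CP-webACL (position 1), logon-control (2), captiveportal (3).
ROLE = [
    Rule("CP-webACL", CLEARPASS, "tcp", 80, "permit"),          # svc-http
    Rule("CP-webACL", CLEARPASS, "tcp", 443, "permit"),         # svc-https
    Rule("logon-control", "any", "udp", 53, "permit"),          # svc-dns
    Rule("captiveportal", "controller", "tcp", 443, "dst-nat 8081"),
    Rule("captiveportal", "any", "tcp", 80, "dst-nat 8080"),
    Rule("captiveportal", "any", "tcp", 443, "dst-nat 8081"),
]


def evaluate(role, dst_ip, proto, port):
    """Return (acl_name, action) of the first rule matching a user-sourced flow."""
    for r in role:
        dst_ok = (r.dst == "any" or r.dst == dst_ip
                  or (r.dst == "controller" and dst_ip == CONTROLLER))
        if dst_ok and r.proto == proto and r.port == port:
            return r.acl, r.action
    return None, "implicit deny"   # assumed default when nothing matches


if __name__ == "__main__":
    # HTTP aimed straight at ClearPass hits the permit in CP-webACL before the
    # captiveportal dst-nat rule ever gets a chance; HTTP to anywhere else is redirected.
    print(evaluate(ROLE, CLEARPASS, "tcp", 80))
    print(evaluate(ROLE, "93.184.216.34", "tcp", 80))
```

Because CP-webACL sits at position 1, a browser pointed directly at the ClearPass address is permitted through rather than NATed to the portal redirector, which is the observation in the first post.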

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: ClearPass access via Guest network

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Limit-guests-from-accessing-tips/td-p/93478
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 33
Registered: ‎10-16-2013

Re: ClearPass access via Guest network

Thanks
