Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass internal DNS name + wireless client have external DNS

  • 1.  ClearPass internal DNS name + wireless client have external DNS

    Posted Jul 06, 2015 06:09 PM


    Is it possible to give ClearPass an internal DNS name while the wireless clients have an external DNS but can still resolve this name?

    https://clearpass.domain.es/login.php --> https://192.168.1.1/login.php

    clearpass.domain.es -> 192.168.1.1

    client dns ip -> 8.8.8.8

     

    How is this configured in the controller?



  • 2.  RE: ClearPass internal DNS name + wireless client have external DNS
    Best Answer

    EMPLOYEE
    Posted Jul 06, 2015 06:11 PM

    You generally have two options in this case:

     

    1) Give your ClearPass servers public DNS entries pointing to the private addresses

    2) Use the upstream router's DNS proxy feature to intercept DNS queries for certain names



  • 3.  RE: ClearPass internal DNS name + wireless client have external DNS

    Posted Jul 07, 2015 05:30 AM

    Is it possible to configure the DNS proxy in the Aruba Controller?

    How would it be configured?



  • 4.  RE: ClearPass internal DNS name + wireless client have external DNS

    EMPLOYEE
    Posted Jul 07, 2015 06:05 AM

    smateos,

     

    You cannot configure DNS proxy in the controller, no.

     



  • 5.  RE: ClearPass internal DNS name + wireless client have external DNS

    EMPLOYEE
    Posted Jul 07, 2015 08:35 AM

    Like I said, you need to do it upstream.



  • 6.  RE: ClearPass internal DNS name + wireless client have external DNS

    Posted Jul 15, 2015 02:43 PM

    @cjoseph wrote:

    smateos,

     

    You cannot configure DNS proxy in the controller, no.

     


    A little thread hijack, I apologize.

     

    Has this ever been considered, cjoseph? The controller already does it for the captive portal certificate CN, so why not allow us to do a few extra interceptions? It would help a lot in this scenario.



  • 7.  RE: ClearPass internal DNS name + wireless client have external DNS

    EMPLOYEE
    Posted Jul 15, 2015 03:51 PM
    There are RFEs for it on the idea portal.


    Thanks,
    Tim


  • 8.  RE: ClearPass internal DNS name + wireless client have external DNS

    Posted Jul 15, 2015 03:58 PM

    Ah, thanks, time to vote on those.



  • 9.  RE: ClearPass internal DNS name + wireless client have external DNS

    Posted Jan 18, 2017 11:32 AM

    Is there another way to do this? We have been using our PA firewall for DNS proxy, but it seems to cause slowness with DNS requests. We are set up with MAC auth following CPPM self-sponsored registration. After that, my test PC is just using MAC auth; if I hard-code the DNS to 8.8.8.8 it's much faster, but if I leave it on the proxy IP it's much slower. Palo Alto doesn't seem to be able to figure out the problem with slowness. Right now our PA has static entries for our CPPM and master controller IP so one can register and get redirected back to the controller. I was thinking I could leave the VLAN and PA DNS proxy with its static entries in place, then once someone authenticates flip them to a new VLAN which will give them 8.8.8.8 for internet. Is that possible?



  • 10.  RE: ClearPass internal DNS name + wireless client have external DNS

    EMPLOYEE
    Posted Jan 18, 2017 11:36 AM

    If your DNS provider allows it, you can add your ClearPass server IP to public DNS.

     

    Changing VLANs might work, but you'd have to use a server-initiated workflow with CoA.



  • 11.  RE: ClearPass internal DNS name + wireless client have external DNS

    Posted Jan 18, 2017 02:49 PM

    How does the user get to the internet DNS server before they authenticate? Do you allow that IP for the external DNS server through the controller's firewall role for unauthenticated users? Seems easy to do.