Occasional Contributor II
Posts: 18
Registered: ‎05-23-2016

ClearPass with public IP on MNGMT Port

Hello community,

I have an already working setup of Aruba controller 3600 using the Guest module of ClearPass.

This has been working for the last few years without any issues, but we would now like to publish a public IP for ClearPass in order for it to have a trusted certificate and avoid warnings while users try to connect.

I have checked the system tab under server configuration but I only see one space for the server IP. The new public IP will be used for data and mngmt.

Is it possible to change this without interrupting the service?

How should I proceed to minimize the effect of this change?

Thank you in advance!

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass with public IP on MNGMT Port

You do not need a public IP to have a public CA-signed certificate.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: ‎05-23-2016

Re: Clearpass with public IP on MNGMT Port

Hi cappali,

I've been checking lately for an SSL certification, and something in common they told me is that it can only be used on a domain, for which I require a public IP.

Could you please advise how I can proceed then? I need to avoid those warnings when the captive portal pops up.

Thanks

Aruba Employee
Posts: 508
Registered: ‎02-19-2015

Re: Clearpass with public IP on MNGMT Port

Hi Rodrigo,

You need to first create a CSR file, get it signed by an external Certificate Authority, and install that certificate on ClearPass to prevent users from getting certificate warning messages while accessing the portal page.

Regards,

Pavan

Guest Blogger
Posts: 24
Registered: ‎02-20-2015

Re: Clearpass with public IP on MNGMT Port

You need to have a public SSL certificate. I always use openssl to generate the CSR (certificate signing request), which you need to get signed by a public CA (certificate authority). You can use my blog post to generate the certificate via openssl. I always use openssl and do not generate the CSR directly on ClearPass or another server. The advantage of openssl is that you always have a full backup, including the private key, of the certificate and you can easily change the format of the certificate from PEM to PFX to DER to whatever.

I would suggest you configure an IP address on the management interface for all internal communication and next you configure an IP address on the data interface, which you place in a DMZ network. On your firewall you can configure a NAT mapping to translate a public IP address to the private DMZ IP address of the ClearPass data interface. You can use the firewall to restrict access to the data interface, so only HTTPS is allowed to the specific IP address.

@rene_booches | ACMX #438 / ACCP / CCNP Routing & Switching / CEH
Co-owner/Solution Specialist@4IP / blog owner@booches.nl
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass with public IP on MNGMT Port

You do not need a public IP. Unless you have specific security requirements, just use the management port for all traffic.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 129
Registered: ‎07-13-2015

Re: Clearpass with public IP on MNGMT Port

The SSL companies will want to validate your domain (using WHOIS is the fastest method). They will send an e-mail to the e-mail address related to the WHOIS info of the domain. 

Say your public domain is labme.com and your CPPM server is offline but still has a DNS entry (common name) cppm.labme.com, you can issue it a public cert without problems.

ACMP, ACCP, BCNE
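
The openssl CSR workflow described in the replies above, as an added example (not code from any poster, their blogs, or Aruba). The host name cppm.labme.com is the sample name used in the thread; the country and organisation values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: create a private key and CSR off-box with openssl, then check
# the CSR before sending it to a public CA. Subject values are constructed.

# make_csr FQDN OUTDIR -> writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_csr() (
  fqdn="$1"; outdir="$2"
  umask 077                      # key file must not be group/world readable
  mkdir -p "$outdir"
  cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
O = Example Org
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth
EOF
  # -nodes leaves the key unencrypted on disk; store the backup copy securely.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$outdir/req.cnf" \
    -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" 2>/dev/null
)

# Browsers validate the subjectAltName, so confirm the portal FQDN is in it.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Confirm the CSR was built from the key you are keeping as the backup.
csr_matches_key() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$csr_pub" = "$key_pub" ]
}
```

Only the `.csr` file goes to the CA; the `.key` file stays with you and is installed on ClearPass together with the signed certificate.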
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: ClearPass with public IP on MNGMT Port

Can you expand on the reason you are trying to use a public IP?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎05-23-2016

Re: ClearPass with public IP on MNGMT Port

Thank you for the reply to everyone and sorry for the delay. I have been busy with other projects.

Actually, I don't want a public IP; it requires changing my setup and I prefer to change as little as possible on the setup. What I want is to have an SSL certificate on my CPPM to certify the server.

My clients connect from remote locations to RAPs, the RAPs locate the clients in the VLAN where my CPPM without public access is, but we always have the warning of trusted server.

If you can give me the steps to have an SSL certificate, from the CSR generation up to the installation and any other required setup, I would appreciate it.

Thanks

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass with public IP on MNGMT Port

Can you please explain the warning a bit more (or provide a screenshot)?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480