Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass guest without inside DNS

  • 1.  Clearpass guest without inside DNS

    Posted Nov 13, 2013 08:38 PM

    I've been searching around the forums and there is a lot of good information but I haven't found a solution for this.

     

    I'm not sure of the proper way to set up my guest wireless access. It seems that I have to choose either to allow them access to the internal DNS or to allow access to ClearPass from a public IP address. This is what is happening.

     

    The controller and ClearPass both sit on the inside network, and the ClearPass server has a hostname of arubaclearpass.domain.com. I have a guest VLAN set up that only gives access to the internet and uses Google's DNS servers of 8.8.8.8 and 8.8.4.4. I have the controller using the ClearPass captive portal located at arubaclearpass.domain.com.

     

    What happens is that when a guest user connects, the controller tries to send it to arubaclearpass.domain.com, and that is not found by the public DNS. I can add that domain name to the public DNS, but then doesn't that open up my ClearPass server to anybody on the internet? If I have the controller redirect to the IP address of the ClearPass server it works fine, but they get a certificate error message as it's not going to the FQDN.

     

    Alternatively, I can give my guest users access to my internal DNS server and they can get to ClearPass, but I really don't want to allow any access to internal DNS.

     

    Is there any way to have guest access without either allowing internal DNS or public access to the ClearPass server?

     

    Thank you!



  • 2.  RE: Clearpass guest without inside DNS

    EMPLOYEE
    Posted Nov 13, 2013 08:42 PM

    Just adding a public DNS entry for a server doesn't necessarily give everyone access to it.

     

    Are you doing any NAT or does ClearPass have a public IP? Is there a firewall involved?

     

    For example, you can have a DNS entry of clearpass.arubanetworks.com that points to a private address of 10.100.20.1. You can resolve that address from outside, but that address is not routable on the public internet and thus can't be accessed from outside your border router.



  • 3.  RE: Clearpass guest without inside DNS

    Posted Nov 13, 2013 08:48 PM

    I'm trying to do NAT so that the public IP will be directed to the ClearPass internal server, but I could give ClearPass a public IP if that would make it easier/better. There is a Cisco 6500 firewall involved that I do not know a lot about yet. I'm pretty new to all of this, so I apologize, but if my public DNS is pointing to an IP address of, say, 204.0.0.0, how do I get it to the internal server of 172.16.0.2? Do I need to have the public DNS record pointing to 172.16.0.2, or do I use NAT or internal DNS records to accomplish this?

     

    Thank you so much for responding, I really appreciate your assistance with this.



  • 4.  RE: Clearpass guest without inside DNS

    EMPLOYEE
    Posted Nov 13, 2013 08:57 PM

    The simplest and quickest fix (but not necessarily networking best practice) would be to create a DNS entry for arubaclearpass.domain.com for the internal (private) IP.

     

    Are you using an SSL cert for your captive portal? If not, you can disable SSL for the captive portal and then simply use the IP address in the CP URL and avoid a DNS entry altogether. Many times, SSL isn't necessarily needed if you aren't capturing sensitive information and are issuing short-term, temporary passwords.

     

    Also, keep in mind that ClearPass needs some way to talk to the outside world for fingerprint, posture and software updates. You can do this with either a proxy or NAT translation.

     



  • 5.  RE: Clearpass guest without inside DNS

    Posted Nov 13, 2013 09:02 PM

    We are using an SSL cert that points to arubaclearpass.domain.com, so I would like to use the hostname if possible. Do ISPs add local domain names to their DNS that resolve to private addresses? When I asked to have arubaclearpass.domain.com point directly to the 172.16.0.2 address, I was told that it was not valid and that it could only point to a public IP address. This was from a co-worker, though, and not the ISP.

     

    I can add arubaclearpass.domain.com to my local DNS servers, but then that gets me back to the issue of wanting to only use public DNS for guests.

     

    Sorry again, I'm trying to understand this all. Thank you so much!



  • 6.  RE: Clearpass guest without inside DNS

    EMPLOYEE
    Posted Nov 13, 2013 09:19 PM

    It is not best practice to have private addresses in public DNS. If you are using another company to host your public domain name, they have every right to say no.

     

    I'm going to let some other people chime in. Hopefully someone has a similar setup!

     

     



  • 7.  RE: Clearpass guest without inside DNS
    Best Answer

    Posted Nov 13, 2013 10:00 PM

    We recently came up with the idea of assigning a public IP address to the DNS record and then setting a NAT policy that translates the external IP to the internal IP for guests. The firewall would allow the traffic from the guest zone to the inside where CP resides, but access to CP from the outside would not be allowed.

     

    A different way to handle this is if your DNS servers are capable of DNS views. Essentially, you set up your DNS servers to respond with different IPs depending on whether the DNS request comes from the inside or the outside.
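    The DNS-views approach from the reply above, as an added BIND 9 named.conf example (not configuration from the original thread or from HPE Aruba). The address ranges, the guest-view zone file name and the recursion-only design are assumptions for illustration: the point is that the guest VLAN only ever reaches a view that holds the single captive-portal record plus open recursion, while the rest of the internal zone data stays in the internal view.

```conf
// Constructed example: split-horizon (views) for the captive-portal hostname.
// Assumed ranges: corporate LAN 172.16.0.0/16, guest VLAN 10.50.0.0/16.
acl "corp-net"  { 172.16.0.0/16; localhost; };
acl "guest-net" { 10.50.0.0/16; };

options {
    directory "/var/named";
    // Refuse queries from anything not matched by a view below.
    allow-query { none; };
};

// Guest clients see ONLY this view: recursion for the internet plus one
// record. Nothing else in domain.com is visible here.
view "guest" {
    match-clients { guest-net; };
    recursion yes;
    allow-query { guest-net; };
    allow-recursion { guest-net; };
    allow-transfer { none; };

    zone "domain.com" {
        type master;
        file "db.domain.com.guest";   // assumed file: SOA, NS and
                                      // arubaclearpass A 172.16.0.2 only
    };
};

// Internal clients get the full internal zone (hosts, servers, etc.).
view "internal" {
    match-clients { corp-net; };
    recursion yes;
    allow-query { corp-net; };
    allow-recursion { corp-net; };
    allow-transfer { none; };

    zone "domain.com" {
        type master;
        file "db.domain.com.internal";
    };
};
```

    With this layout the guest firewall rule only needs to permit UDP/TCP 53 to this resolver (instead of 8.8.8.8) and HTTPS to the ClearPass address; the guest view answers arubaclearpass.domain.com with 172.16.0.2, the certificate name matches, and no private record leaks to the public zone. Check the result with `dig @<resolver> arubaclearpass.domain.com` from a guest-VLAN client and, separately, `dig @<resolver> someinternalhost.domain.com`, which should return NXDOMAIN from the guest view.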



  • 8.  RE: Clearpass guest without inside DNS
    Best Answer

    Posted Nov 13, 2013 10:12 PM

    Have you tried to dst-nat the request? When using a name entry within a netdestination you can dst-nat requests to a name on to another IP. For example:

     

    First create an alias for your Clearpass hostname and add a "name" entry:

     

    netdestination arubaclearpass.domain.com
    name arubaclearpass.domain.com

     

    Then within the policy set up a dst-nat rule for https requests to arubaclearpass.domain.com:

     

    user alias arubaclearpass.domain.com svc-https dst-nat x.x.x.x 443 (where x.x.x.x is the internal IP)

     

    You'll also have to add an entry to allow https to the internal IP of ClearPass if you have not already (to avoid a redirect loop of the captive portal redirect):

     

    user host x.x.x.x svc-https permit   (or use an alias)

     



  • 9.  RE: Clearpass guest without inside DNS

    Posted Nov 13, 2013 10:46 PM

    Thank you for the suggestions! That is exactly the kind of idea I was looking for but wasn't sure how to implement.

     

    I'm going to give these a try tomorrow.

     

    I sincerely appreciate everyone's input and help with this! 



  • 10.  RE: Clearpass guest without inside DNS

    EMPLOYEE
    Posted Jun 01, 2016 10:44 AM

    Hi Clembo,

     

    I tried to do it but this doesn't work; my guest client can't browse the guest page because it doesn't get an answer for the FQDN of my ClearPass.

     

    I did this:

    Added a name with nat-dst in the firewall destination of my mobility controller, like this:

    01.JPG

     

    Added one new rule in a new policy and applied it to my un-auth role, like this:

    02.JPG

    Added one new rule in my captive portal policy and applied it to my un-auth role, like this:

    03.JPG

    And then I reordered my policies:

    04.JPG

     

    My guest client has:

    Gateway -> my controller IP in the guest VLAN

    DNS -> 8.8.8.8

     

    Maybe I forgot something?

    Could you help me?

     

    Thanks a lot

     

    Regards

     

    Yann

     



  • 11.  RE: Clearpass guest without inside DNS

    EMPLOYEE
    Posted Jun 01, 2016 11:34 AM

    Yann,

     

    In your permit, you need to permit https traffic to the IP address of the ClearPass server. Do not use the FQDN...



  • 12.  RE: Clearpass guest without inside DNS

    Posted Aug 19, 2016 01:30 AM

    Hi All,

     

    Tried to set it up, and the user is not able to log in; it gets stuck at the guestlogin.domain.local page.

     

     

    Later, I recalled that the WLC will intercept a valid DNS reply to our IP address.

     

    Tried with valid domain name and it started working!!!

    :-)

     



  • 13.  RE: Clearpass guest without inside DNS

    Posted Nov 30, 2016 11:24 AM

    Can you tell me the details of setting up a valid domain name for this solution to work?



  • 14.  RE: Clearpass guest without inside DNS

    Posted Dec 02, 2016 01:13 AM

    Can you explain your current setup?



  • 15.  RE: Clearpass guest without inside DNS

    Posted Feb 28, 2017 10:59 AM

    It was not clear if this was resolved. I have a similar situation and would like to see if anyone had any updates on this. If this has been resolved, can you post an example of the configuration or a link that covers this in more detail?

     

    Thanks



  • 16.  RE: Clearpass guest without inside DNS

    Posted Jul 22, 2017 01:15 PM

    Hi,

     

    This setup is working really fine. Thanks for that.

    However, I have some questions...

     

    I added a dst-nat policy with a dst-nat rule as explained and inserted it after the logon-control and before the captive portal policy.

    When I add a permit https to %clearpass-ip% to this policy I get a redirect loop.

    I have the permit https rule to the captive portal policy and put this rule in the first line to make it work.

     

    Why would this be?

    I also never see this permit https rule being hit in the ACL hits, but without it this solution definitely won't work. How could this be?

     

    Thx

    Peter



  • 17.  RE: Clearpass guest without inside DNS

    Posted May 21, 2018 04:12 AM

    I tried this setup as per the attached screenshots, but unfortunately it didn't work. I don't know if I missed anything here; the device could not resolve the name.

    ClearPass IP: 172.16.5.2
    Client gateway: controller IP (I also tried making the client default gateway my router, and it didn't work either)
    DNS: 8.8.8.8