New Contributor
Posts: 4
Registered: ‎09-09-2013

Clearpass guest without inside DNS

I've been searching around the forums and there is a lot of good information but I haven't found a solution for this.

I'm not sure of the proper way to set up my guest wireless access. It seems that I either have to choose to allow them access to the internal DNS or allow access to ClearPass from a public IP address. This is what is happening.

The controller and ClearPass both sit on the inside network and the ClearPass server has a hostname of arubaclearpass.domain.com. I have a guest VLAN set up that only gives access to the internet and uses Google's DNS servers of 8.8.8.8 and 8.8.4.4. I have the controller using the ClearPass captive portal located at arubaclearpass.domain.com.

What happens is that when a guest user connects, the controller tries to send it to arubaclearpass.domain.com and that is not found by the public DNS. I can add that domain name to the public DNS, but then doesn't that open up my ClearPass server to anybody on the internet? If I have the controller route to the IP address of the ClearPass server it works fine, but they get a certificate error message as it's not going to the FQDN.

Alternatively I can give my guest users access to my internal DNS server and they can get to ClearPass, but I really don't want to allow any access to internal DNS.

Is there any way to have guest access without either allowing internal DNS or public access to the ClearPass server?

Thank you!

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Clearpass guest without inside DNS

Just adding a public DNS entry for a server doesn't necessarily give everyone access to it.

Are you doing any NAT or does ClearPass have a public IP? Is there a firewall involved?

For example, you can have a DNS entry of clearpass.arubanetworks.com that points to a private address of 10.100.20.1. You can resolve that address from outside, but that address is not routable on the public internet and thus can't be accessed from outside your border router.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎09-09-2013

Re: Clearpass guest without inside DNS

I'm trying to do NAT so that the public IP will be directed to the ClearPass internal server, but I could give ClearPass a public IP if that would make it easier/better. There is a Cisco 6500 firewall involved that I do not know a lot about yet. I'm pretty new to all of this so I apologize, but if my public DNS is pointing to an IP address of, say, 204.0.0.0, how do I get it to the internal server of 172.16.0.2? Do I need to have the public DNS record pointing to 172.16.0.2, or do I use NAT or internal DNS records to accomplish this?

Thank you so much for responding, I really appreciate your assistance with this.

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Clearpass guest without inside DNS

[ Edited ]

The simplest and quickest fix (but not necessarily networking best practice) would be to create a DNS entry for arubaclearpass.domain.com for the internal (private) IP.

Are you using an SSL cert for your captive portal? If not, you can disable SSL for the captive portal and then simply use the IP address in the CP URL and avoid a DNS entry altogether. Many times, SSL isn't necessarily needed if you aren't capturing sensitive information and are issuing short-term, temporary passwords.

Also, keep in mind that ClearPass needs some way to talk to the outside world for fingerprint, posture and software updates. You can do this with either a proxy or NAT translation.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎09-09-2013

Re: Clearpass guest without inside DNS

[ Edited ]

We are using an SSL cert that points to arubaclearpass.domain.com, so I would like to use the hostname if possible. Do ISPs add local domain names to their DNS that resolve to private addresses? When I asked to have arubaclearpass.domain.com point directly to the 172.16.0.2 address I was told that it was not valid and that it could only point to a public IP address. This was from a co-worker though and not the ISP company.

I can add arubaclearpass.domain.com to my local DNS servers, but then that gets me back to the issue of wanting to only use public DNS for guests.

Sorry again, I'm trying to understand this all. Thank you so much!

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Clearpass guest without inside DNS

It is not best practice to have private addresses in public DNS. If you are using another company to host your public domain name, they have every right to say no.

I'm going to let some other people chime in. Hopefully someone has a similar setup!


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Clearpass guest without inside DNS

[ Edited ]

We recently came up with the idea of assigning a public IP address to the DNS record and then setting a NAT policy that translates the external IP to the internal IP for guests. The firewall would allow the traffic from the guest zone to the inside where CP resides, but access to CP from the outside would not be allowed.

A different way to handle this is if your DNS servers are capable of DNS views. Essentially, you set up your DNS servers to respond with different IPs depending on whether the DNS request comes from the inside or the outside.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Clearpass guest without inside DNS

Have you tried to dst-nat the request? When using a name entry within a netdestination you can dst-nat requests to a name on to another IP. For example:

First create an alias for your ClearPass hostname and add a "name" entry:

    netdestination arubaclearpass.domain.com
      name arubaclearpass.domain.com

Then within the policy set up a dst-nat rule for https requests to arubaclearpass.domain.com:

    user alias arubaclearpass.domain.com svc-https dst-nat x.x.x.x 443

(where x.x.x.x is the internal IP)

You'll also have to add an entry to allow https to the internal IP of ClearPass if you have not already (to avoid a redirect loop of the captive portal redirect):

    user host x.x.x.x svc-https permit

(or use an alias)

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
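
Added illustration, not part of the thread and not ArubaOS code: a small Python model of first-match evaluation of a guest (logon) role policy with a dst-nat rule, covering both the NAT-for-guests idea in the earlier reply and the dst-nat rule above. It assumes the thread's internal ClearPass address 172.16.0.2, a constructed public address 203.0.113.10 for the DNS record, and a constructed alias table standing in for the IP the controller learns for the netdestination name; the re-evaluation of the translated session is a simplification, not the controller's actual session engine. The point it shows is why the extra permit for the internal IP is needed: without it, the translated https session falls through to the captive-portal rule and the guest is redirected back to the portal.

```python
"""Simplified first-match model of a guest role policy with dst-nat.
Constructed illustration; addresses and alias table are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

CLEARPASS_INTERNAL = "172.16.0.2"   # internal ClearPass address from the thread
CLEARPASS_PUBLIC = "203.0.113.10"   # constructed public address in the DNS record
# Stand-in for the IP the controller learns for the netdestination "name" entry.
ALIASES = {"arubaclearpass.domain.com": CLEARPASS_PUBLIC}


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    dst: str                      # CIDR/host, alias name, or "any"
    port: Optional[int]           # None matches any port
    action: str                   # permit | deny | dst-nat | captive-portal
    nat_to: Optional[str] = None  # rewritten destination for dst-nat

    def matches(self, pkt: Packet) -> bool:
        if self.port is not None and pkt.dst_port != self.port:
            return False
        if self.dst == "any":
            return True
        target = ALIASES.get(self.dst, self.dst)
        return ip_address(pkt.dst_ip) in ip_network(target, strict=False)


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Return the first rule that matches, or an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return Rule("any", None, "deny")


def outcome(rules: List[Rule], pkt: Packet) -> str:
    """Final disposition of a guest session under first-match evaluation.

    A dst-nat rewrites the destination; the session to the translated
    destination must itself be permitted by the policy. If it instead hits
    the captive-portal rule, the guest is sent back to the portal: a loop.
    """
    rule = first_match(rules, pkt)
    if rule.action != "dst-nat":
        return rule.action
    translated = Packet(rule.nat_to, pkt.dst_port)
    after = first_match(rules, translated).action
    return "redirect-loop" if after == "captive-portal" else after


def guest_policy(permit_internal: bool) -> List[Rule]:
    """Guest logon policy: public DNS only, dst-nat for the portal FQDN,
    then captive-portal for everything else on 80/443, implicit deny."""
    rules = [
        Rule("8.8.8.8", 53, "permit"),
        Rule("8.8.4.4", 53, "permit"),
        Rule("arubaclearpass.domain.com", 443, "dst-nat", CLEARPASS_INTERNAL),
    ]
    if permit_internal:
        # The permit the reply above says is needed to avoid the loop.
        rules.append(Rule(CLEARPASS_INTERNAL, 443, "permit"))
    rules += [
        Rule("any", 80, "captive-portal"),
        Rule("any", 443, "captive-portal"),
        Rule("any", None, "deny"),
    ]
    return rules


if __name__ == "__main__":
    portal = Packet(CLEARPASS_PUBLIC, 443)
    print("without permit:", outcome(guest_policy(False), portal))
    print("with permit:   ", outcome(guest_policy(True), portal))
    print("other host:    ", outcome(guest_policy(True), Packet("172.16.0.1", 443)))
    print("ssh elsewhere: ", outcome(guest_policy(True), Packet("10.0.0.5", 22)))
```

Run as a script it prints redirect-loop for the policy without the internal permit and permit once the extra rule is present, while https to any other host is still captured by the portal and non-web traffic is dropped.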

New Contributor
Posts: 4
Registered: ‎09-09-2013

Re: Clearpass guest without inside DNS

Thank you for the suggestions! Those are exactly the kind of ideas I was looking for but wasn't sure how to implement.

I'm going to give these a try tomorrow.

I sincerely appreciate everyone's input and help with this!

Aruba Employee
Posts: 1
Registered: ‎11-12-2015

Re: Clearpass guest without inside DNS

Hi Clembo,

I tried to do it but this doesn't work; my guest client can't browse the guest page because he doesn't get an answer for the FQDN of my ClearPass.

I do this:

Add a name nat-dst in the firewall destination of my mobility controller, like this:

01.JPG

Add one new rule in a new policy and apply it to my un-auth role, like this:

02.JPG

Add one new rule in my captive portal policy and apply it to my un-auth role, like this:

03.JPG

And after that I reorder my policies:

04.JPG

My guest client has:

Gateway -> My controller IP in the guest VLAN

DNS -> 8.8.8.8

Maybe I forgot something?

Could you help me?

Thanks a lot

Regards

Yann
