11-13-2013 05:38 PM
I've been searching around the forums and there is a lot of good information but I haven't found a solution for this.
I'm not sure of the proper way to set up my guest wireless access. It seems that I either have to choose to allow them access to the internal DNS or allow access to ClearPass from a public IP address. This is what is happening.
The controller and ClearPass both sit on the inside network, and the ClearPass server has a hostname of arubaclearpass.domain.com. I have a guest VLAN set up that only gives access to the internet and uses Google's DNS servers of 220.127.116.11 and 18.104.22.168. I have the controller using the ClearPass captive portal located at arubaclearpass.domain.com.
What happens is that when a guest user connects the controller tries to send it to arubaclearpass.domain.com and that is not found by the public DNS. I can add that domain name to the public DNS but then doesn't that open up my clearpass server to anybody on the internet? If I have the controller route to the IP address of the clearpass server it works fine but they get a certificate error message as it's not going to the FQDN.
Alternatively, I can give my guest users access to my internal DNS server and they can get to ClearPass, but I really don't want to allow any access to internal DNS.
Is there any way to have guest access without either allowing internal DNS or public access to the ClearPass server?
11-13-2013 05:41 PM
Just adding a public DNS entry for a server doesn't necessarily give everyone access to it.
Are you doing any NAT or does ClearPass have a public IP? Is there a firewall involved?
For example, you can have a DNS entry of clearpass.arubanetworks.com that points to a private address of 10.100.20.1. You can resolve that address from outside, but that address is not routable on the public internet and thus can't be accessed from outside your border router.
11-13-2013 05:48 PM
I'm trying to do NAT so that the public IP will be directed to the ClearPass internal server, but I could give ClearPass a public IP if that would make it easier/better. There is a Cisco 6500 firewall involved that I do not know a lot about yet. I'm pretty new to all of this so I apologize, but if my public DNS is pointing to an IP address of, say, 22.214.171.124, how do I get it to the internal server of 172.16.0.2? Do I need to have the public DNS record pointing to 172.16.0.2, or do I use NAT or internal DNS records to accomplish this?
Thank you so much for responding, I really appreciate your assistance with this.
11-13-2013 05:56 PM - edited 11-13-2013 05:57 PM
The simplest and quickest fix (but not necessarily networking best practice) would be to create a DNS entry for arubaclearpass.domain.com for the internal (private) IP.
Are you using an SSL cert for your captive portal? If not, you can disable SSL for the captive portal and then simply use the IP address in the CP URL and avoid a DNS entry altogether. Many times, SSL isn't necessarily needed if you aren't capturing sensitive information and are issuing short-term, temporary passwords.
Also, keep in mind that ClearPass needs some way to talk to the outside world for fingerprint, posture and software updates. You can do this with either a proxy or NAT translation.
11-13-2013 06:01 PM - edited 11-13-2013 06:03 PM
We are using an SSL cert that points to arubaclearpass.domain.com, so I would like to use the hostname if possible. Do ISPs add local domain names to their DNS that resolve to private addresses? When I asked to have arubaclearpass.domain.com point directly to the 172.16.0.2 address, I was told that it was not valid and that it could only point to a public IP address. This was from a co-worker though, and not the ISP company.
I can add arubaclearpass.domain.com to my local DNS servers, but then that gets me back to the issue of wanting to only use public DNS for guests.
Sorry again, I'm trying to understand this all. Thank you so much!
11-13-2013 06:18 PM
It is not best practice to have private addresses in public DNS. If you are using another company to host your public domain name, they have every right to say no.
I'm going to let some other people chime in. Hopefully someone has a similar setup!
11-13-2013 07:00 PM - edited 11-14-2013 07:59 AM
We recently came up with the idea of assigning a public IP address to the DNS record and then setting a NAT policy that translates the external IP to the internal IP for guests. The firewall would allow the traffic from the guest zone to the inside where CP resides, but access to CP from the outside would not be allowed.
A different way to handle this is if your DNS servers are capable of DNS views. Essentially, you set up your DNS servers to respond with different IPs depending on whether the DNS request comes from the inside or the outside.
11-13-2013 07:11 PM
Have you tried to dst-nat the request? When using a name entry within a netdestination, you can dst-nat requests for a name on to another IP. For example:
First create an alias for your ClearPass hostname and add a "name" entry:
Then, within the policy, set up a dst-nat rule for HTTPS requests to arubaclearpass.domain.com:
user alias arubaclearpass.domain.com svc-https dst-nat x.x.x.x 443 (where x.x.x.x is the internal IP)
You'll also have to add an entry to allow HTTPS to the internal IP of ClearPass if you have not already (to avoid a loop with the captive portal redirect):
user host x.x.x.x svc-https permit (or use an alias)
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
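The following is an added example and not part of the thread or of Aruba's or ClearPass's own code. It is a small Python model of the guest path the replies above describe: what the guest's resolver hands back for the ClearPass FQDN, an ordered user-role ACL in the shape of the dst-nat and permit lines in the post just above, and whether the browser's certificate name check passes. It also encodes the earlier point that a public DNS record carrying a private address resolves everywhere but is not routable. Hostnames and addresses are taken from the thread (the public address 22.214.171.124 is the one the original poster used as an example); the alias-by-hostname matching and the rule that a dst-nat'ed flow is re-evaluated against the ACL are simplifying assumptions, the latter being how the redirect-loop caveat is expressed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CP_FQDN = "arubaclearpass.domain.com"   # ClearPass hostname from the thread
CP_INTERNAL_IP = "172.16.0.2"           # private ClearPass address from the thread
CP_PUBLIC_IP = "22.214.171.124"         # example public address from the thread


@dataclass
class Rule:
    """One line of an ordered user-role ACL (assumed shape, not controller syntax)."""
    dest: str                     # "any", an alias with a 'name' entry, or a host IP
    service: str                  # "svc-https" or "any"
    action: str                   # "permit", "deny", "dst-nat" or "captive-portal"
    nat_to: Optional[str] = None  # rewritten destination for dst-nat


def rule_matches(rule: Rule, dest_name: Optional[str], dest_ip: str, service: str) -> bool:
    """Assumption: an alias with a 'name' entry is matched here by hostname;
    a real controller resolves the name itself and compares addresses."""
    if rule.service not in ("any", service):
        return False
    if rule.dest == "any" or rule.dest == dest_ip:
        return True
    return dest_name is not None and rule.dest == dest_name


def evaluate(rules: List[Rule], dest_name: Optional[str], dest_ip: str,
             service: str = "svc-https", max_hops: int = 3) -> Tuple[str, Optional[str]]:
    """Walk the ACL top to bottom, first match wins, implicit deny at the end.

    Returns ("permit", final_ip), ("redirect", None), ("deny", None) or
    ("loop", None). A dst-nat'ed flow is re-evaluated; if the captive-portal
    catch-all takes it again, the portal redirects the browser to itself.
    """
    natted = False
    for _ in range(max_hops):
        for rule in rules:
            if not rule_matches(rule, dest_name, dest_ip, service):
                continue
            if rule.action == "dst-nat":
                assert rule.nat_to is not None, "dst-nat rule needs a target"
                dest_ip, dest_name, natted = rule.nat_to, None, True
                break                                   # re-evaluate rewritten flow
            if rule.action == "captive-portal":
                return ("loop" if natted else "redirect", None)
            return (rule.action, dest_ip if rule.action == "permit" else None)
        else:
            return ("deny", None)                        # nothing matched
    return ("loop", None)


def guest_portal_request(guest_dns: Dict[str, str], rules: List[Rule],
                         portal_host: str, cert_name: str) -> Dict[str, object]:
    """Guest browser following the portal redirect to https://<portal_host>/
    with only the guest-visible DNS (a constructed name -> IP table)."""
    try:
        ipaddress.ip_address(portal_host)
        dest_name, dest_ip = None, portal_host          # portal URL used a bare IP
    except ValueError:
        dest_name = portal_host
        dest_ip = guest_dns.get(portal_host)
        if dest_ip is None:                             # the original poster's symptom
            return {"result": "dns-failure", "reached": None, "cert_ok": False}
    result, reached = evaluate(rules, dest_name, dest_ip)
    return {
        "result": result,
        "reached": reached,
        # The browser checks the certificate against the host it typed; NAT on
        # the path does not change that, but a bare IP in the URL does.
        "cert_ok": result == "permit" and portal_host == cert_name,
    }


def reachable_from_internet(ip: str) -> bool:
    """A public DNS record can hand out a private address; it resolves
    everywhere but is not routable from outside the border router."""
    return not ipaddress.ip_address(ip).is_private


# dst-nat the FQDN to ClearPass, permit the internal address, then the
# captive-portal catch-all, as in the post above.
DST_NAT_POLICY = [
    Rule(CP_FQDN, "svc-https", "dst-nat", nat_to=CP_INTERNAL_IP),
    Rule(CP_INTERNAL_IP, "svc-https", "permit"),
    Rule("any", "any", "captive-portal"),
]
DST_NAT_WITHOUT_PERMIT = [DST_NAT_POLICY[0], DST_NAT_POLICY[2]]   # permit line missing
DIRECT_POLICY = [Rule(CP_INTERNAL_IP, "svc-https", "permit"), Rule("any", "any", "captive-portal")]

if __name__ == "__main__":
    cases = [
        ("no public record", {}, DST_NAT_POLICY, CP_FQDN),
        ("public record -> public IP, dst-nat + permit", {CP_FQDN: CP_PUBLIC_IP}, DST_NAT_POLICY, CP_FQDN),
        ("public record -> public IP, no permit line", {CP_FQDN: CP_PUBLIC_IP}, DST_NAT_WITHOUT_PERMIT, CP_FQDN),
        ("bare IP in portal URL", {}, DIRECT_POLICY, CP_INTERNAL_IP),
        ("public record -> private IP", {CP_FQDN: CP_INTERNAL_IP}, DIRECT_POLICY, CP_FQDN),
    ]
    for label, dns, policy, host in cases:
        print(f"{label:46s} {guest_portal_request(dns, policy, host, CP_FQDN)}")
    print("172.16.0.2 reachable from the internet:", reachable_from_internet(CP_INTERNAL_IP))
```

Running it shows the five situations side by side: no record gives the DNS failure the original poster saw, the dst-nat plus permit pair reaches 172.16.0.2 with a matching certificate name, dropping the permit line turns into the redirect loop, a bare IP in the portal URL reaches ClearPass but fails the name check, and a private address in public DNS works for guests while staying unreachable from the internet.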
11-13-2013 07:45 PM
Thank you for the suggestions! That is exactly the kind of ideas I was looking for but wasn't sure how to implement.
I'm going to give these a try tomorrow.
I sincerely appreciate everyone's input and help with this!
06-01-2016 07:44 AM
I tried to do it but this doesn't work; my guest client can't browse the guest page because he doesn't get an answer for the FQDN of my ClearPass.
I did this:
added a name nat-dst in the firewall destination of my mobility controller, like this:
added one new rule in a new policy and applied it to my unauthenticated role, like this:
added one new rule in my captive portal policy and applied it to my unauthenticated role, like this:
And after that I reordered my policies:
My guest client has:
Gateway -> my controller IP in the guest VLAN
DNS -> 126.96.36.199
Maybe I forgot something?
Could you help me?
Thanks a lot