Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Controller claims certificate CN for its own?

  • 1.  Controller claims certificate CN for its own?

    MVP
    Posted Jun 07, 2017 08:59 AM

    So I've got a wildcard certificate formed as follows:

    CN: host.domain.tld

    SAN1: host.domain.tld

    SAN2: *.domain.tld

     

    host.domain.tld is NOT the controller, this is another actual server. The controller should respond to captiveportal-login.domain.tld.

     

    I was trying to use (the wildcard portion of) this certificate on the controller for captive-portal authentication.

    Now, this works. Guests get this valid certificate presented, so no more cert errors.

    What is problematic, however, is that wireless users on the secure (non-guest) SSID, trying to access the server at https://host.domain.tld, get redirected to https://host.domain.tld:4343 by the controller. The IP address also changes from the actual host to the controller's guest interface.

    I understand that the controller grabs traffic for that CN for itself for guest users, but why is it intercepting DNS requests for users on other SSIDs?!

    Is this expected behaviour or what am I missing here?



  • 2.  RE: Controller claims certificate CN for its own?

    EMPLOYEE
    Posted Jun 07, 2017 09:04 AM
    What user role are those devices in?


  • 3.  RE: Controller claims certificate CN for its own?

    MVP
    Posted Jun 07, 2017 09:07 AM

    As simple and open as I can get it:

     

    (Aruba) #show rights user

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'user'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 24
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 78/0
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name             Type     Location
    --------  ----             ----     --------
    1         global-sacl      session
    2         apprf-user-sacl  session
    3         allowall         session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-user-sacl
    ---------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    allowall
    --------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit                           Low                                                           4
    2         any     any          any-v6                permit                           Low                                                           6

    Expired Policies (due to time constraints) = 0



  • 4.  RE: Controller claims certificate CN for its own?

    MVP
    Posted Jun 07, 2017 09:17 AM

    As simple as I can get it: allowall.

     

    (Aruba) #show rights complete
    
    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'complete'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 28
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 75/0
     Max Sessions = 65535
    
     Check CP Profile for Accounting = TRUE
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                 Type     Location
    --------  ----                 ----     --------
    1         global-sacl          session  
    2         apprf-complete-sacl  session  
    3         allowall             session  
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-complete-sacl
    -------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    allowall
    --------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit                           Low                                                           4        
    2         any     any          any-v6                permit                           Low                                                           6        
    
    Expired Policies (due to time constraints) = 0


  • 5.  RE: Controller claims certificate CN for its own?

    EMPLOYEE
    Posted Jun 07, 2017 09:25 AM
    What's the output of "show datapath fqdn"?


  • 6.  RE: Controller claims certificate CN for its own?

    MVP
    Posted Jun 07, 2017 09:28 AM

    host.domain.tld



  • 7.  RE: Controller claims certificate CN for its own?

    EMPLOYEE
    Posted Jun 07, 2017 09:33 AM
    That's why. You shouldn't use shared certificates from the rest of your environment with the controller. Use a dedicated certificate with an appropriate common name for your controllers.


  • 8.  RE: Controller claims certificate CN for its own?

    MVP
    Posted Jun 07, 2017 09:38 AM

    OK, that's the current behaviour... understood.

    But can you explain why the controller would intercept DNS requests on an SSID where no role is configured to do so? Is there a good reason to do this?

    It might be easier to accept this truth if I understand the why of it :)



  • 9.  RE: Controller claims certificate CN for its own?

    EMPLOYEE
    Posted Jun 07, 2017 09:42 AM
    Because the controller will take the CN and add it as the redirect address in the controller when you import it.
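The behaviour stated in that last reply, modelled as an added example that is not from this thread or from Aruba: it parses the CN and SAN names out of `openssl x509 -noout -subject -ext subjectAltName` output (a constructed sample is embedded), checks with RFC 6125-style wildcard matching whether the certificate is valid for the intended portal FQDN, and reports which real hostname the controller will claim as its redirect address when the CN is not the portal name. The portal FQDN `captiveportal-login.domain.tld` and the openssl output format are assumptions.

```python
import re

# Constructed sample of `openssl x509 -noout -subject -ext subjectAltName` output
# for the certificate from the thread: CN names a real server, SAN carries a wildcard.
SAMPLE_OPENSSL_OUTPUT = """\
subject=CN = host.domain.tld
X509v3 Subject Alternative Name:
    DNS:host.domain.tld, DNS:*.domain.tld
"""

def parse_openssl_names(text):
    """Return (cn, [san_dns_names]) from openssl subject/SAN text like the sample above."""
    cn_match = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return cn, sans

def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole left-most label and never across a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_captive_portal_cert(openssl_text, portal_fqdn):
    """Model the controller behaviour from the thread: on import the CN becomes the
    captive-portal redirect FQDN (what `show datapath fqdn` lists), so DNS for that
    name is answered by the controller for every role, not only the guest role."""
    cn, sans = parse_openssl_names(openssl_text)
    names = [n for n in [cn, *sans] if n]
    covers_portal = any(wildcard_matches(n, portal_fqdn) for n in names)
    # A CN that is not the portal name is a real host that stops resolving correctly.
    hijacked = [] if cn is None or cn.lower() == portal_fqdn.lower() else [cn]
    return {
        "cn": cn,
        "cert_valid_for_portal": covers_portal,  # guests see no certificate warning
        "redirect_fqdn_claimed": cn,             # name the controller will intercept
        "hijacked_hosts": hijacked,
        "ok": covers_portal and not hijacked,
    }

if __name__ == "__main__":
    print(check_captive_portal_cert(SAMPLE_OPENSSL_OUTPUT, "captiveportal-login.domain.tld"))
```

Run it against the real certificate with the openssl command from the lead-in before importing it; `ok` is only true when the CN is the portal name and the SAN or CN covers it.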