Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

GRE Clearpass

  • 1.  GRE Clearpass

    Posted Jan 14, 2015 03:44 AM

    Hi All,

    Setting up a GRE tunnel on a 7210 to talk to CPPM. Currently the client has Guest access running through VLAN 300 for their internal network on port GE0/0/0 (with CPPM working) and now they would like to send guest traffic to GE0/0/1, which has its own internet connection, to make it more secure. At this stage the controller is doing the DHCP and I have assigned GE0/0/1 to VLAN 200.

    The SSID is handing out IPs and I can ping the gateway (currently the firewall), but the problem arises when it tries to use the GRE tunnel to open the CPPM Login page. I followed the setup as per https://afp.arubanetworks.com/afp/index.php/ClearPass_GRE_Tunnel

    If I set the Login page on the controller to the internal address of the GRE tunnel I get a "This webpage has a redirect loop" from Chrome.

    If I use firewall rules to redirect the traffic down the tunnel and point the Login page to the IP on VLAN 300 it doesn't resolve.

    The GRE tunnel says that it's up but I'm unsure how to test if traffic is traversing it or not. CPPM is receiving the MAC auth request but no other logs or requests.

    Hope this makes sense.

    Any input or feedback would be most helpful.

    Thanks

    Marcus




  • 2.  RE: GRE Clearpass

    Posted Jan 14, 2015 09:34 AM
    Can you please share the ACLs you have assigned under the role you are using to redirect?


  • 3.  RE: GRE Clearpass

    Posted Jan 14, 2015 03:47 PM

    Hi Victor,

    Thanks for your response. I have tried two different methods:

    1. 192.168.10.55 being CPPM

    user host 192.168.10.55 svc-http redirect tunnel 2
    user host 192.168.10.55 svc-https redirect tunnel 2
    user host 192.168.10.55 svc-icmp redirect tunnel 2

    2. any host 192.168.10.55 any redirect tunnel 2

    These were set as the first policy on the User Role. If you require the other policies please let me know.

    Thanks

    Marcus



  • 4.  RE: GRE Clearpass

    Posted Jan 14, 2015 05:55 PM

    You are missing these as well:

    user alias controller svc-https dst-nat 8081

    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088



  • 5.  RE: GRE Clearpass

    Posted Jan 14, 2015 07:48 PM

    Hi Victor,

    I have these in a different policy. Please see my other policies below.

    Policy - captiveportal

    IPv4 user controller svc-https dst-nat 8081
    IPv4 user any svc-http dst-nat 8080
    IPv4 user any svc-https dst-nat 8081
    IPv4 user any svc-http-proxy1 dst-nat 8088
    IPv4 user any svc-http-proxy2 dst-nat 8088
    IPv4 user any svc-http-proxy3 dst-nat 8088

    Policy - Login Control

    IPv4 user any udp 68 deny
    IPv4 any any svc-icmp permit
    IPv4 any any svc-dns permit
    IPv4 any any svc-dhcp permit
    IPv4 any any svc-natt permit
    IPv4 any 169.254.0.0 255.255.0.0 any deny
    IPv4 any 240.0.0.0 240.0.0.0 any deny

    Policy - CPG-Web-ACL

    IPv4 user host 192.168.10.55 svc-http permit
    IPv4 user host 192.168.10.55 svc-https permit

    Thanks

    Marcus
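The thread turns on which session-ACL rule a guest packet hits first, because the controller's PEF evaluates the policies on a role in order and stops at the first match. The following is an added example written for this thread, not code from the thread, from Aruba, or from ClearPass: a small first-match simulator loaded with the redirect policy from post 3 and the three policies from post 5, so you can see for a given guest packet which rule wins and which later rules never get a chance (for example, CPG-Web-ACL's permit sits behind captiveportal's dst-nat for the same host). The service-alias port numbers, the policy order on the role (redirect policy first, as Marcus stated, then captiveportal, Login Control, CPG-Web-ACL) and the controller address used for the "controller" alias are assumptions and are marked as such in the code.

```python
"""First-match evaluation of Aruba-style session ACLs (added example, not Aruba code)."""
import ipaddress

# ASSUMPTION: default controller service aliases (name -> (protocol, destination ports)).
SERVICE_ALIASES = {
    "svc-http": ("tcp", {80}),
    "svc-https": ("tcp", {443}),
    "svc-http-proxy1": ("tcp", {3128}),
    "svc-http-proxy2": ("tcp", {8080}),
    "svc-http-proxy3": ("tcp", {8888}),
    "svc-dns": ("udp", {53}),
    "svc-dhcp": ("udp", {67, 68}),
    "svc-natt": ("udp", {4500}),
    "svc-icmp": ("icmp", None),
}

CONTROLLER_IP = "10.0.0.1"  # constructed placeholder for the "controller" alias


def parse_rule(text):
    """Parse one ACL line in the syntax seen in the thread into a rule dict."""
    tokens = text.split()
    if tokens[0] == "IPv4":          # the GUI listing prefixes each line
        tokens = tokens[1:]
    src = tokens.pop(0)              # "user" or "any"
    tok = tokens.pop(0)              # destination
    if tok == "host":
        dst = ("host", ipaddress.ip_address(tokens.pop(0)))
    elif tok == "alias":
        dst = ("alias", tokens.pop(0))
    elif tok == "controller":
        dst = ("alias", "controller")
    elif tok == "any":
        dst = ("any", None)
    else:                            # "NETWORK MASK" form, e.g. 169.254.0.0 255.255.0.0
        dst = ("net", ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False))
    tok = tokens.pop(0)              # service
    if tok == "any":
        svc = ("any", None)
    elif tok in ("tcp", "udp"):
        svc = (tok, {int(tokens.pop(0))})
    else:
        svc = SERVICE_ALIASES[tok]
    return {"src": src, "dst": dst, "svc": svc, "action": " ".join(tokens), "text": text}


def matches(rule, pkt):
    """True if the packet hits the rule; pkt keys: from_user, dst, proto, dport."""
    if rule["src"] == "user" and not pkt["from_user"]:
        return False
    dst_ip = ipaddress.ip_address(pkt["dst"])
    kind, val = rule["dst"]
    if kind == "host" and dst_ip != val:
        return False
    if kind == "alias" and dst_ip != ipaddress.ip_address(CONTROLLER_IP):
        return False
    if kind == "net" and dst_ip not in val:
        return False
    proto, ports = rule["svc"]
    if proto != "any":
        if pkt["proto"] != proto:
            return False
        if ports is not None and pkt.get("dport") not in ports:
            return False
    return True


def all_matches(role, pkt):
    """Every rule the packet would match, in role order; the box acts on the first."""
    return [(name, rule["text"], rule["action"])
            for name, rules in role
            for rule in map(parse_rule, rules)
            if matches(rule, pkt)]


def first_match(role, pkt):
    hits = all_matches(role, pkt)
    return hits[0] if hits else (None, None, "deny (implicit)")


def guest(dst, proto, dport=None):
    """Packet from a guest client (matches the 'user' source keyword)."""
    return {"from_user": True, "dst": dst, "proto": proto, "dport": dport}


# The policies from the thread, in the ASSUMED order on the role.
ROLE = [
    ("gre-redirect", [
        "user host 192.168.10.55 svc-http redirect tunnel 2",
        "user host 192.168.10.55 svc-https redirect tunnel 2",
        "user host 192.168.10.55 svc-icmp redirect tunnel 2",
    ]),
    ("captiveportal", [
        "IPv4 user controller svc-https dst-nat 8081",
        "IPv4 user any svc-http dst-nat 8080",
        "IPv4 user any svc-https dst-nat 8081",
        "IPv4 user any svc-http-proxy1 dst-nat 8088",
        "IPv4 user any svc-http-proxy2 dst-nat 8088",
        "IPv4 user any svc-http-proxy3 dst-nat 8088",
    ]),
    ("Login Control", [
        "IPv4 user any udp 68 deny",
        "IPv4 any any svc-icmp permit",
        "IPv4 any any svc-dns permit",
        "IPv4 any any svc-dhcp permit",
        "IPv4 any any svc-natt permit",
        "IPv4 any 169.254.0.0 255.255.0.0 any deny",
        "IPv4 any 240.0.0.0 240.0.0.0 any deny",
    ]),
    ("CPG-Web-ACL", [
        "IPv4 user host 192.168.10.55 svc-http permit",
        "IPv4 user host 192.168.10.55 svc-https permit",
    ]),
]

if __name__ == "__main__":
    for pkt in (guest("192.168.10.55", "tcp", 80), guest("8.8.8.8", "tcp", 80)):
        print(f"guest -> {pkt['dst']} {pkt['proto']}/{pkt['dport']}")
        for name, text, action in all_matches(ROLE, pkt):
            print(f"   [{name}] {text}  ->  {action}")
```

Run it and the trace for a guest HTTP request to 192.168.10.55 lists three candidate rules (redirect, dst-nat 8080, permit) of which only the first is applied; move the redirect policy below captiveportal and the same request is instead dst-nat'ed to the controller's own portal, which is the kind of ordering mistake that produces a redirect loop rather than a page from CPPM.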