New Contributor
Posts: 3
Registered: ‎08-24-2014

GRE Clearpass

Hi All,

Setting up a GRE tunnel on a 7210 to talk to CPPM. Currently the client has Guest access running through VLAN 300 for their internal network on port GE0/0/0 (with CPPM working) and now they would like to send guest traffic to GE0/0/1 that has its own internet connection to make it more secure. At this stage the controller is doing the DHCP and I have assigned the GE0/0/1 to VLAN 200.

The SSID is handing out IPs and I can ping the gateway (currently the firewall) but the problem arises when it tries to use the GRE tunnel to open the CPPM Login page. I followed the setup as per https://afp.arubanetworks.com/afp/index.php/ClearPass_GRE_Tunnel

If I set the Login page on the controller to the internal address of the GRE tunnel I get a "This webpage has a redirect loop" from Chrome.

If I use firewall rules to redirect the traffic down the tunnel and point the Login page to the IP on VLAN 300 it doesn't resolve.

The GRE tunnel says that it's up but I'm unsure how to test if traffic is traversing it or not. CPPM is receiving the MAC auth request but no other logs or requests.

Hope this makes sense.

Any input or feedback would be most helpful.

Thanks

Marcus

MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: GRE Clearpass

Can you please share your ACLs you have assigned under the role you are using to redirect
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 3
Registered: ‎08-24-2014

Re: GRE Clearpass

Hi Victor,

Thanks for your response. I have tried two different methods:

1. 192.168.10.55 being CPPM

user host 192.168.10.55 svc-http redirect tunnel 2
user host 192.168.10.55 svc-https redirect tunnel 2
user host 192.168.10.55 svc-icmp redirect tunnel 2

2.  any host 192.168.10.55 any redirect tunnel 2

These were set as the first policy on the User Role. If you require the other policies please let me know.

Thanks

Marcus

MVP
Posts: 4,081
Registered: ‎07-20-2011

Re: GRE Clearpass

You are missing these as well:

user alias controller svc-https dst-nat 8081

user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 3
Registered: ‎08-24-2014

Re: GRE Clearpass

Hi Victor,

I have these in a different policy. Please see my other policies below.

Policy - captiveportal

IPv4 user controller svc-https dst-nat 8081
IPv4 user any svc-http dst-nat 8080
IPv4 user any svc-https dst-nat 8081
IPv4 user any svc-http-proxy1 dst-nat 8088
IPv4 user any svc-http-proxy2 dst-nat 8088
IPv4 user any svc-http-proxy3 dst-nat 8088

Policy - Login Control

IPv4 user any udp 68 deny
IPv4 any any svc-icmp permit
IPv4 any any svc-dns permit
IPv4 any any svc-dhcp permit
IPv4 any any svc-natt permit
IPv4 any 169.254.0.0 255.255.0.0 any deny
IPv4 any 240.0.0.0 240.0.0.0 any deny

Policy - CPG-Web-ACL

IPv4 user host 192.168.10.55 svc-http permit
IPv4 user host 192.168.10.55 svc-https permit

Thanks

Marcus
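An added illustration (not from this thread and not Aruba code) of how the user-role policies quoted above are walked first-match for a guest client's flow, with the redirect ACL placed first as Marcus describes; rule semantics are simplified assumptions and the controller's own IP is a constructed placeholder.

```python
"""Toy first-match evaluator for the ordered user-role ACLs quoted in this thread.
Added illustration, not the controller's real firewall engine; semantics are simplified."""
from ipaddress import ip_network, ip_address

CPPM = "192.168.10.55"                # ClearPass address from the thread
CONTROLLER_IP = "10.0.0.1"            # constructed placeholder for the controller's own IP

# (src, dst, service, action), in the order the thread says they sit in the role.
# A guest client matches both "user" and "any" as source, so src is not checked here.
RULES = [
    ("user", CPPM, "any", "redirect tunnel 2"),            # Marcus's option 2, first policy
    ("user", "controller", "svc-https", "dst-nat 8081"),   # Policy - captiveportal
    ("user", "any", "svc-http", "dst-nat 8080"),
    ("user", "any", "svc-https", "dst-nat 8081"),
    ("user", "any", "svc-http-proxy1", "dst-nat 8088"),
    ("user", "any", "svc-http-proxy2", "dst-nat 8088"),
    ("user", "any", "svc-http-proxy3", "dst-nat 8088"),
    ("user", "any", "udp 68", "deny"),                     # Policy - Login Control
    ("any", "any", "svc-icmp", "permit"),
    ("any", "any", "svc-dns", "permit"),
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-natt", "permit"),
    ("any", "169.254.0.0/16", "any", "deny"),
    ("any", "240.0.0.0/4", "any", "deny"),
    ("user", CPPM, "svc-http", "permit"),                  # Policy - CPG-Web-ACL
    ("user", CPPM, "svc-https", "permit"),
]

def _dst_matches(rule_dst, dst):
    """Match a rule's destination field against a concrete destination IP string."""
    if rule_dst == "any":
        return True
    if rule_dst == "controller":
        return dst == CONTROLLER_IP
    if "/" in rule_dst:
        return ip_address(dst) in ip_network(rule_dst)
    return dst == rule_dst

def evaluate(dst, service):
    """Return (rule index, action) of the first matching rule; unmatched flows are dropped."""
    for i, (_src, rule_dst, rule_svc, action) in enumerate(RULES):
        if _dst_matches(rule_dst, dst) and rule_svc in ("any", service):
            return i, action
    return None, "implicit deny"

if __name__ == "__main__":
    for flow in [(CPPM, "svc-https"), ("93.184.216.34", "svc-http"), ("8.8.8.8", "svc-dns")]:
        print(flow, "->", evaluate(*flow))
```

With the redirect rule first, HTTPS to CPPM matches it before the captive-portal dst-nat and the CPG-Web-ACL permit rules are ever consulted, which is what the ordering intends; reordering RULES shows how the outcome changes.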
