Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Email sponsorship confirmation link

  • 1.  Guest Email sponsorship confirmation link

    Posted Mar 08, 2014 02:54 AM

    Hello,

     

    We have a CPPM Publisher/Subscriber cluster running with both the mgmt and data ports in use; the mgmt port is used mostly for RADIUS/management, and the guests hit the data port for the login/self-reg portal.

     

    One thing that became an issue is that the email sponsor confirmation email inserts the name of the CPPM/redirect URL on the data interface (based on DNS), i.e. cppm-portal.domain.com, which resolves to the data port VIP on the cluster.

     

    Due to security policies the data port subnet is not accessible to the internal users, so we edited the link sent in the email confirmation to the IP of the mgmt port of the cluster:

    ie:

    <p>
    {if true}
    A visitor has requested access naming you as the sponsor. Please <a href="https://172.16.254.50/guest/guest_register_confirm.php?{if $u.source}gsr_id={$u.source|rawurlencode}&{/if}token={$u.register_token|rawurlencode}" target="_blank">click here</a> to confirm or reject the request.
    {else}

     

    This is fine while the Publisher is active, but it doesn't work if the Publisher fails and the Subscriber is promoted, as the IP address is the mgmt address of the Publisher.

     

    We tried using the default HTML code, which in the preview suggests that the URL points to the hostname of the relevant CPPM (as listed in the server manager), but it actually inserts the redirect URL (cppm-portal.domain.com) in the sponsor confirmation email, which the internal users cannot get to.

     

    Hopefully the above makes sense to someone and they can advise how to send the actual server name in the sponsorship confirmation email.



  • 2.  RE: Guest Email sponsorship confirmation link

    Posted Mar 08, 2014 07:25 AM

    Hi, 

    I had a similar issue during a PoC a few weeks ago. I just played with DNS zones to solve it. The ClearPass address cppm.acme.local was accessible in a different way for users from untrusted networks - they got the data IP address - and the opposite for internal users that were sponsors: cppm.acme.local was resolved to the management IP address.

    HTH 
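    The split-horizon DNS arrangement described in this reply, written out as an added example that is not the poster's or HPE Aruba's own configuration: a BIND 9 named.conf fragment with two views of acme.local, plus the two zone files behind them. The ACL ranges, addresses and file paths are assumed placeholders; the point is that sponsors and guests use the same link host, cppm.acme.local, and only the answer differs by source network, so the data subnet never has to be opened to internal users.

```conf
// ---- named.conf (constructed example; addresses and subnets are assumed) ----
// Views are matched in order: the first view whose match-clients fits the
// querying address answers, so the internal view must come before the
// catch-all guest view.

acl "internal-users" { 10.0.0.0/8; };   // assumed corporate ranges (sponsors)

view "internal" {
    match-clients { "internal-users"; };
    recursion yes;
    zone "acme.local" {
        type master;
        file "/etc/bind/db.acme.local.internal";
    };
};

view "guest" {
    match-clients { any; };            // everyone else: guest / untrusted networks
    recursion yes;
    zone "acme.local" {
        type master;
        file "/etc/bind/db.acme.local.guest";
    };
};

; ---- /etc/bind/db.acme.local.internal (constructed) ----
; Sponsors clicking the confirmation link land on the management side.
$TTL 300
@       IN  SOA ns1.acme.local. hostmaster.acme.local. ( 2014030801 3600 900 604800 300 )
@       IN  NS  ns1.acme.local.
ns1     IN  A   10.0.0.53
cppm    IN  A   10.0.0.50          ; management address (or a mgmt-side VIP)

; ---- /etc/bind/db.acme.local.guest (constructed) ----
; Guests on the untrusted side reach the self-registration portal via the data VIP.
$TTL 300
@       IN  SOA ns1.acme.local. hostmaster.acme.local. ( 2014030801 3600 900 604800 300 )
@       IN  NS  ns1.acme.local.
ns1     IN  A   192.168.200.53
cppm    IN  A   192.168.200.50     ; data-port VIP of the ClearPass cluster
```

Whichever address the name resolves to, the HTTPS certificate presented on that interface has to carry cppm.acme.local, and the short TTL limits how long a client that moves between networks keeps the answer from the other view.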



  • 3.  RE: Guest Email sponsorship confirmation link

    Posted Mar 08, 2014 09:22 AM
    Why not have a VIP on the mgmt interfaces also and have that resolved from DNS by an A record? If the PUB goes down then the SUB will 'own' the VIP IP@.


  • 4.  RE: Guest Email sponsorship confirmation link

    Posted Mar 08, 2014 09:38 AM

    The CPPMs are in different geographic locations, but there is an L2 GRE tunnel (set up between the controllers) joining the "data" port/guest user subnets in either location.

     

    We can't set up a GRE between the mgmt subnets.



  • 5.  RE: Guest Email sponsorship confirmation link

    Posted Mar 08, 2014 09:08 PM
    You'll have to use the GRE-VPLS L2 extension if you want to use a VIP. Curious what you did then for the mgmt VIP?

    Beyond this, if you don't want to replicate the setup on the mgmt that you have for the data, you might be best off looking into an SLB, maybe with GSLB functionality, to complement the basic SLB + health check.