Security

Contributor II
Posts: 45
Registered: ‎05-06-2013

Guest Email sponsorship confirmation link

Hello,

 

We have a CPPM Publisher/Subscriber cluster running with both the mgmt and data ports in use; the mgmt port is used mostly for RADIUS/management and the guests hit the data port for the login/self-registration portal.

One thing that became an issue is that the sponsor confirmation email inserts the name of the CPPM/redirect URL on the data interface (based on DNS), i.e. cppm-portal.domain.com, which resolves to the data port VIP on the cluster.

Due to security policies the data port subnet is not accessible to the internal users, so we edited the link sent in the confirmation email to the IP of the mgmt port of the cluster, i.e.:

```html
<p>
{if true}
A visitor has requested access naming you as the sponsor. Please <a href="https://172.16.254.50/guest/guest_register_confirm.php?{if $u.source}gsr_id={$u.source|rawurlencode}&{/if}token={$u.register_token|rawurlencode}" target="_blank">click here</a> to confirm or reject the request.
{else}
{* else branch not included in the post *}
{/if}
</p>
```

This is fine while the Publisher is active, but it doesn't work if the Publisher fails and the Subscriber is promoted, as the IP address is the mgmt address of the Publisher.

We tried using the default HTML code, which in the preview suggests that the URL points to the hostname of the relevant CPPM (as listed in the server manager), but it actually inserts the redirect URL (cppm-portal.domain.com) in the sponsor confirmation email, which the internal users cannot get to.

 

Hopefully the above makes sense to someone and they can advise how to send the actual server name in the sponsorship confirmation email.

Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: Guest Email sponsorship confirmation link

Hi, 

I had a similar issue during a PoC a few weeks ago. I just played with DNS zones to solve it. The ClearPass address cppm.acme.local was resolved differently for users from untrusted networks: they got the data IP address, and conversely cppm.acme.local was resolved to the management IP address for the internal users who were sponsors.

HTH 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
Something cool, helpful or interesting in my post - click the Kudos Star.
Helped to solve your problem - Click Accept as Solution
Moderator
Posts: 496
Registered: ‎11-09-2012

Re: Guest Email sponsorship confirmation link

Why not have a VIP on the mgmt interfaces as well and have that resolved from DNS by an A record? If the PUB goes down, the SUB will 'own' the VIP IP address.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
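The thread turns on one question: which address ends up in the sponsor link, and can the sponsor actually reach it from where they click it. The script below is an added example for the original post and the two replies above (split-horizon DNS, and a mgmt-side VIP behind an A record); it is not code from the post, from Aruba, or from ClearPass. Every address and hostname in it is constructed for illustration: cppm-portal.domain.com and 172.16.254.50 come from the post, cppm.acme.local from Marek's reply, and the subnets, the mgmt/data VIPs and the per-view DNS answers are assumptions. Resolution goes through an injectable callable so the check runs offline; pass socket.gethostbyname to test against real DNS.

```python
"""Check where a ClearPass sponsor-confirmation link lands for the person
who clicks it: is the host a single node (breaks on failover), does it
resolve in the sponsor's DNS view, and is the answer in a subnet the
sponsor can route to.  Added example; all addresses below are constructed.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed topology (assumptions, not from the post).
MGMT_SUBNET = ip_network("172.16.254.0/24")  # reachable by internal sponsors
DATA_SUBNET = ip_network("10.99.0.0/24")     # guest side, blocked for internal users
PUBLISHER_MGMT_IP = "172.16.254.50"          # single-node address hardcoded in the post
MGMT_VIP = "172.16.254.60"                   # assumed cluster VIP on the mgmt side
DATA_VIP = "10.99.0.10"                      # assumed cluster VIP on the data side

# DNS answers per view. "flat" models the poster's situation (one answer for
# everyone); "internal"/"guest" model the split-horizon zones Marek describes.
DNS_VIEWS = {
    "flat":     {"cppm-portal.domain.com": DATA_VIP},
    "internal": {"cppm.acme.local": MGMT_VIP},
    "guest":    {"cppm.acme.local": DATA_VIP, "cppm-portal.domain.com": DATA_VIP},
}


def make_resolver(view):
    """Return a gethostbyname-like callable answering from one DNS view."""
    table = DNS_VIEWS[view]

    def resolve(host):
        return table.get(host)  # None when the name is absent from this view

    return resolve


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_sponsor_link(url, resolve, reachable, node_ips=()):
    """Return (ok, reason) for a rendered confirmation link.

    reachable: subnets the sponsor can actually route to.
    node_ips:  per-node addresses that stop working when a node fails over.
    """
    parts = urlparse(url)
    host = parts.hostname
    if host is None:
        return False, "no host in link"
    # The link carries the registration token, so it must not go over plain HTTP.
    if parts.scheme != "https":
        return False, "token-bearing link is not https"
    if is_ip_literal(host):
        if host in node_ips:
            return False, f"{host} pins one node; breaks when the subscriber is promoted"
        addr = host
    else:
        addr = resolve(host)
        if addr is None:
            return False, f"{host} does not resolve in this DNS view"
    if not any(ip_address(addr) in net for net in reachable):
        return False, f"{host} -> {addr} is outside the sponsor-reachable subnets"
    return True, f"{host} -> {addr} is reachable"


if __name__ == "__main__":
    path = "/guest/guest_register_confirm.php?token=abc123"  # constructed token
    cases = [
        ("https://cppm-portal.domain.com" + path, "flat"),   # the poster's default link
        ("https://172.16.254.50" + path, "internal"),        # the hardcoded workaround
        ("https://cppm.acme.local" + path, "internal"),      # split DNS + mgmt VIP
        ("https://cppm.acme.local" + path, "guest"),         # same name from the guest side
    ]
    for url, view in cases:
        reachable = [DATA_SUBNET] if view == "guest" else [MGMT_SUBNET]
        ok, why = check_sponsor_link(url, make_resolver(view), reachable,
                                     node_ips={PUBLISHER_MGMT_IP})
        print(f"[{'OK' if ok else 'FAIL'}] view={view:8s} {why}")
```

The first two cases reproduce the post's two failure modes (data-side name the sponsor cannot reach; a hardcoded Publisher address that dies on promotion), the last two show the combination both replies point at: one hostname, answered per view, with the internal answer being a VIP rather than a node address. The HTTPS check is the extra caveat worth keeping in any such script, since the link carries the registration token.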
Contributor II
Posts: 45
Registered: ‎05-06-2013

Re: Guest Email sponsorship confirmation link

The CPPMs are in different geographic locations, but there is an L2 GRE tunnel (set up between the controllers) joining the "data" port/guest user subnets in each location.

We can't set up a GRE tunnel between the mgmt subnets.

Moderator
Posts: 496
Registered: ‎11-09-2012

Re: Guest Email sponsorship confirmation link

You'll have to use the GRE-VPLS L2 extension if you want to use a VIP. Curious what you did then for the mgmt VIP?

Beyond this, if you don't want to replicate on the mgmt side the setup you have for the data side, you might be best off looking into an SLB, perhaps with GSLB functionality, to complement the basic SLB + health check.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
