Security

Hello all,

 

I am working with TAC on  a case where, during onboarding using CPPM Onboard, my devices are getting errantly redirected to securelogin.arubanetworks.com, which they can't find.  After doing extensive testing, I sent the e-mail below back to TAC.  (Some parts of the e-mail have been ommitted, since they aren't relevant.)  This has only happened since updating to CPPM 6.6.0, and it only happens if I make a change to my Provisioning Settings under 6.6.0.

 

I'm wondering if anyone else has encountered this, or would be willing to try to encounter it if you have a test environment (or a production environment that you can quickly revert back).  If you do want to try, if you're running CPPM in a VM environment, take a snapshot FIRST, so you can revert back if your Onboard breaks.

 

Please feel free to read through the whole thing, but if you're on CPPM 6.6.0, your "test" will begin at #8 below, but please see the note in #6.  Thanks!

 

Here's the message I sent:

 

==================================

 

There appears to be a bug in CPPM 6.6.0.  In Onboard, under Deployment and Provisioning --> Provisioning Settings, if you make any changes to the provisioning settings that you're using, you will then get have the problem with securelogin.arubanetworks.com.

 

I will give a detailed description of what I did.  For reference, my CPPM server URL is http://cppm.powayusd.com.  Also, our CPPM server runs in a VMware environment, so I can take snapshots.

 

1) I learned that when you do a major CPPM upgrade (in our case, from 6.5.5 to 6.6.0), the CPPM server retains your previous version on a separate boot partition.  I reconfigured my CPPM server to boot from the other partition, so it would boot into 6.5.5 instead of 6.6.0.

 

2) Onboarding worked perfectly when I tested it under 6.5.5. 

 

3) I took a snapshot of the CPPM server, then went to Software Updates.  There was an update to 6.5.6, so I did that, rather than going to 6.6.0.

 

4) Onboarding still worked perfectly under 6.5.6.

 

5) There were some changes I had made in May since the CPPM 6.6.0 update (case # 1867819, having to do with expiration of the SECP enrollment certificate), which I had to make again after reverting back to 6.5.5 and updating to 6.5.6.  I removed the previous VMware snapshot, then took a new snapshot before making the changes from case # 1867819.

 

6) After making the changes from case # 1867819, onboarding still worked perfectly.  These changes involved modifying the Provisioning Settings in Onboard, and everything still worked, which means the bug does NOT exist in 6.5.6.

 

7) I removed the VMware snapshot and took a new one, then updated CPPM to 6.6.0.  After the 6.6.0 update, onboarding still worked perfectly.

 

Note:  When I say that onboarding works perfectly, I should describe what I see:  I go to http://cppm.powayusd.com/onboard.php (my web login page is called "onboard").  Step 1, install certificate.  Step 2, log in.  That takes me to the next screen, where I install my certificate, and then install my profile.  This is on a Mac Mini running OS X "El Capitan" 10.11.3, by the way.  During the entire process, the URL I see in my browser always begins with "cppm.powayusd.com."

 

8) After updating to 6.6.0, I again removed the snapshot and took a new one.  I then went to edit the Provisioning Settings I'm using.  I did NOT make any changes, but I still clicked "Save Changes" at the bottom, and it built new configuration files.

 

9) After #8, when I tried to onboard my Mac, I saw: Step 1, install certificate.  Step 2, log in.  As soon as I clicked "Log in," my browser redirected me to securelogin.arubanetworks.com instead of keeping me at cppm.powayusd.com, and since the machine can't find securelogin.arubanetworks.com, onboard is now broken.

 

10) I reverted back to the snapshot I took in #8, and then Onboard works again.

 

I believe this means there is a problem with editing Provisioning Settings in CPPM 6.6.0 Onboard.  I looked all through the Provisioning Settings and could find no reference whatsoever to securelogin.arubanetworks.com, so I have no idea where that is coming from.  I have never seen securelogin.arubanetworks.com during Onboard; I have only seen it when using a captive portal on our Guest wireless network.

 

Did you happen to check the release notes on 6.6.0. There might be some changes made to the templates and if you just click save it might overwrite your settings.

---

@tarnold wrote:
Did you happen to check the release notes on 6.6.0. There might be some changes made to the templates and if you just click save it might overwrite your settings.

---

I'll be honest -- no, I didn't.  However, I have since looked at the release notes for 6.6.0, and there's no mention of any template changes for Onboard, nor any reference to securelogin.arubanetworks.com in the release notes.

Without digging into your CPPM. My best guess there was a change and when you hit save it is overwriting your original settings. I will have to dig through the cases and confirm with engineering.

 

In the old weblogin there used to be a setting for the onboarding to set the redirect. Seems like there is a setting in your that is being pulled. I did a test in my lab just two days ago for another customer with a different concern with no issues. I tested on 6.4 to 6.6 and 6.5.6 to 6.6.

 

Thanks, Troy!  I'll see what TAC can tell me as well, since I still have the case open with them.  It's interesting... I don't have that page anywhere that you just showed...

Problem solved, I believe!  TAC had me create a new Network Settings profile in Onboard, as well as a new Configuration Profile and new Provisioning Settings.  After doing all that, with the same settings that my existing profiles had, everything is working.  Now, I'm trying to figure out a certificate problem that has been bugging me, but that'll be in a separate post.

 

Thanks to everyone for your help!