Occasional Contributor II
Posts: 17
Registered: ‎01-11-2012

Open DNS resolving intranet on Internet-only guest network

Subject line is pretty clear, basically I'm able to hit our internal intranet homepage and sub-pages on the guest network I have configured. auth-guest role configured to block all private IP space. When the client does a DNS lookup on our internal home page (sharepoint), the query goes out to OpenDNS (208.67.220.220). The query response returned is 67.215.65.132. That IP I understand to be the standard response from OpenDNS when the host name cannot be resolved, so working as expected!

 

Packet capture shows the DNS query/response, however, it also shows all subsequent comm to our internal webpage as traffic to/from 67.215.65.132. To the controller, this looks like legitimate traffic to allow since I am not blocking that IP address, but I have no idea why traffic originating from my internal web page (on a 10.x.x.x network) would be returned to the client looking like it came from 67.215.x.x. So basically, on an Internet only wlan, I can browse our internal sharepoint farm over http all day.

 

Has anyone run into this issue when using a public DNS for their guest wireless networks?

 

Thanks in advance

Greg

Guru Elite
Posts: 20,968
Registered: ‎03-29-2007

Re: Open DNS resolving intranet on Internet-only guest network

What firewall policies do you have assigned to authenticated guests on that WLAN? Is "auth-guest" the role that users get when they are fully authenticated, or when they just associate? If it is for post authentication, what rules (firewall policies) are applied in the "auth-guest" role?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 17
Registered: ‎01-11-2012

Re: Open DNS resolving intranet on Internet-only guest network

Associated guests (pre-auth) receive guest-logon role. Nothing is returned except the captive portal. Firewall rules as follows:

 

clearpass-portal (http(s) src-nats to portal page)

captiveportal (default settings)

guest-logon-access (allow dhcp, allow DNS to OpenDNS)

deny-internal (deny all private IP space)

 

 

Once authenticated to clearpass, users receive auth-guest role. Firewall rules as follows:

 

cplogout (dst-nat to 8081 for controller)

guest-logon-access

allow-websense (for http block page, guest users are filtered through content gateway)

deny-internal (deny all private IP space)

auth-guest-access (permit http(s) to any)

drop-and-log (default)

 

-GR

Guru Elite
Posts: 20,968
Registered: ‎03-29-2007

Re: Open DNS resolving intranet on Internet-only guest network

If you can get on the commandline, please type "show rights auth-guest" so it can show the firewall policies and the order.  Paste in the output if you can.  I am wondering what the guest-logon-access piece of the role does.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 17
Registered: ‎01-11-2012

Re: Open DNS resolving intranet on Internet-only guest network

Sure no prob

 

(Aruba3200-US) #show rights jhhc-auth-guest

Derived Role = 'jhhc-auth-guest'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 59/0
Max Sessions = 128

access-list List
----------------
Position Name Location
-------- ---- --------
1 cplogout
2 guest-logon-access
3 allow-websense
4 deny-internal
5 auth-guest-access
6 drop-and-log

cplogout
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller svc-https dst-nat 8081 Low 4

guest-logon-access
------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
3 any OpenDNS svc-dns src-nat Low 4

allow-websense
--------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user websense-block tcp 15871 permit Low 4

deny-internal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any 10.0.0.0 255.0.0.0 any deny Yes Low 4
2 any 192.168.0.0 255.255.0.0 any deny Yes Low 4
3 any 172.16.0.0 255.255.240.0 any deny Yes Low 4

auth-guest-access
-----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any svc-http permit Guest Access Low 4
2 user any svc-https permit Guest Access Low 4

drop-and-log
------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any any deny Yes Low 4

Expired Policies (due to time constraints) = 0

 

 

ugh that's ugly. I attached a txt file as well for easier reading. Thank you again.

 

-GR

Guru Elite
Posts: 20,968
Registered: ‎03-29-2007

Re: Open DNS resolving intranet on Internet-only guest network

Is there a reason why you are source-natting DNS traffic?

 

That might not be your issue, but that is the only thing that stands out.

 

What is the default gateway for this guest network?

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 17
Registered: ‎01-11-2012

Re: Open DNS resolving intranet on Internet-only guest network

The original idea was to src-nat all traffic coming out of the guest network to keep it isolated. We wound up defining the guest network on the core switch so permitting this traffic instead would work. I'll give it a shot.

 

The default gateway for the guest network is the core. We also were going back and forth on this, the advantages of using the controller as the gateway over the core. It was suggested we use the core for routing rather than the controller. All traffic I believe is tunneled back to the controller from the AP for inspection before it is forwarded on to the gateway defined on the core, is it not?

 

I will get back to you on the src-nat change to permit.

 

-GR

Occasional Contributor II
Posts: 17
Registered: ‎01-11-2012

Re: Open DNS resolving intranet on Internet-only guest network

I take that back, I will not be able to test the src-nat vs. the permit until another issue I am having is resolved. Every day, sometime in the afternoon, I wind up hitting some kind of configured session limit (on controller) from my laptop on the guest network only, where I can no longer browse to the captive portal while connected to the guest SSID. Working with TAC on that one, but I'll be able to test tomorrow morning, that tends to be the time everything wakes up and starts working again!

 

-GR

Occasional Contributor II
Posts: 17
Registered: ‎01-11-2012

Re: Open DNS resolving intranet on Internet-only guest network

Tested permitting DNS traffic to OpenDNS rather than src-nat, no change in result. Still able to resolve our internal sharepoint intranet page.

 

I changed the OpenDNS alias to include the IP 67.215.65.132 and kept the change to permit the traffic instead of src-nat. Also logged all comm with that alias destination set. Here is what I saw.

 

A pcap again shows the dns query for my company's internal home page with 67.215.65.132 returned as the response. All port 80 traffic destined to that IP from then on logs as the following in the controller and returns the home page content.

 

Jul 10 07:42:42 authmgr[1528]: <124006> <WARN> |authmgr| {171} TCP srcip=10.83.0.254 srcport=49523 dstip=67.215.65.132 dstport=80, action=permit, role=jhhc-auth-guest, policy=guest-logon-access

 

What is interesting, since I am permitting all traffic to the OpenDNS alias which includes the 67.x.x.x address, I am logging permits to all ports destined for that address. So I tried connecting one of my network shares but since openDNS cannot resolve my internal file server host name, the same 67.x.x.x IP address is returned. It looks like this in the controller, notice port 445 for SMB over TCP.

 

Jul 10 07:46:23 authmgr[1528]: <124006> <WARN> |authmgr| {397} TCP srcip=10.83.0.254 srcport=49548 dstip=67.215.65.132 dstport=445, action=permit, role=jhhc-auth-guest, policy=guest-logon-access

 

The difference here is, I am not able to map the drive. A similar test using RDP to an internal server, port 3389 is permitted in the controller logs, but unable to resolve the host.

 

Jul 10 07:57:11 authmgr[1528]: <124006> <WARN> |authmgr| {846} TCP srcip=10.83.0.254 srcport=49563 dstip=67.215.65.132 dstport=3389, action=permit, role=jhhc-auth-guest, policy=guest-logon-access

So in every case I am unable to resolve the private IP space, but it only seems to impact port 80 traffic. So, long story short, I tested blocking the 67.x.x.x IP address, which effectively blocked the guest network from our internal home page, however I think this is a band-aid for something else at work here. Not to mention it creates an unnecessary amount of traffic generated from my client machine trying to figure out how to get to the 67.x.x.x address it's being told to resolve by OpenDNS.

 

Any other ideas?

 

-GR
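As an added example (not code from this thread, from Aruba, or from OpenDNS), the Python below does the two checks a defender would want on the data posted in this thread: it takes the deny-internal prefixes from the "show rights" output in the earlier post and reports which parts of RFC 1918 they leave uncovered (the 255.255.240.0 mask on the 172.16.0.0 entry is a /20, so most of 172.16.0.0/12 is not denied), and it parses authmgr lines in the format shown in this post to group permitted flows to the resolver's placeholder address by destination port, which is the pattern the 80/445/3389 lines above show. It assumes RFC 1918 is the "private IP space" the role is meant to block; the log regex, the function names and the one extra denied log line are constructed here.

```python
"""Audit helper for the guest-role symptom described in this thread.

Added example, not code from the thread or from Aruba. Values marked "from thread"
are copied from the posts; anything marked "constructed" is made up here.
"""
import ipaddress
import re
from collections import defaultdict

# Private space an Internet-only guest role is expected to deny (assumption: RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# deny-internal destinations (network, mask) as printed by "show rights" (from thread).
DENY_INTERNAL_RULES = [
    ("10.0.0.0", "255.0.0.0"),
    ("192.168.0.0", "255.255.0.0"),
    ("172.16.0.0", "255.255.240.0"),
]

# Address the public resolver returned for names it could not resolve (from thread).
DNS_GUIDE_IPS = {ipaddress.ip_address("67.215.65.132")}

# authmgr session lines: three from the thread, one constructed deny for contrast.
SAMPLE_LOG = [
    "Jul 10 07:42:42 authmgr[1528]: <124006> <WARN> |authmgr| {171} TCP srcip=10.83.0.254 "
    "srcport=49523 dstip=67.215.65.132 dstport=80, action=permit, role=jhhc-auth-guest, policy=guest-logon-access",
    "Jul 10 07:46:23 authmgr[1528]: <124006> <WARN> |authmgr| {397} TCP srcip=10.83.0.254 "
    "srcport=49548 dstip=67.215.65.132 dstport=445, action=permit, role=jhhc-auth-guest, policy=guest-logon-access",
    "Jul 10 07:57:11 authmgr[1528]: <124006> <WARN> |authmgr| {846} TCP srcip=10.83.0.254 "
    "srcport=49563 dstip=67.215.65.132 dstport=3389, action=permit, role=jhhc-auth-guest, policy=guest-logon-access",
    # constructed: what a direct attempt at a 10.x address looks like when deny-internal matches
    "Jul 10 07:58:00 authmgr[1528]: <124006> <WARN> |authmgr| {900} TCP srcip=10.83.0.254 "
    "srcport=49570 dstip=10.1.2.3 dstport=80, action=deny, role=jhhc-auth-guest, policy=deny-internal",
]

# Field layout of the lines above (constructed regex, matches only the TCP session lines).
LOG_RE = re.compile(
    r"TCP srcip=(?P<src>\S+) srcport=(?P<sport>\d+) dstip=(?P<dst>\S+) dstport=(?P<dport>\d+), "
    r"action=(?P<action>\w+), role=(?P<role>[\w-]+), policy=(?P<policy>[\w-]+)"
)


def coverage_gaps(rules, expected=RFC1918):
    """Return the parts of `expected` that no (network, mask) rule in `rules` covers."""
    denied = [ipaddress.ip_network(f"{net}/{mask}") for net, mask in rules]
    gaps = []
    for block in expected:
        remaining = [block]
        for d in denied:
            nxt = []
            for r in remaining:
                if d.supernet_of(r):              # rule fully covers this piece
                    continue
                if r.supernet_of(d):              # rule covers part of it: carve that part out
                    nxt.extend(r.address_exclude(d))
                else:
                    nxt.append(r)
            remaining = nxt
        gaps.extend(remaining)
    return sorted(set(gaps))


def policy_would_deny(dst, rules=DENY_INTERNAL_RULES):
    """True if deny-internal as configured would match this destination address."""
    dst = ipaddress.ip_address(dst)
    return any(dst in ipaddress.ip_network(f"{n}/{m}") for n, m in rules)


def parse_authmgr(lines):
    """Pull the session fields out of authmgr log lines; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            flows.append({"src": ipaddress.ip_address(d["src"]), "dst": ipaddress.ip_address(d["dst"]),
                          "dport": int(d["dport"]), "action": d["action"],
                          "role": d["role"], "policy": d["policy"]})
    return flows


def flag_guide_ip_flows(flows, guide_ips=DNS_GUIDE_IPS):
    """Group permitted flows to a resolver placeholder address by destination port.

    A flow to such an address means the client was handed a stand-in for a name the
    public resolver could not answer; the port list shows which internal services
    guest clients are actually trying to reach through it.
    """
    by_port = defaultdict(list)
    for f in flows:
        if f["dst"] in guide_ips and f["action"] == "permit":
            by_port[f["dport"]].append(f)
    return dict(by_port)


if __name__ == "__main__":
    print("RFC 1918 space not covered by deny-internal:")
    for g in coverage_gaps(DENY_INTERNAL_RULES):
        print("  ", g)
    print("deny-internal matches 67.215.65.132:", policy_would_deny("67.215.65.132"))
    for port, fl in sorted(flag_guide_ip_flows(parse_authmgr(SAMPLE_LOG)).items()):
        print(f"port {port}: {len(fl)} permitted flow(s) to a guide address")
```

Running it with the thread's values shows why the controller permits the sessions: 67.215.65.132 is public, so deny-internal never matches it and only the rule that references the OpenDNS alias decides its fate. The coverage report lists the eight 172.16.0.0/12 sub-blocks the /20 entry leaves open, so a client given a real 172.17.x.x answer by some other resolution path would not be denied either.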

Guru Elite
Posts: 20,968
Registered: ‎03-29-2007

Re: Open DNS resolving intranet on Internet-only guest network

How are you resolving intranet? Are you just typing it into a browser or are you specifically using nslookup to the Open DNS server? Using nslookup will rule out other, hidden resolution methods not related to DNS. Is it possible that the device you are testing it with has a different way of resolving?



Colin Joseph
Aruba Customer Engineering
