Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problems with Instant and Clearpass CP redirect

  • 1.  Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 03:56 AM

    Hi community,

    We have a strange problem with our Instant and Clearpass.

    We changed the https certificate of our CP to a public certificate, so our guests should not have this certificate issue.

    The certificate was issued for portal.domain.de, so we added the host to our DNS server.

    In the preauth role DNS is allowed to all.

    In the Instant VC we changed the captive portal profile from the IP to the DNS name portal.domain.de, but the redirect doesn't work for our guests.

    The guests get 404 site not found with the IP 172.31.98.1 in the browser's address bar.

    Is this a problem with the IAP dns redirection?

    How can I change this?


    Thanks



  • 2.  RE: Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 04:52 AM

    Hello!

    In your pre-auth role you allow traffic towards that domain?

    Log on to the IAP console and verify that a ping towards the domain name results in a successful lookup.

    Also - have you changed login settings to imply https on Clearpass? And the settings on the IAP? Not relevant to the redirect issue, but just curious ;)



  • 3.  RE: Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 04:57 AM

    Hi,

    I've found something in the Instant user guide; this works for me in my test Instant AP.

    I go to the Instant console:

    conf t

    internal-domains

    domain-name *

    end

    commit apply

    In my test IAP this works fine; in my production IAP cluster the problem is the same... 404 site not found, and the IP 172.31.98.1 in the browser bar...



  • 4.  RE: Problems with Instant and Clearpass CP redirect

    MVP EXPERT
    Posted Feb 14, 2017 05:04 AM

    Hey, if you have a client in the pre-auth role, are they able to resolve the DNS name to the IP address of the CPPM?



  • 5.  RE: Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 05:28 AM
    There are bound to be differences from your lab to production. Set them side by side and verify those differences in the configuration, and make sure that clients are able to resolve the DNS correctly. And just to be sure - you haven't installed the same certificate (which you installed on Clearpass) as a captive portal certificate on the IAP?


  • 6.  RE: Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 05:52 AM
    Yes, I think I have installed the same certificate on the IAP CP as on Clearpass. Is there a problem?


  • 7.  RE: Problems with Instant and Clearpass CP redirect
    Best Answer

    Posted Feb 14, 2017 06:03 AM

    Is it a wildcard certificate or bound to a FQDN?

    If you have a certificate with FQDN installed on the IAP and selected that as Captive Portal profile, the IAP will consider that domain name as its own regardless of whether it's publicly resolvable or not. Just like "instant.arubanetworks.com" and "securelogin.arubanetworks.com". So that is why you are redirected to the VC default guest-VLAN IP.

    If you can do server-initiated login that would eliminate the need for a captive portal SSL-certificate on the IAP. Requirement for this is Radius CoA from Clearpass to the Instant.
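
The cause named in the answer above (a captive portal certificate on the IAP issued for the same FQDN as the external ClearPass portal) can be caught before rollout. The following is an added example, not code from any participant in this thread or from Aruba; the function names, the wildcard handling and the ClearPass address `192.0.2.10` are assumptions for illustration.

```python
import ipaddress

def name_covers(cert_name, host):
    """Return 'exact', 'wildcard' or '' for how a certificate name covers host."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return "exact"
    # A wildcard is honoured only as the whole leftmost label and covers one label.
    if cert_name.startswith("*.") and "." in host:
        if host.split(".", 1)[1] == cert_name[2:]:
            return "wildcard"
    return ""

def check_portal(iap_cert_names, portal_host, client_resolved_ip, clearpass_ips):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    for name in iap_cert_names:
        kind = name_covers(name, portal_host)
        if kind == "exact":
            findings.append(("FAIL", f"IAP captive portal cert is issued for {name}: "
                             "per the thread the IAP treats that name as its own"))
        elif kind == "wildcard":
            # Assumption: the thread does not say how the IAP treats wildcards.
            findings.append(("WARN", f"IAP cert {name} also covers {portal_host}"))
    resolved = ipaddress.ip_address(client_resolved_ip)
    if resolved not in {ipaddress.ip_address(ip) for ip in clearpass_ips}:
        findings.append(("FAIL", f"pre-auth client resolves {portal_host} to "
                         f"{resolved}, not to ClearPass"))
    return findings

if __name__ == "__main__":
    # Constructed input: cert names as listed in the certificate's subject/SAN;
    # 192.0.2.10 is a placeholder ClearPass address, 172.31.98.1 is from the thread.
    for severity, message in check_portal(
            ["portal.domain.de"], "portal.domain.de", "172.31.98.1", ["192.0.2.10"]):
        print(severity, message)
```

Feed it the names from the certificate actually installed on the IAP and the address a client in the pre-auth role gets for the portal name.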



  • 8.  RE: Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 07:26 AM

    OK, I think this is the problem; I've uploaded the FQDN certificate to the Instant. Where can I download the original instant.arubanetworks.com certificate, to restore it on the Instant?



  • 9.  RE: Problems with Instant and Clearpass CP redirect

    Posted Feb 14, 2017 08:48 AM
    Think it's through CLI