Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass blank screen when switching context

  • 1.  Clearpass blank screen when switching context

    Posted 25 days ago
    Hey,

    Ever since our CPPM server was set up, we've had this strange issue when we try to switch from Policy Manager to Guest, or Guest to Policy Manager.  

    When in PM and switching to guest, I get a screen like below (this is the sub, but it's the same on pub, and was the same on pub before the sub was added).

    [screenshot: Guest Manager blank]

    When starting in Guest and switching to Policy Manager, I just get a login.

    This happens regardless of the account used - admin, or an ldap superadmin. 
    If I click logout on the Guest screen, then log in, I can switch back and forth without issue while that session is active. 

    One support case to fix the problem resulted in the admin account being added to a local user policy (it didn't seem right).  That didn't fix it either.  

    Anyone have any ideas?  I was told one time that it used to be a bug but has been fixed.  Well, I'm on 6.9.3.130657, so I must have something else wrong.  
    Thanks,
    PH


    ------------------------------
    Phillip Horn
    ------------------------------


  • 2.  RE: Clearpass blank screen when switching context
    Best Answer

    Posted 24 days ago
    I have only occasionally seen single-sign-on issues between Policy Manager and Guest, just after an upgrade, which most of the time went away after clearing my browser's cache and restarting the browser, or using another browser. The message that you see seems related to the fact that your ClearPass publisher 'thinks' it is a subscriber for Guest operations.

    May I assume that if you check the cluster from your publisher all looks good? Publisher is ok, all subscribers are ok and in sync?

    Aruba support is probably the only team that can fix this for you as I assume that this is somewhere low-level in the configuration database. If you still have the case open, have it escalated. If it is closed, ask to have it re-opened.

    If you can afford down-time, what you might do is make one of your subscribers the publisher and see if that fixes the SSO. Then, if you like, move back to the original publisher. But working with TAC is the safer option.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: Clearpass blank screen when switching context

    Posted 24 days ago
    Hey thanks,
    Yes, the status of the cluster is good from the dashboard. (Not sure if there's somewhere else to check)
    I'll check with support on that ticket (closed) and see about getting some escalation.

    One other thing that may or may not matter for this issue (and may itself be another configuration error): there is a management port and a data port.  
    The integrator that set it up told us that in order to secure the guest wifi, we should use a different vlan for the data port, put the guests there, and then everything else should go to the management port.  See below:
    We ended up with 192.168.x.x/22 from the Palo Alto Fw DMZ set up as the data port, and the guest wifi all works off that network.  Everything else works within the 10.x network to provide connectivity.  Should I fix this?  I hadn't had any training when it was configured, so I didn't really know about the role based firewall built in.  After attending training (ATM18), I learned that many of the things done were not best practice.  Anyway - that probably has nothing to do with the above issue, and I'll check in with support, but I wanted thoughts on this config.
    Thanks.

    ------------------------------
    Phillip Horn
    ------------------------------



  • 4.  RE: Clearpass blank screen when switching context

    Posted 22 days ago
    Phillip,

    I share the idea that having separate interfaces for management and data is not best-practice for ClearPass, where my main concern is that you make the deployment overly complex and it adds very little security. One point of attention is that you mention that 'everything else works within the management port network'; however, by default all outgoing traffic is routed from the data port. If it has been deployed like this, from a distance it's hard to tell if it is worth moving back to a single-interface deployment. Dual-interface deployment is fully supported. I would probably postpone such a change until you have other things to change where the dual interface may interfere with what you are doing, or IP changes where you need to change surrounding routers/firewalls anyway.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 5.  RE: Clearpass blank screen when switching context

    Posted 22 days ago

    Herman,
    Our deployment was set this way from the beginning, but it has been a limited deployment until next month, when we take it live for everyone.  This dual-interface is getting strange, since we now have a pub and sub, and the sub doesn't even have an address on data port. 
    We just got approval to replace the old network (31 switches, ~20 buildings, ~400 APs) and I'm now trying to configure SSO onboard with Azure AD, wired policy enforcement, and student/guest self-registration for devices. 
    Knowing what I know now (which isn't much), I would definitely have made different config choices. 

    How would you recommend (order of operations) to go through configuring if you were going to deploy (or re-deploy) a basically new network with CPPM using Mobility Gateway, 7210 (x2) controllers, 505h (dorms)/515-555(public buildings/classrooms), 6200/6300, and 8325's for core and data center top of rack.

    We have the concept, but as you can see, some of the details are a bit quirky.  We plan to use Onboard for employees' devices (local AD, but want to migrate to Azure AD instead if possible - we have Intune, Defender ATP).  We're using domain authentication for students, but we have yet to solve the IoT (MPSK looks ideal for the Rokus and such).

    We have Airwave, but it's all monitor only, and we have NetEdit, but only a pair of CX switches that just came in, so we have most of the ingredients - it's just the recipe is all jumbled.

    I see a guide for Clearpass Onboard Cloud Identity Provider setup: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=32043

    And a guide for Defender ATP setup:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00100312en_us

    And a guide for Palo Alto Firewall integration:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00101503en_us


    I'd like to use user based tunnel and/or port based tunnel with DUR to simplify the switch configs, but that doesn't seem finished in the CX switches.

    If there were a validated reference guide, I'd try that, but that link is busted.


    I guess I am looking for the ultimate guide for those new to the ArubaHPE platform.  There are almost too many places to get info - I've watched several of your guides on Youtube (very well done, btw) as well as others, but it's hard to see what's the recommended best practice and since there's so much configurability, well...  what now?  :)



    ------------------------------
    Phillip Horn
    ------------------------------



  • 6.  RE: Clearpass blank screen when switching context

    Posted 23 days ago
    It turned out to be an Operator Login - Profile that the company doing the initial integration renamed when they set up the system.  
    When loading the profile after switching, it loaded admin (null) because it was looking for Super Administrator, but that had been renamed. 
    The Super Admin account was restored, and just like that, it works.

    ------------------------------
    Phillip Horn
    ------------------------------
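The root cause in the last post is a dangling reference: the admin account's privilege level still named "Super Administrator", but the integrator had renamed that operator profile, so the context switch resolved the profile to null and the user landed on an empty Guest page or a login prompt. The audit below is an added example, not ClearPass code and not anything from this thread's participants. The JSON export layout, the field names (`operator_profiles`, `admin_users`, `privilege_level`) and the renamed profile name "Contoso Super Admin" are constructed stand-ins for whatever a real ClearPass backup contains; only "Super Administrator" and the admin/Guest/Policy Manager names come from the thread. It shows two things: how to find every admin user whose privilege level points at a profile that no longer exists, and why the lookup must fail closed (no profile means no privileges, never implicit ones).

```python
"""Audit a management-configuration export for admin users whose privilege
level references an operator profile that does not exist, and resolve
privileges fail-closed.

Added example, not ClearPass code. The export format below is constructed
for illustration; real ClearPass backups are not laid out like this.
"""
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OperatorProfile:
    name: str
    # Application contexts the profile may enter (constructed vocabulary).
    contexts: frozenset


@dataclass(frozen=True)
class AdminUser:
    username: str
    privilege_level: str  # references OperatorProfile.name by string


@dataclass
class AuditReport:
    dangling: list = field(default_factory=list)  # (username, missing profile)
    resolved: dict = field(default_factory=dict)  # username -> contexts


def load_export(text):
    """Parse the constructed JSON export into profiles (by name) and users."""
    doc = json.loads(text)
    profiles = {
        p["name"]: OperatorProfile(p["name"], frozenset(p["contexts"]))
        for p in doc["operator_profiles"]
    }
    users = [AdminUser(u["username"], u["privilege_level"]) for u in doc["admin_users"]]
    return profiles, users


def resolve_contexts(user, profiles):
    """Return the contexts a user may enter, or None if the referenced
    profile is missing. Callers must treat None as deny, never as 'all'."""
    profile = profiles.get(user.privilege_level)
    return profile.contexts if profile is not None else None


def can_switch_context(user, profiles, target):
    """Fail-closed check used at the moment of a Policy Manager <-> Guest switch."""
    contexts = resolve_contexts(user, profiles)
    return contexts is not None and target in contexts


def audit(profiles, users):
    """Report every admin user whose privilege level is a dangling reference."""
    report = AuditReport()
    for user in users:
        contexts = resolve_contexts(user, profiles)
        if contexts is None:
            report.dangling.append((user.username, user.privilege_level))
        else:
            report.resolved[user.username] = contexts
    return report


def restore_profile(profiles, expected_name, renamed_to):
    """Re-add the expected profile name alongside the renamed copy so existing
    references resolve again (mirrors 'the Super Admin account was restored')."""
    fixed = dict(profiles)
    fixed[expected_name] = OperatorProfile(expected_name, profiles[renamed_to].contexts)
    return fixed


# Constructed sample export: the integrator renamed the built-in profile, but
# the admin user still references the original name.
SAMPLE_EXPORT = json.dumps({
    "operator_profiles": [
        {"name": "Contoso Super Admin",
         "contexts": ["policy_manager", "guest", "onboard"]},
        {"name": "Help Desk", "contexts": ["guest"]},
    ],
    "admin_users": [
        {"username": "admin", "privilege_level": "Super Administrator"},
        {"username": "helpdesk1", "privilege_level": "Help Desk"},
    ],
})

PROFILES, USERS = load_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    report = audit(PROFILES, USERS)
    for username, missing in report.dangling:
        print(f"DANGLING: user '{username}' -> profile '{missing}' not found")
    print("admin may enter guest:", can_switch_context(USERS[0], PROFILES, "guest"))
    fixed = restore_profile(PROFILES, "Super Administrator", "Contoso Super Admin")
    print("after restore:", can_switch_context(USERS[0], fixed, "guest"))
```

Run this against a real configuration only after mapping the constructed fields onto what the actual export contains; the point carried over is the shape of the check, a pre-upgrade or post-integrator audit that flags every privilege level with no matching profile, plus a resolver that denies on a missing profile rather than silently handing out an empty or default session.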