Wireless Access

 View Only
last person joined: 19 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Guest Wireless DNS Server

This thread has been viewed 14 times
  • 1.  Guest Wireless DNS Server

    Posted Oct 16, 2020 10:01 PM

    Hello,

     

    We are currently set up with the guest wireless using one of our internal DNS servers. We have an ACL in place to restrict all access from the Guest Wireless other than DNS requests over port 53 to our internal DNS server. 

    Our concern is that even though they don't have access to our internal network, they are able to complete NSlookup requests to our Domain Controller and locate internal IP addresses. The Guest users need to resolve the address to our internal ClearPass Server but once they are authenticated they no longer need to use the internal DNS. Is there a way to allow the Aruba Controller to act as the DNS server for the initial ClearPass Authentication then switch the client over to a public DNS server like 8.8.8.8? Or would it be possible to add a DNS record on the Aruba Controller that can resolve the ClearPass domain name and the clients can use the public DNS server? 

     

    Alternatively, if neither of those will work we are planning to install a standalone DNS server that only holds an A record for the ClearPass server then all other requests are forwarded to a public DNS server (8.8.8.8). 



  • 2.  RE: Guest Wireless DNS Server

    EMPLOYEE
    Posted Oct 17, 2020 07:40 AM

    How many ClearPass Captive Portal Servers do you have?  If you have only one, you can just redirect to that ip address and use a public dns server the whole time.



  • 3.  RE: Guest Wireless DNS Server
    Best Answer

    Posted Oct 17, 2020 10:16 AM

    We have a Publisher/Subscriber setup but they are load balancing an IP so we only have the one ClearPass server. However, we have a publicly signed SSL cert imported for our domain. If they are redirected by IP they will get a certificate error. We need a DNS server to resolve the hostname.domainname.us address so they don't get the cert errors. 



  • 4.  RE: Guest Wireless DNS Server

    EMPLOYEE
    Posted Oct 17, 2020 03:02 PM

    You could have solved it by also embedding the ip address into the san of the certificate.



  • 5.  RE: Guest Wireless DNS Server

    Posted Oct 17, 2020 06:44 PM
    I did not think of that. I will reissue the certificate with the up address
    in the SANs name.

    Thanks,
    Jake

    --


    *-------------------- Email Confidentiality Disclaimer
    --------------------* 
    The information in this e-mail is meant only for the
    personal and confidential use of the recipient above. This communication 
    may contain information which is privileged, confidential and exempt from
    disclosure under applicable law. If the person receiving this message is
    not the intended recipient or you have received this message in error, any
    review, publication, copying or other distribution of this information is
    strictly prohibited. If you received this communication in error, please 
    notify the sender immediately by telephone, return the original message to
    me by mail, destroy any copies you may have made and delete the
    communication from any computer and/or storage media. Thank you for your
    cooperation.


  • 6.  RE: Guest Wireless DNS Server

    EMPLOYEE
    Posted Oct 17, 2020 07:15 PM

    That may or may not work.  Take a look at the Certificates 101 Technote here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33288



  • 7.  RE: Guest Wireless DNS Server

    EMPLOYEE
    Posted Oct 18, 2020 03:19 AM

    Hi,

     

    As far as I know, you no longer can issue a signed certificate with embedded IP address (containing a private IP).

     

    I think a cleaner solution is to have an A record for the ClearPass server that is accessible from external public DNS servers..



  • 8.  RE: Guest Wireless DNS Server
    Best Answer

    EMPLOYEE
    Posted Oct 19, 2020 04:53 AM

    That is correct, you can not have private IP space as IP in a public certificate. It should be possible for public IPs if these are owned by you, it may not be possible if the IP is owned by the ISP. It's highly uncommon to have IP addresses in a certificate, and also not needed.

     

    With a certificate that has a public host-name as SAN, I have for example cppm.nl.arubalab.com as a public certificate, you can still point to a private IP address, even in public DNS. If you look up cppm.nl.arubalab.com now, you will see that the IP resolves to 192.168.32.16, which is a perfectly valid situation as the certificate is validated during issuing typically against a DNS record or domain owner mail address, and you control the DNS records. Just make sure that you have a CA that can issue certificates with a different validation than connecting to the IP address as that is unreachable for the CA.

     

    When published like this in your external DNS, then you can even use a public DNS service from your provider or the well known other like 1.1.1.1, 4.4.4.4, 8.8.8.8, 9.9.9.9 or others all the time.

     

    Some people think that you cannot have certificates pointing to private IP spaces, which is a misconception when using a valid public domain name and DNS. You just cannot have them point to a non-public domain name.

     



  • 9.  RE: Guest Wireless DNS Server

    Posted Oct 19, 2020 02:36 PM

    Thank you Herman, this is exactly what I needed. 



  • 10.  RE: Guest Wireless DNS Server

    Posted Dec 06, 2022 02:42 PM

    Hi,

    @Herman Robers may I ask you something about a point in your answer?

    I´m also dealing with an FQDN which is resolved from a public DNS-Server to a private RFC1918 IP-Address... but a Consulting Engineer told me that it`s illigal and not a typical configuration/solution certainly not in a "productive" Guest Wireless enviroment!

    I don´t want to get in any trouble so should I consider to change that concept?




  • 11.  RE: Guest Wireless DNS Server

    EMPLOYEE
    Posted Dec 07, 2022 03:19 AM
    I have not seen that pointing a public DNS to an RFC1918 address would be illegal or against rules, I agree it may 'feel' weird. What is for sure is that clients on the public internet will not be able to reach your services if DNS points to unroutable IP space, so in that perspective it's not something very widespread. As well you may consider that you are publicly publishing information about your internal IP addressing; but the same would apply for external IP addresses and if someone connects to your guest network they would see the IP addresses as well.

    And the alternative would be that you put your ClearPass server on a public IP address, but block traffic to it from outside in your firewall. I don't really see a difference from pointing to unroutable IP.

    The only thing that I have seen over the past years is that some firewalls (mostly consumer/home/SMB) block DNS responses with RFC1918 addresses, but that is because in small environments it may not be common to resolve private IP across a firewall.

    You may ask the Consulting Engineer for a reference that this is illegal, and base your decision on that.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------