Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Captive portal pefng domain whitelisting not working

  • 1.  Captive portal pefng domain whitelisting not working

    Posted Oct 27, 2015 09:13 PM

    hi, sorry for a long question :

     

    We have setup a externally hosted captive portal with Radius authentication using campus WLAN wizard.

     

    We have 512AP pfeng firewall installed, and a few domains are whitelisted as a pefng firewall Destination with that destination whitelisted under L3 authorization tab for the captive portal profile.

     

    The whitelisted domains consists of facebook.com, twitter.com, twimg.com, fbcdn.net .. etc common social media sites.

     

    Our WiFi clients are being served splash page, but can only go to facebook.com to complete the authentication if we add "src-https" (which just allows all port 443 to go through) to the AAA pre authentication user role. This unfortunately enables all HTTPS access. If we do not add "src-https" to the pre authentication user role's access control list, the client cannot be forwarded to facebook.com, twitter.com (page load dropped or timedout) even though it is allowed as a whitelisted destionation under L3 authentication.

     

    We have also tried to create an inverted firewall destination rule, which will reject https traffic to all domains other than facebook.com, fbcdn.net, akamaihd.net .. e.g the domains necessary for facebook login . This also does not work.   Without completing the authentication , the client can still access https resources such as https://youtube.com/ as long as the svc-https rule is there (which is needed for them to go onto facebook.com to complete sign in)

     

    We have tried putting the access rule before, after, svc-https, does not change  a thing, domain whitelisting is not working.

     

     

    The situation is as if pefng Destination domains are being ignored , even though we have definitely specified it under AAA pre auth role.

     

     

     

     

    If we allow all https communication to go through, the clients can authenticate properly with facebook, with the correct RADIUS authentication following after that, and everything works. The only isssue we have is we have to allow all HTTPS communication in order for th e client to go to external social media sites. pefng based domain whitelisting is being ignored.

     

     

    we have setup very similar setup before also using the campus WLAN wizard, and we did not have any problem back then. This current setup is behind a switch and all clients are being assigned to vlan id 500. Not sure if that changes anything, but as long as we enable all https communication, everything works.

     

    Is there some other settings we are missing in order to make the controller apply domain based Destionation whitelist. We see the first access role created by the controller already whitelists http/https traffic to the whitelisted domain that we have under stateful firewall -> Destination.

    It seems, access role is only applying ip,port based whitelisting rather than domain based whitelisting.

     

     

     

    thanks

     

     

     



  • 2.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 27, 2015 09:16 PM

    Did you configure a DNS server on the controller and configure ip domain-lookup?

     



  • 3.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 27, 2015 09:21 PM

    thanks. Initially our DNS wasn't resolving. We have added dns-acl to the pre authentication role and that seems to have resolved that issue. We also had to add dhcp-acl, icmp acl to the pre-auth role.

     

     

     

     



  • 4.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 27, 2015 09:24 PM

    Two things:

     

    The controller itself needs to resolve the urls that users are looking up, so you need to do this:

     

    config t

    ip name-server 8.8.8.8

    ip domain-lookup

     

    The USERS will use whatever DNS server they obtain via DHCP, but that is separate from what you need to do above to allow and block domains.



  • 5.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 27, 2015 09:39 PM

    If things are solved, okay, good.



  • 6.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 28, 2015 11:08 AM

    thanks, we will try this today.

     

    Can you please tell us the correct command on the controller to test domain resolution,

    lets say I want to see how the controller itself resolves fbcdn.net , what do I have to type into the console ?

     

     

     

    thanks

     

     

     



  • 7.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 28, 2015 11:14 AM
    You can type ping www.
    Yahoo.com on the controller's command line.


  • 8.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 28, 2015 11:15 AM

    thanks a lot .



  • 9.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 28, 2015 06:26 PM

    We have now set the DNS on the controller to be the same as what the user's phone will get from DHCP.

     

    Now in the ACL, the controller is allowing some domains but is not allowing others. For example, if we whitelist both facebook.com and twitter.com in the ACL; it will only partially allow facebook.com (i.e., some images don't load).

     

    Question: how does the Aruba Controller handle domain based ACLs. How does this work when its a sub-domain of an allowed domain (e.g., mobile.twitter.com). In this case, if twitter.com was in the ACL,how does the controller allow mobile.twitter.com (does it maintain a cache of all lookups as some of these sites have multiple load-balancing IPs).

     

    Thanks.

     



  • 10.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 12:46 PM

    It seems the Aruba Controller needs to be the DNS proxy for the domain based filters to work. Please confirm.

     

    Essentially, the user device must use the controller as the DNS server and the controller will then proxy the requests upstream. Let us know if this is required of the user devices can use a different DNS server? If not, can the user device use a different DNS IP but the requests be NAT-ed to the controller?

     

    thanks

     



  • 11.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 03:56 PM

    hello, can you tell us why we are getting this error :

    (192.168.0.202) (config) #ip name-server 8.8.8.8
    Failed to update domain

    (192.168.0.202) (config) #ip name-server 192.168.0.101
    Failed to update domain

     

    thanks

     



  • 12.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 04:07 PM

    That message is cosmetic, but wrong.  You typically get that message if you already have those name servers configured.

     

    Type "show configuration | include name-server" to see if that is the case.



  • 13.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 04:35 PM

    thanks, it indeed shows now I have 2 DNS servers setup in the controller.

     

    Can you tell me how to  remove the DNS entries from the controller?

    thanks



  • 14.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 04:41 PM

    no ip name-server 8.8.8.8

     



  • 15.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 05:51 PM

    hi, thanks.

    Can you tell me what I am doing wrong. Why is the controller not answering DNS queries :

     

    (config) #show configuration  | include name-server
    ip name-server 8.8.8.8

    (config) #show configuration  | include lookup       
    ip domain lookup

     

    >>> on the client laptop over wifi :

    >>  nslookup google.com  192.168.0.201
    Server:        192.168.0.201
    Address:    192.168.0.201#53
    ** server can't find google.com: REFUSED

     

    I have checked the firewall rule, it is enabling IP number 17 on port 53 , which is UDP for DNS?

    thanks

     

     

     



  • 16.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 06:08 PM

    When you put that config into the controller it gives a warning that a reboot may be required.

    Have you rebooted the controller?  I have always been sceptical of the need for a reboot, but have seen a few cases recently where the DNS lookups on the controller started working after a reboot.



  • 17.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 06:11 PM

    hi Mike, thanks. Yes we have rebooted the controller.

    But after the reboot, it does not want to answer DNS queries.

    We don't have any kind of firewall rule between the wifi client and the controller, it is a direct

    connection via wifi.



  • 18.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 08:42 PM

    hyc,

     

    Did you type "ping www.yahoo.com" on the commandline of the controller?  What is the result ?

     

    Type "show firewall dns-names" to see if any fqdns in an ACL has been resolved by the controller.

     

    (Aruba7640-US) #show firewall dns-names 
    
    FW DNS names
    ------------
    Name                     Id  InUse  List
    ----                     --  -----  ----
    accounts.google.com      1   1      216.58.218.173 216.58.218.109 216.58.218.205 216.58.218.141 216.58.217.205 216.58.216.45 64.233.160.84 
    facebook.com             5   1      31.13.70.1 31.13.77.6 31.13.76.102 31.13.69.197 69.171.230.5 173.252.74.22 
    graph.facebook.com       3   1      31.13.66.1 31.13.65.1 31.13.74.1 
    ssl.gstatic.com          2   1      173.194.115.88 173.194.115.79 173.194.115.95 173.194.115.87 216.58.218.163 74.125.227.247 74.125.227.248 74.125.227.239 74.125.227.255 216.58.218.195 216.58.218.131 173.194.115.24 173.194.115.23 173.194.115.15 173.194.115.31 74.125.227.191 
                                        74.125.227.175 74.125.227.183 74.125.227.184 74.125.227.207 74.125.227.215 74.125.227.216 74.125.227.223 216.58.218.99 173.194.115.47 173.194.115.55 173.194.115.56 173.194.115.63 216.58.217.195 216.58.216.3 
    fbstatic-a.akamaihd.net  4   1      96.17.163.82 96.17.163.64 96.17.163.65 96.17.163.67 96.16.7.74 96.16.7.41 23.72.136.186 23.72.136.98 96.17.163.42 96.17.163.27 96.17.163.33 96.17.163.58 96.17.163.74 
    
    
    


  • 19.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 10:03 PM
    (config) #show firewall dns-names
    
    FW DNS names
    ------------
    Name                  Id  InUse  List
    ----                  --  -----  ----
    mailgun.net           14  1
    twimg.com             11  1      104.244.43.7 104.244.43.103 104.244.43.167 104.244.43.199 104.244.43.231 104.244.43.71 104.244.43.35 104.244.43.163 104.244.43.39 104.244.43.99 104.244.43.195 104.244.43.135 210.163.219.24 104.244.43.131 104.244.43.67 104.244.43.3
    mbna.ca               17  1
    bootstrapcdn.com      13  1      94.31.29.154
    connect.facebook.net  5   1
    facebook.com          3   1      31.13.74.1 69.171.230.5 31.13.71.1 31.13.69.197 31.13.74.3 31.13.74.37
    twitter.com           10  1      199.59.149.230 199.59.148.10 199.59.150.39 199.59.148.82 199.59.148.85 199.59.150.11 199.59.149.198 199.59.150.7 199.59.148.23 199.59.149.201 199.59.150.46 199.16.156.38 199.16.156.230 199.16.156.198 199.16.156.6 199.16.156.70 199.16.156.241

    and ping www.yahoo.com is very strange, I was able to run ping with a domain name before, but

    now it tells me there's an error in the ping command's syntax.

    ping ?
    <target-ip-address>     Send ICMP echo packets to the specified ip address.
    ipv6                    Ping an IPv6 address.
    
    
    #ping yahoo.com
    Incorrect input! Use 'ping <target-ip-address>'


  • 20.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 10:05 PM

    Did you do:

     

    config t

    ip domain-lookup?

     



  • 21.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 29, 2015 11:51 PM

    yes, as you can see :

     

    (config) #show configuration  | include lookup       
    ip domain lookup

     

     

    thanks



  • 22.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 30, 2015 09:20 AM

    Did you reboot after you changed the option?  It will work "sometimes" if you do not reboot.



  • 23.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 30, 2015 10:39 AM

    yes, we have rebooted it , we also made sure we write memory

     



  • 24.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 30, 2015 10:42 AM

    Try doing :

     

    config t

    no ip domain-lookup

    ip domain-lookup

    ip name-server 8.8.8.8

     

     

     

    If that does not work, please open a tac case, because we would need to understand the state of your device to understand what could possibly be happening.



  • 25.  RE: Captive portal pefng domain whitelisting not working

    Posted Oct 27, 2015 09:24 PM

    The thing is, as soon as we allow svc-https everything works. The external portal page redirects the client using DNS name and not IP.  (e.g. clients get redirected to https://graph.facebook.com/oauth/authorize.... via javascript in their mobile browser)