Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Guest Access certificate error

This thread has been viewed 38 times
  • 1.  Clearpass Guest Access certificate error

    Posted Jul 15, 2024 03:56 AM

    Hello Everyone!

    We have deployed a Clearpass Guest access, with sponsor approval, everything works smoothly, apart from one major issue, the Portal is not trusted by the Guests.

    How can we make the portal trusted for the Guests?

    Where should we upload a public cert, to the AP which serves the SSID?

    And what should that CERT contain in the CN? I mean the portal is on Clearpass server which has an internal address.

    What is the best practice?

    Thanks in advance,

    Mate



  • 2.  RE: Clearpass Guest Access certificate error

    Posted Jul 15, 2024 08:14 AM

    Check this video series, most relevant Installing the HTTPS certificate on ClearPass, and the Guest section.

    Certificate matching these days works based on the SAN, no longer on the CN, but normally when you request a web server certificate on FQDN the first SAN is set to the CN.

    Because the SAN is set to a FQDN, it's no problem if the ClearPass server is on an internal (private) IP address, as long as you can map a public DNS name (FQDN) to that private IP.

    You will need a certificate for your ClearPass and one for the AP or controller; which is explained in those videos.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass Guest Access certificate error

    Posted Jul 15, 2024 08:47 AM

    So I have to request a Public Certificate which has the FQDN of the Clearpass server in the SAN field, okay its not a proiblem because I have a wildcard cert.

    And I should create a public DNS record which points to an internal (RFC1918) ip address?   Or how will the client know the address of the Clearpass server?

     

    The same is the case with the AP.

     

    Thank Herman!!

     

     






  • 4.  RE: Clearpass Guest Access certificate error

    Posted Jul 15, 2024 09:26 AM

    If you have a wildcard, you can use the same for ClearPass and the AP; if I'm correct that's also what I have done in the video.

    For ClearPass, you indeed need to have a DNS entry, which can be in a (local) DNS server which is accessible from the guest network (or networks where you use the captive portal from); but putting it in public DNS, indeed with an RFC1918 private IP, that is more reliable as some devices (I've seen iPhones doing that) seem to use a public DNS server or do the DNS resolution even via the cellular network.

    The AP will 'spoof' it's IP when it sees a DNS request for the first SAN of your installed certificate (or captiveportal-login.* for a wildcard cert) through the AP/controller.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass Guest Access certificate error

    Posted Jul 16, 2024 03:11 AM

    But, a friend of mine told me, registering internal addresses on public DNS records is a kinda bad move, the service provider can even withdraw the NS from us.

    It this really the best practice?

    Allow access to the local DC is simple not possible, because the goal of the GuestWfi is to have a separate and independent internet access from the Internal zones.

    So currently I dont know where to go.

    Thanks your comments!




  • 6.  RE: Clearpass Guest Access certificate error

    Posted Jul 16, 2024 03:24 AM

    Hi

    Most customers I work with either do as Herman mentioned in his response and put one record in the public DNS pointing to an RFC1918 address for the name they use for the guest pages in ClearPass. Could be guestlogin.domain.com.

    Another option is to host a DNS zone on a server that only guests can resolve from, and in this server have the record to resolve the ClearPass IP.

    You can also put ClearPass behind a NAT firewall with external IP, but only opening from the guest network or a reverse proxy. But I have not seen this implemented at any customer.

    Normaly ClearPass is also accessible by several other names like:

    • clearpass.domain.com (Management alias pointing to the publisher)
    • serverxyz.domain.com (One name for each server in the cluster)
    • radiusxyz.domain.com (Alias for RADIUS traffic, with DUR it's good to point to an alias instead of server names)

    All these names must be in the the certificate as SAN or the certificate must be issues to a wildcard *.domain.com and this would in most cases be the easiest way to implement the needed names.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Clearpass Guest Access certificate error
    Best Answer

    Posted Jul 16, 2024 05:20 AM

    One thing on having private IP in public records is that I've seen some firewalls/DNS servers, in order to protect against DNS Rebinding, can filter out private IP responses from public DNS servers. If your guests use an internal DNS server that has such a protection, you may need to disable that for the domain that you use for the guest captive portal.

    But it's simple for you to test with a domain name that I use:

    % dig cppm.arubalab.com @8.8.8.8
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29358
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;cppm.arubalab.com.             IN      A
    
    ;; ANSWER SECTION:
    cppm.arubalab.com.      10834   IN      CNAME   cppm.nl.arubalab.com.
    cppm.nl.arubalab.com.   34      IN      A       192.168.32.51
    
    ;; Query time: 8 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
    

    If this really would be a problem, the large public DNS providers would filter out these responses as it would be a very easy way. Also, expect that it sounds weird, I would not see the issue as you as domain owner put in a pointer to an IP address that has limited accessibility; similar to if you would put in a public IP and firewall traffic to it. Jonas (and others) confirmed that this approach works, and if it feels better for your friend, get a public IP and use that with/without NAT, nothing prevents you from doing that, just don't think it's needed.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Clearpass Guest Access certificate error

    Posted Jul 16, 2024 05:30 AM

    Thank you for your explanation and your comments, I will get back to you after the implementation.

    BR




  • 9.  RE: Clearpass Guest Access certificate error

    Posted Sep 10, 2024 10:24 AM

    Hello  Herman and Jona!

    Your answer was the solution. It is working with public FQDN and private address.

    Many thanks.