Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

disable autocomplete username and password ClearPass

  • 1.  disable autocomplete username and password ClearPass

    Posted May 14, 2024 12:13 PM

    Dear Team,

    Recently, we have identified a vulnerability in the autocomplete field for username and password on our website through ClearPass. Upon inspection, we noticed that the password is set as autocomplete="new-password" in the HTML text, which poses a security risk. To address this vulnerability, it is necessary to modify the text to autocomplete="off".

    I would like to request guidance on the best way to make this change. Should we address it from the ClearPass server or would it be more appropriate to modify the HTML directly? I would appreciate your recommendations on the most effective and secure approach to implement this correction.

    Thank you for your attention and prompt response.

    Best regards,

    Andres Gama



  • 2.  RE: disable autocomplete username and password ClearPass

    Posted May 17, 2024 07:22 AM

    Hi Andreas.

    You should use the ClearPass field definition in the form to block the auto-completion:

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 3.  RE: disable autocomplete username and password ClearPass

    Posted May 17, 2024 09:36 AM

    Good morning, GorazdKikelj,

    Thank you for responding. I am validating in ClearPass Guest on the "Web Logins" tab, and the indicated option does not appear (I have attached a screenshot with the options that do appear). I would like to know if this configuration is done in ClearPass Guest or in ClearPass Policy Manager.

    Additionally, when I inspect the username field on the login page, it shows as "off", and the password field shows as "new-password". Thank you very much for the information, and I look forward to your assistance. The current version we are using is ClearPass Policy Manager 6.10.0.180076.

    INSPECT USERNAME

    <input id="username" name="username" value="" style="width:200px;" type="text" autocomplete="off">

    INSPECT PASSWORD

    <td class="nwaBody">
        <input type="hidden" autocomplete="new-password" name="F_password" id="Fake_auth_login_password" value="0">
        <input type="password" name="password" id="pw" style="width: 200px;" autocomplete="new-password">
        <input type="password" autocomplete="new-password" value="no-ff-pwmgr-1" style="display:none;">
        <input type="password" autocomplete="new-password" value="no-ff-pwmgr-2" style="display:none;">
        <input type="password" autocomplete="new-password" value="no-ff-pwmgr-3" style="display:none;">
        <input type="password" autocomplete="new-password" value="no-ff-pwmgr-4" style="display:none;">
        <input type="hidden" id="next" name="next" value="">
    </td>




  • 4.  RE: disable autocomplete username and password ClearPass

    Posted May 17, 2024 09:53 AM

    Hi Andreas.

    Maybe I was not clear enough. You will find global form field definitions in Guest / Configuration / Pages / Fields. You should look into the specific configuration of form fields for your page, so you never want to redefine default fields but only the form copy of the field.

    Best, Gorazd   



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 5.  RE: disable autocomplete username and password ClearPass

    Posted May 17, 2024 11:57 AM

    Of course, here is the English translation:


    Good morning,

    I wanted to inform you that I have found the option to disable autocomplete in the password field in ClearPass Guest. I have checked the corresponding box to deactivate it. However, I would like to confirm if this setting also affects ClearPass Policy Manager.

    When I inspect the elements, I notice that autocomplete still seems to be active. Could you please confirm if the option I selected disables autocomplete for ClearPass Policy Manager?

    I greatly appreciate your assistance.

    Best regards,

    Andres Gama




  • 6.  RE: disable autocomplete username and password ClearPass

    Posted May 17, 2024 01:09 PM

    Hi Andres.

    This option should only affect the web form when you disable it. If you disable it on the global level, it will affect all forms where it is used.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 7.  RE: disable autocomplete username and password ClearPass

    Posted May 17, 2024 03:16 PM

    Good afternoon,

    I would like to know how to globally disable this feature. As I mentioned before, the company conducted an audit and found this feature to be a vulnerability. It needs to be disabled across the entire platform.

    Thank you very much.




  • 8.  RE: disable autocomplete username and password ClearPass

    MVP
    Posted May 27, 2024 07:22 AM

    This is the option which Disables Browsers auto-complete.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------
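
Added example, not part of any post in this thread and not Aruba code: a small Python check that reads the rendered login-form HTML and reports which visible credential fields carry an autocomplete value other than the one the audit requires, so the effect of the field setting can be confirmed after each change. The markup is the snippet quoted in post 3; the names `audit` and `findings` and the `required` parameter are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Login-form markup as quoted in post 3 of this thread (indentation adjusted).
SAMPLE_HTML = """
<input id="username" name="username" value="" style="width:200px;" type="text" autocomplete="off">
<td class="nwaBody">
  <input type="hidden" autocomplete="new-password" name="F_password" id="Fake_auth_login_password" value="0">
  <input type="password" name="password" id="pw" style="width: 200px;" autocomplete="new-password">
  <input type="password" autocomplete="new-password" value="no-ff-pwmgr-1" style="display:none;">
  <input type="password" autocomplete="new-password" value="no-ff-pwmgr-2" style="display:none;">
  <input type="password" autocomplete="new-password" value="no-ff-pwmgr-3" style="display:none;">
  <input type="password" autocomplete="new-password" value="no-ff-pwmgr-4" style="display:none;">
  <input type="hidden" id="next" name="next" value="">
</td>
"""

class InputAudit(HTMLParser):
    """Collects the autocomplete attribute of every text/password <input>."""
    def __init__(self, required):
        super().__init__()
        self.required = required
        self.rows = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        itype = a.get("type", "text").lower()
        if itype not in ("text", "password"):
            return  # only fields a user types credentials into are audited
        style = a.get("style", "").replace(" ", "").lower()
        value = a.get("autocomplete")  # None when the attribute is absent
        self.rows.append({
            "field": a.get("name") or a.get("id") or a.get("value"),
            "type": itype,
            "visible": "display:none" not in style,  # decoy fields are hidden
            "autocomplete": value,
            "compliant": value is not None and value.lower() == self.required,
        })

def audit(html, required="off"):
    """Return one row per text/password input found in the page."""
    parser = InputAudit(required)
    parser.feed(html)
    return parser.rows

def findings(html, required="off"):
    """Names of visible fields whose autocomplete differs from `required`."""
    return [r["field"] for r in audit(html, required)
            if r["visible"] and not r["compliant"]]

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML):
        print(row)
    print("non-compliant visible fields:", findings(SAMPLE_HTML))
```

The report reflects only what the server emits; browsers treat the autocomplete attribute as a hint, so the markup alone does not show how a particular browser or password manager will behave.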