Unable to access ClearPass GUI using FQDN after upgrade from 6.6.9 to 6.6.10

MVP Expert
Problem:

Unable to access the ClearPass GUI via FQDN after upgrade from 6.6.9 to 6.6.10. We notice the below error:

 

Access works when using the IP address instead.



Diagnostics:

This behaviour follows RFC 3986, under which underscores are treated as unsafe in server hostnames and other elements.

 

The fix is to ensure that the server hostname does not contain an underscore. From Apache httpd version 2.2.32 or 2.4.24 and later, HttpProtocolOptions is set to Strict rather than Unsafe. With HttpProtocolOptions set to Strict, httpd does not allow an underscore in the FQDN of the server hostname, as per RFC 3986.

 

In ClearPass server version 6.6.9, the httpd version is 2.4.17 (and therefore allows an underscore in the server hostname); in ClearPass server version 6.6.10, the httpd version is 2.4.29 (and therefore does not allow an underscore in the server hostname).

 

ClearPass server version 6.6.9:

 

 

ClearPass server version 6.6.10:

 

Reference link: https://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions 



Solution

The fix is to configure a server hostname (FQDN) that does not contain an underscore.
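
A pre-upgrade check for this condition, as an added example that is not part of the original article or of ClearPass: it tests each node FQDN against the letter-digit-hyphen hostname rule, which approximates what strict parsing accepts and is not httpd's own code. The function names and the sample hostnames are hypothetical.

```python
import re

# One DNS label under the letter-digit-hyphen (LDH) rule: 1-63 characters,
# alphanumeric at both ends, hyphens allowed only in the middle.
# This is an assumption-level approximation, not httpd's own parser.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def hostname_problems(fqdn):
    """Return the reasons an FQDN fails the LDH hostname rule (empty if none)."""
    # A single trailing root dot is legal in an FQDN; ignore it.
    name = fqdn[:-1] if fqdn.endswith(".") else fqdn
    if not name:
        return ["empty hostname"]
    problems = []
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading or consecutive dot)")
        elif "_" in label:
            # The case described in this article.
            problems.append(f"label {label!r} contains an underscore")
        elif not LDH_LABEL.fullmatch(label):
            problems.append(f"label {label!r} is not a valid LDH label")
    return problems


def audit(hostnames):
    """Map each failing hostname to its list of problems."""
    return {h: p for h in hostnames if (p := hostname_problems(h))}


# Constructed sample inventory (hypothetical names, not from the article).
SAMPLE_NODES = [
    "cppm-pub.example.com",
    "cppm_sub1.example.com",
    "cppm-sub2.example.com.",
    "-cppm.example.com",
    "cppm..example.com",
]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_NODES).items():
        print(f"{host}: {'; '.join(problems)}")
```

Run it against the list of node FQDNs before upgrading; any name it reports should be renamed first.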

 

Version history
Revision #:
2 of 2
Last update:
‎09-21-2018 04:14 AM
Comments

How does changing the FQDN affect the authentication etc.? Since RADIUS certs are issued to the CPPM with CN= to the hostname, simply changing the hostname and not the cert would cause authentication issues, isn't it?
