Security

Hi,

I have still a little problem with CP Guest. When I try to reset my password or access the self service area, I have a browser error " too many browser redirects".

I have read this page http://community.arubanetworks.com/t5/Community-Knowledge-Base/Preventing-too-many-browser-redirects-during-guest-access/ta-p/17173 but I don't know how to apply it to my network. We are using IAP-105 by our customer and they access our CP Guest portal thru the Internet. So I don't know where I need to configure it.

Anyone can help me to solve this. Thanks

Regards

Dimitri

You would need to allow traffic to the ip address of the CPPM box using http and https, if you have not done that already..

Hi,

Here is a diagram of this project, perhaps it would help to clarify the situation :

Where do I need to allow traffic to the CPPM ? In the IAP or in my firewall ?

In the IAP.  Your guests must have an ACL that allow them to go to the ip address of CPPM over HTTP and HTTPS.

Currently I have a Network-based rule that allowed :

- Allow any on server "internal GW ip address"

- Deny any to network "customer internal network"

- Allow any to all destinations

Do the users reach the CPPM on the public ip address?  That is what you need to allow http and https to.

Yes they do.

Now my rules are : 

- Allow any on server "internal GW ip address"

- Allow https on server "CP public ip address"

- Allow http on server "CP public ip address"

- Deny any to network "customer internal network"

- Allow any to all destinations

It makes no differences.

Did this ever work?

Everything works except the reset password and the self service area.

So at what point does the user get the "too many browser redirects" error?

At 2 points :

- when they try to reset password

- when they try to access the self-service area

Is the URL prefix different for self-service and reset password than it is for regular guest access?

Yes it is :

For regular guest access it is : securelogin.arubanetworks.com:8080/guest/...

For self-service and reset password it is : cp01.wi-free.ch/guest/...

Okay.  You get too many redirects because you need to allow http and https traffic to go to whatever the client resolves that is http://cp01.wi-free.ch

I understand but it's not possible in the IAP to use DNS name instead of IP address in the rules, right ?

That is not the problem.  What ip address does that URL resolve to, and can your clients reach it?  Find out what the ip address is..

If not replace link to the self service URL with the public ip address like this http://<public ip address>/guest/whatever....  and permit your client http/https traffic to that ip address...

Ok so the IP address of the URL is the public IP address of my ClearPass server.

I have remplaced the link with the ip address (public IP address of CP server) and permit the traffic for http/https, still the same issue.

Can you reach that URL from a regular computer on the internet?

Yes I can.

Ok I'll do this, thanks.

Dimitri