Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass access via Guest network

  • 1.  ClearPass access via Guest network

    Posted Oct 02, 2014 07:57 AM

    Hello,

    I have configured on my controller an initial role (for Guest) where I added 2 more rules for HTTP and HTTPS access to the ClearPass manager. In this case if a user connects, he gets the initial role and he is able to get the captive portal from the ClearPass manager. BUT if I specify in HTTP the IP of the ClearPass manager, then I get a window for ClearPass and I am not redirected to the CP window. It might be a security issue for us. What is the recommendation? I am using only the management port on the ClearPass manager; should I use the data port for this problem?

    Thanks,

    Dusan



  • 2.  RE: ClearPass access via Guest network

    EMPLOYEE
    Posted Oct 02, 2014 08:19 AM

    HTTP should be redirected as well. Can you post your initial role?



  • 3.  RE: ClearPass access via Guest network

    Posted Oct 02, 2014 08:37 AM

    This is the initial role:


    (POD20AW1) #show rights CPG-Login

    Derived Role = 'CPG-Login'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 50/0
     Max Sessions = 65535

     Captive Portal profile = ClearPass-CaptivePortal

    access-list List
    ----------------
    Position  Name           Type     Location
    --------  ----           ----     --------
    1         CP-webACL      session
    2         logon-control  session
    3         captiveportal  session

    CP-webACL
    ---------
    Priority  Source  Destination     Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------     -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    192.168.100.22  svc-http   permit                           Low                                                           4
    2         user    192.168.100.22  svc-https  permit                           Low                                                           4
    logon-control
    -------------
    Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any                      udp 68    deny                             Low                                                           4
    2         any     any                      svc-icmp  permit                           Low                                                           4
    3         any     any                      svc-dns   permit                           Low                                                           4
    4         any     any                      svc-dhcp  permit                           Low                                                           4
    5         any     any                      svc-natt  permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

    Expired Policies (due to time constraints) = 0


    Dusan
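A defender-side way to audit which rule a guest's TCP flow hits in the CPG-Login role posted above, added here as an example that is not part of the thread. It assumes the session ACLs are evaluated in position order with first match winning, and uses a constructed controller address.

```python
# Added example, not from the thread: a small model of how the CPG-Login role
# posted above evaluates a TCP flow from a user, assuming the session ACLs are
# checked in position order and the first matching rule wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SERVICES = {"svc-http": 80, "svc-https": 443}   # TCP services used below

@dataclass
class Rule:
    acl: str       # ACL the rule belongs to
    dst: str       # "any", "controller", a host IP, or "net/mask"
    service: str   # key of SERVICES, or "any"
    action: str    # "permit", "deny" or "dst-nat <port>"

# Rules from the posted role that can match a user's TCP flow, in evaluation
# order. logon-control's UDP/ICMP/DNS/DHCP rules are omitted (never match TCP).
CPG_LOGIN: List[Rule] = [
    Rule("CP-webACL", "192.168.100.22", "svc-http", "permit"),
    Rule("CP-webACL", "192.168.100.22", "svc-https", "permit"),
    Rule("logon-control", "169.254.0.0/255.255.0.0", "any", "deny"),
    Rule("logon-control", "240.0.0.0/240.0.0.0", "any", "deny"),
    Rule("captiveportal", "controller", "svc-https", "dst-nat 8081"),
    Rule("captiveportal", "any", "svc-http", "dst-nat 8080"),
    Rule("captiveportal", "any", "svc-https", "dst-nat 8081"),
]

def first_match(rules: List[Rule], dst_ip: str, dport: int,
                controller_ip: str = "192.168.100.1") -> Optional[Tuple[str, str]]:
    """Return (acl, action) of the first rule matching a user -> dst_ip:dport
    TCP flow, or None for the implicit deny. controller_ip is a constructed
    placeholder; substitute the controller's real address."""
    for r in rules:
        if r.service != "any" and SERVICES[r.service] != dport:
            continue
        if r.dst == "controller":
            if ip_address(dst_ip) != ip_address(controller_ip):
                continue
        elif r.dst != "any" and ip_address(dst_ip) not in ip_network(r.dst, strict=False):
            continue
        return r.acl, r.action
    return None

if __name__ == "__main__":
    # HTTP straight to the ClearPass IP is permitted by CP-webACL before the
    # captiveportal dst-nat rule is reached; HTTP elsewhere is redirected.
    print(first_match(CPG_LOGIN, "192.168.100.22", 80))  # ('CP-webACL', 'permit')
    print(first_match(CPG_LOGIN, "198.51.100.10", 80))   # ('captiveportal', 'dst-nat 8080')
```

Running it against the role shows why a browser pointed directly at the ClearPass address never reaches the redirect rule, which is the behaviour described in the opening post.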



  • 4.  RE: ClearPass access via Guest network



  • 5.  RE: ClearPass access via Guest network

    Posted Oct 10, 2014 03:56 AM

    Thanks