Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 6.4 php code support

  • 1.  Clearpass 6.4 php code support

    Posted Mar 15, 2015 05:55 PM

    I have a custom php page hosted in the clearpass public directory. All of the code is html, but I have a few lines using php.

     

    With clearpass 6.4, the php tag is no longer supported.  Basically what I want to achieve is to pass the page url to the href in an <a></a> link in the same webpage. Is there a workaround for using php? Or any other alternative scripting language supported by clearpass 6.4?

     



  • 2.  RE: Clearpass 6.4 php code support

    Posted Mar 15, 2015 06:00 PM

    I mean clearpass 6.5.



  • 3.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Mar 16, 2015 03:19 AM
    I would post an example of your code


  • 4.  RE: Clearpass 6.4 php code support

    Posted Mar 16, 2015 06:46 PM

    php code:

    <?php

    ?>

    this is broken on clearpass 6.5

     

     

     

     



  • 5.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Mar 16, 2015 07:01 PM

    Not broken, but removed, according to the release notes with 6.5.  Are you trying to do something before login or after login?



  • 6.  RE: Clearpass 6.4 php code support

    Posted Mar 16, 2015 07:12 PM

    Before login, I have some customization script... I capture the page url https://cppm.com?mac=xxxx and use php to write this code on the page link.  Since php is not supported anymore, my custom captive portal page is broken.

     

    Is there a workaround on this issue?



  • 7.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Mar 17, 2015 03:41 AM

    There is not a workaround for this, unfortunately.



  • 8.  RE: Clearpass 6.4 php code support

    Posted Mar 17, 2015 12:32 PM

    Actually, there is a workaround. Just know that you are exposing your system to potential security risks by re-enabling the {php} feature. We suggest that you find another way to accomplish what you need.

     

    Within CP Guest, go to Administration > Plugin Manager. Click Configuration under Kernel Plugins > Kernel. For the item Template Scripting you will find three choices. These choices control the usage of {php} tags.

     

    Secure (the default, prevents usage of {php} tags)

    Insecure - Enable templating engine (allows use of {php} tags)

    Warn - Allow but log usage of restricted calls (self explanatory)



  • 9.  RE: Clearpass 6.4 php code support

    Posted Apr 10, 2015 11:44 AM

    Will enabling this option allow php code in a page in https://cppm/guest/public/test.php to run? 

    I enable this option but it does run the php code in test.php. 

     



  • 10.  RE: Clearpass 6.4 php code support
    Best Answer

    Posted Apr 10, 2015 11:52 AM

    It's working now. I have to restart the clearpass.



  • 11.  RE: Clearpass 6.4 php code support

    Posted Sep 29, 2015 01:45 PM

    Hi,

     

    I am using a piece of PHP code to do the same thing as well, as part of a custom landing page for our guest network.

     

    This code was to allow the MAC information to be passed between pages.

     

    If it is advisable to not enable the execution of PHP code, is there another way of accomplishing this without getting rid of the custom landing page?

     

    Cheers

     



  • 12.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Sep 29, 2015 07:41 PM

    Bourne,

     

    You did not mention specifically what you are trying to accomplish with your custom landing page or passing mac info between two pages.



  • 13.  RE: Clearpass 6.4 php code support

    Posted Sep 29, 2015 08:19 PM

    Sorry I should have gone into more detail! 

     

    One of the issues that I discovered after implementing our custom portal page was that the MAC information that is added in the address bar after the initial redirect is not available once you navigate away from that initial page. When Onboarding, I found that without the MAC information in the address bar the CPPM application log reports the following warning

    Application_Log_001.png

     

    I was using PHP code provided by @cappalli to capture the MAC information in a variable and pass it along to the other pages available off the custom portal page. It was working great, but I noticed with the latest CPPM update it wasn't working anymore. I understand why now though. I found the note in the release notes about disabling the smarty tags.

     

    I am now looking for a way to handle this issue. I am looking at javascript currently to replace the PHP code. Or I may look at transitioning our Onboarding page away from our public guest portal to our secure employee ssid as per Aruba's suggested model.

     

    Our Onboarding has been handled by the unsecure SSID to secure SSID model, but maybe it is time to change. By changing it I can do away with the custom portal all together and just have it land on an Onboarding page.

     

    It has been a little while since I have been able to look at all the new options in CPPM so I am probably out of touch with all that is possible.

     

    Cheers



  • 14.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Sep 29, 2015 08:28 PM

    Hm. You shouldn't need that anymore since the MAC is available to any page during the process. Are all of the pages in the sequence hosted on ClearPass?



  • 15.  RE: Clearpass 6.4 php code support

    Posted Sep 29, 2015 08:41 PM

    Seriously? That sounds excellent!

     

    Yes, all the pages are hosted on the CPPM.

    The first page that gets redirected to is available from the /guest/public/ location. Not sure if this has anything to do with it?

     

    On that page I also have some javascript code that will detect mobile devices and redirect to a mobile specific page under /guest/public.

     

    I have since removed the PHP code that was capturing the MAC address information since it was completely breaking the redirection. During my test today I didn't see the MAC address information at all. The warning message I posted above is from a device I Onboarded today. 

     

    Maybe I am not deploying these pages correctly or missing a configuration? Does the MAC information display in the same manner it did under the previous versions?



  • 16.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Sep 29, 2015 08:56 PM

    It won't appear in the URL on the second page, but it's stored as a variable in the template engine.

     

    You can test this by adding this code to the second page (in the header or footer) and seeing if it returns your MAC address:

     

    <p>show extra_fields:
    {dump var=$extra_fields export=html}
    </p>


  • 17.  RE: Clearpass 6.4 php code support

    Posted Sep 29, 2015 09:08 PM

    Awesome thank you!

    I will give that a try when I get into the office tomorrow.

     

    In order to pass the MAC address information along during the onboard do I need to do something specific to get the page to pass it along with the onboard request? Or is this something that is handled automatically by the template?



  • 18.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Sep 29, 2015 09:10 PM
    It *should* happen automagically in the background as long as the first page that has the URL parameter is served up by ClearPass and is a php page. 


    Thanks, 
    Tim


  • 19.  RE: Clearpass 6.4 php code support

    Posted Sep 29, 2015 09:21 PM

     That is good to know.... Both my pages are PHP, but I don't want to rule out that I have a coding error somewhere on the page that could be causing a problem.

     

    But I won't speculate too much until I can run your test tomorrow. Once I know what is going on there I will report back!

     

    Thanks for the info and troubleshooting steps! Hopefully will have more info tomorrow.



  • 20.  RE: Clearpass 6.4 php code support

    Posted Sep 30, 2015 08:00 AM

    I just wanted to provide a little diagram of the flow of the pages.

    Our Onboard process involves the users connecting to our guest network, they are then redirected to our custom portal page, they then click a link which brings them to our Onboarding page. Diagram below illustrates this process:

    Redirect_001.png

    *note* I should mention that the welcome.php is the page handling the mobile redirection. This is achieved with some javascript.

     

    I added the code suggested to the "onboard.php" page.

    From a laptop:

    When I tested from the laptop, when I first land on welcome.php the information is in the address bar

    Redirect_002.png

    When I navigate to onboard.php the address bar no longer contains the information and the output from the code shows a value of "1"

    Redirect_003.png

     

    From an Android phone:

    The behavior is similar on an Android phone with the exception that there is never any information in the address bar. I can only assume that the MAC information is being lost because of the redirect from welcome.php to mobile.php.

    On the Android phone the code output is the same as shown above.

     

    I must be confusing the template somewhere along the line with the custom portal page. Maybe it doesn't get a chance to correctly store the MAC information?



  • 21.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Sep 30, 2015 08:03 AM
    Is the welcome page a raw PHP page that you uploaded to the public directory
    or is it configured as a ClearPass page?


  • 22.  RE: Clearpass 6.4 php code support

    Posted Sep 30, 2015 08:22 AM

    Both the welcome page and mobile page are raw php pages uploaded through the content manager system. They were not designed through the ClearPass itself.



  • 23.  RE: Clearpass 6.4 php code support

    EMPLOYEE
    Posted Sep 30, 2015 08:24 AM
    That would be the next thing to try. Take your code and create a new page
    under Pages > Web Pages and add your code there. These pages use the
    template engine.


  • 24.  RE: Clearpass 6.4 php code support

    Posted Sep 30, 2015 08:32 AM

    Ah okay. I will give this a try. It might take me a little bit to set this up.

    I will report back once I am able to test!

     

    Thank you



  • 25.  RE: Clearpass 6.4 php code support

    Posted Oct 01, 2015 02:55 PM

    Sorry for the delay in response.

    I was finally able to get some time to create the web page.

     

    I ended up needing to strip out all of the javascript I had on the page as it appears the web pages do not support javascript created from within CPPM.

     

    I modified the page to have a single link that links to the onboard page.

    It appears that the MAC address information is not being passed to the onboard page even when using a page created from the section mentioned.

     

    The only other thing I can think to try is to create a very basic HTML page that contains a single link to the Onboard page and see if the MAC address information is able to be passed.

     



  • 26.  RE: Clearpass 6.4 php code support

    Posted Nov 12, 2015 11:03 PM

    Hi,

     

    So I managed to find a way to do the same thing the PHP code was doing, but using Javascript.

    I did not write this code, I had help from a Java developer where I work.

     

    In the top of your HTML page define your javascript section.

     

    <script type="text/javascript">
    
    </script>

    Next, we define a function that will capture the portion of the URL we want to carry forward to the next page. The URL you define should be the page that you want to link to.

     

     

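    <script type="text/javascript">
    function redirectURL() {
      // Split the current URL at '?' so the query string (the MAC information) can be carried forward.
      var res = document.URL.split('?');
      window.location = 'https://page.mycompany.com/guest/GuestRegistration.php?' + (res[1] || '');
      return false; // cancel the default action of the href="#" link
    }
    </script>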

     

     

    Then, in my case I was using an <a href..>  to provide a link to the guest registration page. Modify the link to call the javascript function.

     

    <a href="#" onclick='return redirectURL();'>Guest Registration Page</a>

     

     

    You can then create multiple functions based on the number of links you need to carry the MAC information forward on. I know this isn't as pretty as the built in system that @cappalli is talking about. But it will do the trick to get you past your initial landing page.

     

    And as a result of doing this, the built in Aruba solution can then take over on the next page, as long as you are hitting one of their builtin pages. In my case I am hitting an Onboard page generated by Aruba.

     

    When I dumped the contents of the variable below on the linked page as @cappalli described, I could see that it contained all the important information about the device.

    {dump var=$extra_fields export=html}

     

    Thanks @cappalli for your information it was great help.
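
A stricter variant of the JavaScript in post 26, added here as an example and not part of the original post: instead of copying the whole query string, it forwards only a `mac` parameter that looks like a MAC address. The target URL is the placeholder from the post; the accepted MAC formats and the helper names are assumptions.

```javascript
// Added example, not from the thread. TARGET is the placeholder URL used in post 26.
var TARGET = 'https://page.mycompany.com/guest/GuestRegistration.php';

// Assumed formats: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff (one separator throughout)
// or aabbccddeeff.
var MAC_RE = /^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$|^[0-9a-f]{12}$/i;

function isValidMac(value) {
  return typeof value === 'string' && MAC_RE.test(value);
}

// Builds the link target for the next page. Only a well-formed mac value is
// copied from the current URL; every other parameter is dropped.
function buildForwardUrl(currentUrl, targetUrl) {
  var target = new URL(targetUrl);
  var params;
  try {
    params = new URL(currentUrl).searchParams;
  } catch (e) {
    return target.href; // current URL could not be parsed: forward nothing
  }
  // getAll() so that a repeated mac parameter is treated as ambiguous and dropped
  var values = params.getAll('mac');
  if (values.length === 1 && isValidMac(values[0])) {
    target.searchParams.set('mac', values[0]); // value is URL-encoded on output
  }
  return target.href;
}

// Browser wiring for: <a href="#" onclick="return redirectURL();">...</a>
function redirectURL() {
  window.location.assign(buildForwardUrl(window.location.href, TARGET));
  return false; // stop the browser from following href="#"
}
```
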

     



  • 27.  RE: Clearpass 6.4 php code support

    Posted Sep 24, 2020 08:21 PM

     

    Actually, there is a workaround. Just know that you are exposing your system to potential security risks by re-enabling the {php} feature. We suggest that you find another way to accomplish what you need.
    
     
    
    Within CP Guest, go to Administration > Plugin Manager. Click Configuration under Kernel Plugins > Kernel. For the item Template Scripting you will find three choices. These choices control the usage of {php} tags.
    
     
    
    Secure (the default, prevents usage of {php} tags)
    
    Insecure - Enable templating engine (allows use of {php} tags)
    
    Warn - Allow but log usage of restricted calls (self explanatory)

     

    It looks like this is no longer the case since at least version 6.8.6.

     

    I had an old php tag lingering and things broke after the upgrade due to use of the tag.

     

    Fortunately, I didn't need it anymore.