New Contributor

Clearpass guest in the DMZ

Hello all, we are setting up a new CPPM guest setup.  We have our cppm vm in our DMZ with a data port in a dmz subnet and our management port on the internal network subnet.  We currently have 2 7240 MCs with our guest SSID internally.  I have it working that when a user connects to our guest network it does bring them to the guest login page.  They put in their email and it gives them a password etc.  They login and it brings me to "Please wait while connected to the network".  After that the page times out and I have no radius requests at all in access tracker.  Any ideas as to why this is happening?  Thanks in advance for everyone's help.  

Super Contributor II

Re: Clearpass guest in the DMZ

Do you have a valid public or valid trusted certificate installed on the controller for the weblogin?


Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
New Contributor

Re: Clearpass guest in the DMZ

Hey Dustin,

I do have a valid public IP for the data port of my clearpass server and an external DNS record for it.  Thank you for your help!

Super Contributor II

Re: Clearpass guest in the DMZ

I was asking if you had a public certificate signed and issued to the Aruba controllers, and do you have it assigned for weblogins?

New Contributor

Re: Clearpass guest in the DMZ

My fault!  I do not have any type of public cert on the controller as of yet.  Is that something that needs to be done before it will work?

Super Contributor II

Re: Clearpass guest in the DMZ

If the device doesn't trust the certificate presented when the user submits the login information, you won't see the login hit ClearPass. You could test by manually trusting the certificate from the controller and see if it works. What kinds of devices are you testing with? Do all of them fail at login?

Aruba Employee

Re: Clearpass guest in the DMZ

Hi Kpomer1,

Yes, you need a trusted certificate for the controller to deploy it in a secure manner.

As shown below, the device will post back to the controller in Step 6.

[Image: ayman_mukaddam_1-1588612694741.png (captive portal login flow diagram)]

The address where it should post back is specified in the ClearPass Guest page. By default, it is securelogin.arubanetworks.com, and the controller already has an "untrusted" certificate for this. By default, we use HTTPS for the post back (Use Vendor Default).

[Image: ayman_mukaddam_0-1588612624851.png (ClearPass Guest post-back address setting)]

You will need to install a trusted certificate on the controller, and update your ClearPass guest page. You need to change the "securelogin.arubanetworks.com" to match the common name for the certificate that you installed on your controller. So if you have a certificate for guest.example.com, then set the same on Clearpass.

If you installed a wildcard certificate on your controller *.example.com, then set the captiveportal-login.example.com on ClearPass.
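To make the "common name must match the post-back address" rule concrete, here is a small checker, added as an illustration and not part of the thread or of any Aruba product. It models what a guest device verifies before it submits the login form: the chain must lead to a CA the device trusts, and the configured post-back hostname must be covered by the certificate's SAN DNS names (or CN), with a wildcard matching only one leftmost label. The certificate names and the `chain_trusted` flag are constructed inputs, not values read from a real controller.

```python
# Constructed inputs (assumptions): a certificate's subject CN / SAN DNS names,
# the post-back hostname configured in ClearPass Guest, and whether the chain is
# issued by a CA the guest device trusts.

def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: '*' may only replace the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, leave at least two fixed labels,
    # and the hostname must have the same number of labels (no multi-level match).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(hostname: str, cn: str, sans: list[str]) -> bool:
    """True if the post-back hostname is covered by the cert's SAN list (CN only if no SAN)."""
    names = sans if sans else [cn]  # browsers ignore the CN once a SAN extension is present
    return any(_label_match(name, hostname) for name in names)


def postback_check(postback_host: str, cert_cn: str, cert_sans: list[str],
                   chain_trusted: bool) -> list[str]:
    """Return the reasons a guest device would refuse the HTTPS post-back; empty means OK."""
    problems = []
    if not chain_trusted:
        problems.append("certificate chain is not issued by a CA the guest device trusts")
    if not cert_covers_hostname(postback_host, cert_cn, cert_sans):
        problems.append(f"post-back hostname {postback_host!r} does not match the certificate")
    return problems


if __name__ == "__main__":
    # Factory default: securelogin.arubanetworks.com with the controller's self-signed cert.
    print(postback_check("securelogin.arubanetworks.com",
                         "securelogin.arubanetworks.com", [], chain_trusted=False))
    # Wildcard cert installed, ClearPass post-back set to captiveportal-login.example.com.
    print(postback_check("captiveportal-login.example.com",
                         "*.example.com", ["*.example.com"], chain_trusted=True))
```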
New Contributor

Re: Clearpass guest in the DMZ

How would I manually trust the cert? Just an iPhone, Mac, PC and some laptops.

Super Contributor II

Re: Clearpass guest in the DMZ

Like ayman says above, you will want to get a public certificate signed by a trusted CA like Entrust. This way any guest coming into the wireless network can validate it against a trusted root. This is best practice, and a lot of device manufacturers are now implementing stricter security methods to protect users, Apple being one of them.
