
Translating the ClearPass name for guests without revealing the private network

  • 1.  Translating the ClearPass name for guests without revealing the private network

    Posted Jun 26, 2018 09:38 AM

    Hello

    Right now we are using ClearPass with a public certificate and, well, we got in the redirection page on the controller https://CN.domain.com

    It works great, but the problem is that if someone does CN.domain.com at his house he will get to know the private network of the ClearPass.

    We don't want that to happen.

    Suggestions are welcome; if you guys can give me different options, that would be great.

    Cheers

    Carlos



  • 2.  RE: Translating the ClearPass name for guests without revealing the private network

    EMPLOYEE
    Posted Jun 26, 2018 09:41 AM
    The controller's certificate has no relationship to ClearPass.

    Also, hiding a private IP address is not a security mechanism.


  • 3.  RE: Translating the ClearPass name for guests without revealing the private network

    Posted Jun 26, 2018 10:02 AM

    It's a requirement of the client; they don't want clearpass.yourdomain.com to translate to a private network with the public DNS...

    Is there a way to do this?

    Also, why is it not a security mechanism? I mean, if an attacker knows the private network, he also needs to attack one of the IPs of the servers inside that network. Just want to know your opinion about this.

    Cheers

    Carlos



  • 4.  RE: Translating the ClearPass name for guests without revealing the private network

    EMPLOYEE
    Posted Jun 26, 2018 10:05 AM
    Use views or the equivalent feature on your DNS server.
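
One way to apply the "views" suggestion above, as an added example that is not part of the original post: a BIND 9 split-horizon configuration in which only guest clients receive the private ClearPass address. The choice of BIND, the `guest-nets` range, the addresses and the file paths are all assumptions.

```conf
// named.conf fragment (BIND 9). All names, networks and file paths are
// constructed placeholders, not values from the thread.

acl "guest-nets" {
    10.20.0.0/16;          // assumed guest WLAN client range
};

// Views are evaluated in order and the first match wins, so the
// guest view must come before the catch-all external view.
view "guest" {
    match-clients { "guest-nets"; };
    recursion yes;         // guests still need to resolve Internet names
    allow-recursion { "guest-nets"; };

    zone "yourdomain.com" {
        type master;
        // Zone data contains:  clearpass  IN A  10.10.5.20   (assumed)
        file "/etc/bind/zones/db.yourdomain.com.guest";
    };
};

// Everyone else (the Internet): same zone name, different data.
view "external" {
    match-clients { any; };
    recursion no;          // authoritative-only for outside queries

    zone "yourdomain.com" {
        type master;
        // Zone data has no clearpass record, so the name does not
        // resolve from outside and no private address is published.
        file "/etc/bind/zones/db.yourdomain.com.external";
    };
};
```

Once any view is defined, every zone statement has to live inside a view. The guest DHCP scope must hand out this server as the resolver for the guest view to take effect.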


  • 5.  RE: Translating the ClearPass name for guests without revealing the private network

    Posted Jun 26, 2018 10:09 AM

    You mean instead of using the public DNS, using their private DNS for it?

    Not sure if they would like that idea; they don't want to use anything of their private network for it.

    I think I read once you saying to use a DNS proxy in a router. Does that work too?

    Can the controller not be used as a DNS proxy in any way?

    Cheers

    Carlos



  • 6.  RE: Translating the ClearPass name for guests without revealing the private network

    Posted Jun 26, 2018 08:59 PM

    Tim, a question.

    As far as I know, when you use the captive portal on the controller, it redirects the client to secure.arubanetworks.com, and somehow it changes the securelongin.arubanetworks.com or certificate CN to the controller's IP address; it hijacks it somehow.

    Is it possible to do that, but changing it to the ClearPass IP address, when you are redirecting to ClearPass with https://cn.yourdomain.com/guest/webloging.php?



  • 7.  RE: Translating the ClearPass name for guests without revealing the private network

    EMPLOYEE
    Posted Jun 26, 2018 09:01 PM
    The controller captive portal cert CN has nothing to do with the redirect destination.


  • 8.  RE: Translating the ClearPass name for guests without revealing the private network

    Posted Jun 26, 2018 09:20 PM

    I was telling you that because if I'm using the controller's captive portal and I do a ping, for example, to cn.mydomain.com, it translates to the controller's IP address.

    What I wanted is to do the same but with the ClearPass IP address.



  • 9.  RE: Translating the ClearPass name for guests without revealing the private network

    EMPLOYEE
    Posted Jun 26, 2018 09:30 PM
    Not really possible as you can't access ClearPass by IP address for guest workflows.