Another ClearPass post for you lovely, lovely readers.
Setting the scene
Imagine if you will that a customer has an “open” guest SSID and wanted to authenticate all guest accounts via a ClearPass captive portal using the same static guest user. They also didn’t want the guest to have to log back in for 12 hours following the initial captive portal authentication.
Sounds pretty simple right? Well, it is very simple but there’s a gotcha in there that you should be aware of. You’ll have to read my ramblings or skip to near the end to find out.
To achieve what the customer wanted I did the following:
- Created a guest user with no expiry
- Created a guest user auth with MAC caching service with corresponding enforcement
- Created a guest user MAC auth service with corresponding enforcement
- Created a guest login page
- Configured the SSID, AAA & roles on the controller
I used the wizard to create the services (I’ll probably get some stick for that). So, you can use the ClearPass service wizard to create a service to authenticate guests and cache their MAC address.
When you do this it’ll create quite a few enforcement policies that you probably don’t need so remember to delete them or remove them from your enforcement profiles.
The wizard creates an enforcement profile which sets the MAC auth expiry time to 1 day. That means after a guest logs into the captive portal, they can disconnect and reconnect to the guest SSID and gain network access without logging back into the captive portal for 24 hours.
ClearPass does this by keeping a record of the device that the guest user logged in from in the endpoint repository. Along with the endpoint device, ClearPass writes an attribute called “MAC-Auth Expiry” and populates it with a value which is 24 hours from the date the guest user authenticated. Note the format of the date and time in the image of the endpoint attributes below.
OK, so all we need to do now is change the expiry to 12 hours.
Custom Time Config
ClearPass has a time source SQL database. By default the following time attributes are available.
- current time
- 2 hours time
- 1 days time
- 1 weeks time
- 1 months time
- 6 months time
I just used the “2 hours time” attribute as a template and created a “12 hours time” attribute as in the image below.
Next I updated my enforcement profile which sets the MAC-Auth Expiry to reference this new time attribute.
Awesome! Whoa there cowboy. Don’t celebrate prematurely. After making this change guests could MAC auth after authenticating via the captive portal days after the initial auth. Clearly the MAC Auth Expiry wasn’t working.
There were no errors anywhere. The times on all network devices were synced from the same NTP servers and were definitely not out of sync.
I double checked my custom time attribute and noticed that there were duplicates of the same time values but with different names. Probably should have noticed that when I was adding my custom attribute.
A little more digging around and I discovered one time format was in EPOCH and the other in Date/Time. Now we’re getting somewhere. The 12 Hours custom time attribute I created was in integer EPOCH time format.
My Guest MAC Auth service was checking the current time (Now DT) in date/time format to see if it was less than the endpoint device MAC-Auth Expiry which I’d specified in EPOCH format… and current time was always coming out less.
I checked the time source and noticed 2 current time attributes:
- Now
- Now DT
Now is in EPOCH format and Now DT in date/time format.
I changed my Guest MAC Auth service role mapping policy from referencing Now DT to Now.
Now we’ve got both the time source and the MAC-Auth Expiry in EPOCH format and testing showed that the solution now worked.
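The format mismatch above is easy to reproduce outside ClearPass. The following is an added example (not ClearPass code or the post’s own configuration) that normalises a MAC-Auth Expiry value to epoch before comparing it with the current time, so a date/time string and an epoch integer can never be compared directly; the date/time string layout is an assumption, as the post only shows it in an image.

```python
"""Added illustration: normalise both sides of the MAC-Auth Expiry check.

ClearPass holds the current time either as an integer epoch ("Now") or a
date/time string ("Now DT"), and the endpoint's MAC-Auth Expiry attribute
takes whichever form the enforcement profile wrote. Comparing mixed forms
is what made the 12 hour expiry in the post silently pass, so here every
value is converted to epoch first and an unknown format raises."""
from datetime import datetime, timedelta, timezone

# Assumed layout of the date/time style attribute (not quoted in the post).
DT_FORMAT = "%Y-%m-%d %H:%M:%S"


def to_epoch(value):
    """Return an int epoch for an epoch int, an epoch string or a DT string.

    Raises ValueError for anything else so a mismatch fails loudly instead of
    being coerced into an always-true or always-false comparison."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    dt = datetime.strptime(text, DT_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def expiry_after(auth_time_epoch, hours):
    """Epoch equivalent of the custom 'N hours time' attribute in the post."""
    return auth_time_epoch + int(timedelta(hours=hours).total_seconds())


def mac_auth_allowed(endpoint_attrs, now):
    """True only while Now < MAC-Auth Expiry, whatever format each is stored in."""
    expiry = endpoint_attrs.get("MAC-Auth Expiry")
    if expiry is None:
        return False  # device never completed captive portal authentication
    return to_epoch(now) < to_epoch(expiry)
```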
Happy to hear if there are other ways to implement this.
FYI I know that using a static guest account isn’t ideal but this was a customer requirement.
ClearPass – TACACS+ Audit logs
So you’ve got ClearPass and have wisely decided to utilise it to secure and monitor your switching infrastructure. You’ve set up TACACS+ on the switches and configured a service on ClearPass (possibly following the awesome guide on the Aruba Solution Exchange). If you’re having problems setting it up, head over to the Airheads community and you’ll get some great help over there.
Just a second, if you’re not aware of the Aruba Solution Exchange (ASE) you should really check it out. In fact go there now. Come back when you’ve had a good browse of what’s on offer. Ok, back now?
Right, back on track. TACACS authentication and accounting is now setup and working. You should see the authentication requests in the access tracker and when clicking on the Authorizations tab you’ll see the commands as in the image below:
Now, if you select the accounting record that is associated with these requests and go to the Details tab you’ll see the commands again but with a few more details including the privilege level. See below:
If you have your own syslog server and you want (or need) to export these audit trail details you need to head down to the “Syslog Export Filters” under Administration / External Servers. You can manually setup some filters using the pre-defined options and dropdown lists or create custom SQL queries to decide what gets sent to your syslog server.
I couldn’t find exactly what I needed from the pre-defined options.
I wanted to export the following:
- Device changes are being made on
- User making the changes
- Commands being run
- Where the user logged in from
I could see the details I wanted to export but they were in a couple of different tables. It turns out it’s fairly trivial to generate a query which joins a couple of tables.
Here’s the resulting SQL query:
SELECT tips_tacacs_accounting_records.nas_ip,
       tips_tacacs_accounting_records.user_name,
       tips_tacacs_accounting_records.remote_address,
       tips_tacacs_accounting_details.attr_value,
       tips_tacacs_accounting_details.timestamp
FROM tips_tacacs_accounting_details
JOIN tips_tacacs_accounting_records
  ON tips_tacacs_accounting_details.session_id = tips_tacacs_accounting_records.id
WHERE ((tips_tacacs_accounting_details.timestamp >= --START-TIME--)
  AND (tips_tacacs_accounting_details.timestamp <= --END-TIME--))
  AND (tips_tacacs_accounting_details.attr_name = 'cmd');
I’m by no means a DBA and only provide the information in this blog as a reference. I accept no responsibility if you decide to copy anything off this blog and use it in any way. Also I wouldn’t be surprised if there were a more elegant way to achieve this so please post in the comments if you know one.
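To see what the join above actually yields, here is an added example (not ClearPass code) that runs the same query over a small in-memory SQLite copy of the two tables with constructed accounting rows. Table and column names follow the post’s query; the start/end placeholders become bound parameters, and the sample data includes a non-`cmd` attribute and an out-of-window row to show both filters doing their job.

```python
"""Added illustration: the TACACS+ audit export join over constructed data.

Two admins are logged in to the same switch at the same time; the join
attributes every command to the user and source address of its session,
which is the detail the post wants in the syslog export."""
import sqlite3

SCHEMA = """
CREATE TABLE tips_tacacs_accounting_records (
    id INTEGER PRIMARY KEY, nas_ip TEXT, user_name TEXT, remote_address TEXT);
CREATE TABLE tips_tacacs_accounting_details (
    session_id INTEGER, attr_name TEXT, attr_value TEXT, timestamp INTEGER);
"""

# Constructed sample rows (attribute names other than 'cmd' are assumed).
RECORDS = [(1, "10.0.0.1", "alice", "192.0.2.10"),
           (2, "10.0.0.1", "bob", "192.0.2.20")]
DETAILS = [(1, "cmd", "configure terminal", 100),
           (1, "priv-lvl", "15", 100),           # not a command, filtered out
           (2, "cmd", "show running-config", 110),
           (1, "cmd", "vlan 99", 120),
           (2, "cmd", "interface 1", 300)]       # outside the export window

# Same join as the post's query, with the time placeholders as parameters.
AUDIT_QUERY = """
SELECT r.nas_ip, r.user_name, r.remote_address, d.attr_value, d.timestamp
FROM tips_tacacs_accounting_details d
JOIN tips_tacacs_accounting_records r ON d.session_id = r.id
WHERE d.timestamp >= ? AND d.timestamp <= ? AND d.attr_name = 'cmd'
ORDER BY d.timestamp
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tips_tacacs_accounting_records VALUES (?,?,?,?)", RECORDS)
    conn.executemany("INSERT INTO tips_tacacs_accounting_details VALUES (?,?,?,?)", DETAILS)
    return conn


def commands_between(conn, start, end):
    """Rows of (nas_ip, user_name, remote_address, command, timestamp)."""
    return conn.execute(AUDIT_QUERY, (start, end)).fetchall()


def audit_lines(conn, start, end):
    """One syslog-style line per command, each attributed to a user."""
    return [f"{ts} {nas} user={user} from={src} cmd={cmd!r}"
            for nas, user, src, cmd, ts in commands_between(conn, start, end)]
```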
Using RADIUS to secure your switches
Maybe you’re thinking of securing your switches with RADIUS? Whilst you can certainly authenticate admin users using RADIUS you cannot “log the commands used. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way of telling which administrator entered which commands.”. Plus TACACS+ has been designed for this purpose, RADIUS however has not. More TACACS+ reading.
I’ve been to lots of Aruba Networks events but never HP/HPE. I was pretty impressed by the size of the event.. over 16000 attendees! But when an event is that huge you can’t really see everything, well I couldn’t anyway, it’s just too big. I know you can pick and choose the bits you’re most interested in (wireless I assume?) but I like to soak up as much info as I can and see what’s new in all areas.
It was good to see the Aruba Networks presence there. It wasn’t a huge presence in terms of floor space but they (Dominic Orr) featured in the keynote speeches which surprisingly a large number of people walked out on. Dom did stumble a little in his delivery, which is uncommon for him, so I guess this is why?? Anyone who walked out reading this, please comment why! Maybe it was when HPE tried to give away American Football tickets and were met with.. *tumbleweed*
In terms of technology, presentations etc. I found it really interesting hearing from the HPE Labs team. They’re working on “The Machine” which discards the traditional computer architecture model in favour of a model where memory and storage are one and the same things (amongst other things). The benefits according to the Labs team are “quantum leap in performance and efficiency, while lowering costs over the long term and improving security”.
It was good to see Aruba release their Aruba Beacons management product Aruba Sensor. I would imagine it was a bit of a nightmare managing Beacons without this… The Sensor will manage 10 or so Beacons and piggy back on your existing wireless. It should be noted that your existing wireless needn’t be from Aruba.
Here’s a Sensor in the wild at the event.
To sum things up I really enjoyed my time at the event. It was great to see the direction that the company is heading and their new products. I hope Aruba features more heavily at the next event.
I feel I must add… In the interest of full disclosure, HPE invited me to go to this event as an Independent Industry Influencer and paid for travel, accommodation and a few little treats but this hasn’t influenced my opinions.
I was disappointed that Aruba Networks Atmosphere 2015 EMEA was cancelled so was glad when I got the opportunity to go to HP Enterprise – Discover London!
It’s running for 3 days, 1st – 3rd December, and as you’d expect the seminars and speakers are covering a huge range of technologies.
I’m most interested in hearing from the wireless speakers but will definitely be checking out as much as possible!
Are you going? What’s your must see seminar?
So you’ve got Clearpass Guest and you want to allow any guest users to connect and register for an account. To stop anyone from accessing the guest network you enable the “Require sponsor confirmation prior to enabling the account” setting. Then perhaps it would be nice to allow the sponsor to be able to extend guest account expiry time when they enable the account…
This is what I was thinking any way.
So I enabled it on my guest registration page:
Excellent! Or so I thought.
It transpires that when you enable sponsor confirmation and enter something into the “Extend Expiration” section any new guest accounts will be automatically enabled!
I had a quick word with Aruba TAC who informed me that this was not a bug and was in fact by design. Hmm. Strange design.
I really wanted this to work the way I assumed it should, so spent a little bit of time playing around with the form settings on the guest registration page.
I modified the “enabled” field as follows:
Set it to enabled, ensure the user interface option is Drop-down list, modify the description if necessary and remove the “1 | Enable visitor account” from the Options.
There we are. You’ll now get the expected behaviour.
Here’s what the Visitor registration page looks like after making this change.
Your guest enters their details, clicks register and gets directed to the Visitor receipt page:
Your sponsor will receive the following email:
“Click here” takes you to this page where you can authorize the guest and extend the expiry time if desired.
Your Visitor receipt page will now update to allow the new guest to login…
Note: I hard coded my sponsor email address as we always wanted it to go to the same distribution list.
The purpose of this post is to help you understand what to do when certain basic “wireless issues” arise.
This is by no means a comprehensive list and you may have to tailor some things to your site.
This is basic 1st line support so I won’t be delving into the command line goodness.
If one access point is down:
Make a note of what lights on the Access Point are on/flashing/off and what colour they are.
- If the AP is off, check the cabling to the PoE switch.
- If the Power light is red, power cycle the AP by unplugging the network cable from it.
- If it reboots and is still red this may be a faulty AP. See how to reset an AP below.
- If the 11A/N and/or 11B/G/N lights are flashing green, it’s likely that the AP has not been provisioned. See how to provision an AP below.
- If the 11A/N and/or 11B/G/N lights are steady green, the AP is functioning correctly.
- If the 11A/N and/or 11B/G/N lights are off, the AP cannot see its controller. See AP to controller connectivity below.
- Power cycle the access point that has the issue.
If all access points are down:
If the customer has Instant APs, this is likely a wired issue.
- Check that the customer’s switches are all powered on
If the customer has a controller:
- Check that the controller is accessible via its web console
- Check that the controller is powered on
- Check that the customer’s switches are all powered on
- Check the cabling between the controller and the rest of the network is good:
  - Unplug/plug back in
  - Swap cables
How to reset an AP
NOTE: to reset an AP you will need physical access to it.
Instant (controller less) APs
- Find a paperclip!
- Turn off the AP by unplugging the network cable from the Ethernet port on the back of the AP
- Hold the reset button down with the paperclip (keep it held down!)
- Plug the network cable back in
- Wait 10 seconds
- Release the reset button
- That’s it. The AP will boot and find the master AP and get its config from there.
The image below shows the back of an AP 105
Thin AP (with controller)
- Connect the serial console breakout adapter cable to the AP Ethernet port and your PC/laptop
- Use the default serial settings
- Power on the AP and get into apboot mode. You’ll see the option to go into AP boot mode when the AP is booting. You will have to press Enter within a 1-2 second window so pay attention to console messages during bootup.
- From the apboot prompt, enter the following commands:
apboot> print (to check that the settings were really purged! There should be no identifying IP addresses)
AP to controller connectivity
An AP will use 4 different methods to connect to a controller:
- AP Boot command (we don’t tend to do this)
- DHCP option 43 (a DHCP option which contains the IP address of the controller can be configured)
- ADP multicast & broadcast (If APs are on the same layer 2 subnet as the controller they can use this method)
- DNS aruba-master (Create a DNS A record for aruba-master and the APs will use this to find the controller if other methods fail)
So if an AP is failing to connect to the controller it’s a good idea to pull the network cable out of the back of the AP and patch it into your laptop. Run ipconfig and check that you’ve got an IP address in the expected range. If you don’t get an IP address for the correct range or you get an APIPA address then you’ll need to start looking at the wired network.
Also it’s very important that the DHCP DNS Domain is configured correctly. The AP will try to connect to aruba-master.<DHCP DNS Domain>
Because of this you must ensure that the DNS Domain given out by DHCP matches one of the customer’s DNS zones and that the zone includes a DNS A record for aruba-master that resolves to the IP address of the controller.
How to provision an AP
This is only applicable to thin APs (with a controller). Instant APs will self-provision.
- Login to the controller
- Go to Configuration > AP Installation
The AP that needs provisioning will likely have a U Flag. See below for details of an example of APs with different Flags.
I’ve removed some identifying information from the image, hence the whitespace..
- Select the AP using the tick box on the left and click Provision
- Select the appropriate AP group from the dropdown list (If not self-explanatory, ask someone who knows!)
- Give the AP a name (copy the standard of the other APs.)
- Click Apply and Reboot.
- Wait a couple of minutes and you should see the AP re-appear in the AP Installation page with the new name you set.