ClearPass & MobileIron – Error: not well-formed (invalid token)

This post isn’t going to describe what HPE Aruba ClearPass or MobileIron is. And neither will it describe the configuration steps necessary to add MobileIron to ClearPass, but I will give a short summary:

  1. Add the MobileIron VSP to ClearPass as Endpoint Context Server (CPPM – Administration – External Servers);
  2. The account on MobileIron needs API rights to enable ClearPass to retrieve information from MobileIron;

This post tells a bit more about an error message I suddenly started to receive in the CPPM Event Viewer.

CPPM - MDM - invalid token

Error: not well-formed (invalid token)

I checked the internet, but I couldn’t find any useful information. I opened a TAC case to look into this error. The TAC engineer told me he had seen this error before, where MobileIron sends invalid token characters to ClearPass. He told me that CPPM does batch processing of the devices and the entire batch fails when CPPM doesn’t understand special characters. He also told me how to see which device is causing the problem.

You have to collect the CPPM logs (CPPM – Administration – Server Manager – Server Configuration – Collect Logs). After you untar the tar.gz file, you should look at the directory “strange string”\PolicyManagerLogs\mdm\MI\mdm-server and you should open the file 0.xml.bak.

Scroll down to the line mentioned in the error message and you will see something like below. I always use Notepad++ to open the file.

CPPM MDM - XML Error

CPPM doesn’t understand these special characters in the key. When you start scrolling up, you can determine which device in MobileIron triggers the error message in CPPM.
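A way to locate the offending characters without scrolling through the file by hand, as an added example that is not from the post or from Aruba: it checks every character of the exported XML against the XML 1.0 Char production that expat (the parser behind the "not well-formed (invalid token)" message) enforces, and reports line and column. The sample document and its element names are constructed and do not reflect the real MobileIron export layout.

```python
import re
import sys
import xml.parsers.expat

# XML 1.0 "Char" production; expat rejects anything outside it with
# "not well-formed (invalid token)", which fails the whole batch.
_XML_CHAR = re.compile(r"[\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

def find_invalid_xml_chars(text):
    """Return (line, column, codepoint) for every character expat would reject.

    Lines are split on LF only: str.splitlines() would swallow control
    characters such as 0x0B, 0x0C and 0x1C..0x1E as line breaks.
    """
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if not _XML_CHAR.match(ch):
                hits.append((lineno, col, ord(ch)))
    return hits

def expat_error(data):
    """Return expat's own error message for the raw bytes, or None if they parse."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(data, True)
        return None
    except xml.parsers.expat.ExpatError as exc:
        return str(exc)

# Constructed sample (not the real MobileIron export layout): the second
# device's model string carries a NUL and a 0x1A control character.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    "<devices>\n"
    "  <device><uuid>dev-0001</uuid><model>iPhone</model></device>\n"
    "  <device><uuid>dev-0002</uuid><model>iP\x00hone\x1a</model></device>\n"
    "</devices>\n"
)

if __name__ == "__main__":
    # usage: python find_bad_chars.py 0.xml.bak  (falls back to SAMPLE)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE.encode("utf-8")
    # surrogateescape keeps undecodable bytes visible as U+DC80..U+DCFF,
    # which fall outside the Char class and are therefore reported as well
    text = raw.decode("utf-8", "surrogateescape")
    print("expat:", expat_error(raw))
    for lineno, col, cp in find_invalid_xml_chars(text):
        print(f"line {lineno} col {col}: U+{cp:04X}")
```

Once the line is known, scroll up from it in 0.xml.bak to the device record it belongs to, as the post describes.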

After I found the device in MobileIron I checked every setting on the device to find the special character, but I couldn’t find one. In the end there was only one solution for me: retire the device. This basically means removing the device from MobileIron, and the user needs to reprovision the device in MobileIron. The sync between CPPM and MobileIron was successful again after I retired the device.

Tip of the week: I guess you aren’t always looking at the Event Viewer for errors, so maybe it is useful to configure ClearPass Insight to send a notification if a System Error Event occurs!!!

FortiMail – Howto configure DLP

The previous post showed the steps necessary to enable DLP. This post describes the workflow to configure DLP. I needed DLP to relay outbound messages to a specific mail relay based on header information.

First I create a DLP rule to define the matching conditions. I match specific header information, which is added to a message by the internal MS Exchange server.

DLP Rule

You can match multiple conditions, like subject, recipient, sender, body or attachments and you can also use regular expressions. This makes it very powerful to match specific or multiple characteristics from a message. You can also add exceptions to the DLP rule.

The next step involves creating a DLP Profile. The DLP profile sets the action to take when the DLP rule is matched. You need to specify a default action, and you can override it by defining specific actions for specific DLP rules. I create an action to deliver mail to an alternate host. The action can be configured from the DLP profile pane, or you can configure the action under the Content Profile Actions. I needed to configure an outbound action, which needs to be created under the Content Profile Action.

Relay Action

I use the above action as default in the DLP Profile and set my scan rule to use the default action.

DLP Profile

The DLP profile can be assigned to an IP Policy or Recipient Policy. I need to relay messages in the outbound direction, so I create an Outbound Recipient Policy and assign the DLP profile.

FML DLP Recipient Policy

FortiMail – Howto enable DLP

FortiMail has the option to use Data Loss Prevention as an enhanced security mechanism. This feature was introduced in firmware 5.3, according to the release notes. By default the DLP option is not visible in the GUI.

FortiMail - No DLP

DLP can be enabled via the CLI, but it is a well-hidden feature. The option can be enabled from the “system global” configuration. When you do a “get” or “set ?” from the “system global” menu, you don’t see the option, but you are able to type it manually.

mail # config system global

mail (global) # set data-loss-prevention enable

mail (global) # end

This enables DLP and adds a new configuration menu to the GUI.

FortiMail - DLP enabled

SMTP Auth testing via CLI

Just a quick note to describe the procedure for SMTP auth testing via the command line. First you need to encode the username and password in Base64. This can be done in several ways. The easiest way would be via https://www.base64encode.org/.

Next you can use the following commands via telnet to test SMTP AUTH. I always use OpenSSL to connect to the mail server. OpenSSL gives you the option to connect to the mail server using STARTTLS.

1) Connect to the mail server

openssl s_client -starttls smtp -crlf -connect smtp.office365.com:25

2) Send the EHLO command to see which items the server supports

EHLO ME
250-VI1PR0101CA0034.outlook.office365.com Hello [93.95.250.230]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

3) Start SMTP AUTH

AUTH LOGIN
334 VXNlcm5hbWU6

4) The 334 reply tells you to enter the Base64 username. When the correct username is entered, the server responds with “334 UGFzc3dvcmQ6”.
5) Enter the Base64 password. The server responds with a successful or unsuccessful message.

235 2.7.0 Authentication successful target host VI1PR06MB1198.eurprd06.prod.outlook.com

6) Now enter the default commands to send a mail.

MAIL FROM:<from@domain.com>
RCPT TO:<rcpt-to@domain.com>
DATA
SUBJECT: this is the subject

This is the body of the message
.
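The AUTH LOGIN dialogue from steps 3 to 5, as an added example that is not part of the original post: it decodes the server's 334 challenges (VXNlcm5hbWU6 is "Username:", UGFzc3dvcmQ6 is "Password:"), encodes the credentials in Base64, and checks for the 235 reply. The server side is a constructed stand-in so the exchange runs offline; against a real server the two callables would wrap a transport such as smtplib.SMTP.docmd.

```python
import base64

def b64(text):
    """Base64-encode a credential or prompt the way AUTH LOGIN carries it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def decode_challenge(reply):
    """Turn a '334 <base64>' server line into its clear-text prompt."""
    code, _, payload = reply.strip().partition(" ")
    if code != "334":
        raise ValueError(f"expected a 334 challenge, got: {reply!r}")
    return base64.b64decode(payload).decode("utf-8")

def auth_login(send, recv, username, password):
    """Run AUTH LOGIN over a line transport; return (ok, final_reply)."""
    send("AUTH LOGIN")
    for expected, value in (("Username:", username), ("Password:", password)):
        prompt = decode_challenge(recv())
        if prompt.rstrip().lower() != expected.lower():
            raise ValueError(f"unexpected prompt {prompt!r}")
        send(b64(value))              # credentials go out Base64-encoded, not encrypted
    final = recv()
    return final.startswith("235"), final

# Constructed stand-in for the server side of the dialogue shown above.
def fake_server(valid_user, valid_pass):
    outbox, state = [], {"step": 0, "user": None}
    def send(line):
        step = state["step"]
        if step == 0 and line == "AUTH LOGIN":
            outbox.append("334 " + b64("Username:"))   # 334 VXNlcm5hbWU6
        elif step == 1:
            state["user"] = base64.b64decode(line).decode("utf-8")
            outbox.append("334 " + b64("Password:"))   # 334 UGFzc3dvcmQ6
        elif step == 2:
            ok = (state["user"] == valid_user
                  and base64.b64decode(line).decode("utf-8") == valid_pass)
            outbox.append("235 2.7.0 Authentication successful" if ok
                          else "535 5.7.3 Authentication unsuccessful")
        state["step"] += 1
    def recv():
        return outbox.pop(0)
    return send, recv

if __name__ == "__main__":
    send, recv = fake_server("user@domain.com", "s3cret")   # constructed credentials
    print(auth_login(send, recv, "user@domain.com", "s3cret"))
```

Because Base64 is an encoding and not encryption, this dialogue only belongs inside the STARTTLS session opened in step 1.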

ArubaOS 6.5.0.0

The Early Deployment release software from ArubaOS 6.5.0.0 has been released. I looked into the release notes and found some interesting new features.

  • Cellular Handoff Assist is Configurable Per Virtual AP: The cellular handoff assist feature can help a dual-mode, 3G/4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G/4G radio that provides better network access. This setting can now be applied to individual virtual APs via the WLAN virtual-ap profile.
  • Plug and Play 4G USB Modem: ArubaOS 6.5.0.0 supports the USB modem Plug and Play. The controller auto-configures the 4G USB modem as soon as the user plugs in the modem into an AP or a RAP.
  • Support for Secondary AP Master: Starting from ArubaOS 6.5.0.0, seamless connectivity is provided even when the master controller fails, by allowing an access point to terminate on a secondary master controller.
  • Customizing Authentication Reply-Message to Captive Portal Users: ArubaOS 6.5.0.0 introduces the support for customizing authentication Reply-Message to captive portal users in the log-in page for better user experience. The purpose behind the Reply-Message is to return appropriate information to the captive portal system.
  • Multi-Version Licensing: ArubaOS 6.5.0.0 supports multi-version licensing, which allows centralized licensing clients to run a different version of the license than that of the primary and backup licensing servers. If a license is introduced in a newer version of ArubaOS, the primary and backup licensing servers set can still distribute licenses to licensing clients running an older version of ArubaOS, even if the licensing client does not recognize the newer license type.
  • Subscription-Based Web Content Classification License: ArubaOS 6.5.0.0 introduces support for the Web Content Classification (WebCC) license; a subscription-based, per-AP license that supports web content classification features on an AP for the duration of the subscription period (up to 10 years per license).
  • NTP Standalone: NTP standalone feature enables an Aruba controller to act as an NTP server so that the devices that do not have access to Internet can synchronize their clocks. Enabling this feature eliminates the need to provision and maintain another virtual machine on the network.
  • Geo-Location Filtering: Starting from ArubaOS 6.5.0.0, to support IP-classification-based firewall, an IP reputation database containing a list of IP addresses with malicious activities is introduced. This helps in rejecting the traffic sent to or received from those IP addresses classified as malicious based on the policy configured. Using the geolocation IP database, the geographical location of the malicious IP address is also determined, and traffic is permitted or denied after scanning the geography-based rules configured by the administrator.
  • Wi-Fi Calling: ArubaOS 6.5.0.0 supports Wi-Fi Calling in the controller. Wi-Fi calling service allows cellular users to make or receive calls using a Wi-Fi network instead of using the carrier’s cellular network.
  • Blocked Session: Starting from ArubaOS 6.5.0.0, a new tab called Blocked Sessions is added in the Traffic Analysis page. The Blocked Sessions tab displays WebCC and AppRF sessions which are blocked by an access control list (ACL), either through system logging or on the WebUI interface.

The release notes can be downloaded here.