Export StartTLS certificate from SMTP server

While configuring Office365 as the messaging (SMTP) server within Aruba ClearPass, I needed to upload the certificate from the StartTLS session to the certificate trust list from ClearPass. I had to export the certificate for smtp.office365.com via the following OpenSSL command:

openssl s_client -showcerts -starttls smtp -crlf -connect smtp.office365.com:587

After running the command, you will see some output like shown in the image.

openssl starttls

I copied the both parts between BEGIN CERTIFICATE and END CERTIFICATE to two different text editore files and saved them with the extension .cer. Next I was able to upload both certificates to the certificate trust list in ClearPass and configure the message server with StartTLS Connection Security

Provision Aruba AP via CLI

Below you will find the necessary commands to provision an Aruba access-point via CLI. The commands add the access-point to the AP whitelist and provision the AP in the correct ap-group. Adding the AP to the whitelist is necessary when using control-plane security.

whitelist-db cpsec add mac-address “94:b4:0f:c4:7e:98” description “ap01”
whitelist-db cpsec modify mac-address “94:b4:0f:c4:7e:98” cert-type factory-cert state certified-factory-cert
clear provisioning-ap-list
provision-ap read-bootinfo ap-name “94:b4:0f:c4:7e:98”
provision-ap copy-provisioning-params ap-name “94:b4:0f:c4:7e:98”
provision-ap installation indoor
provision-ap no external-antenna
provision-ap server-name “aruba-master”
provision-ap ap-group “corp-01”
provision-ap ap-name “ap01”
provision-ap no syslocation
provision-ap no remote-ap
provision-ap reprovision ap-name “94:b4:0f:c4:7e:98”
clear provisioning-ap-list
clear provisioning-params

Aruba MAS – Tunneled node

Today I played a bit with an Aruba Mobility Access Switch with Tunneled Node configuration to a Aruba Mobility Controller. More information on Tunneled Node can be found here.

The configuration is straight forward. You need to configured a tunneled-node profile on the MAS and associate the access ports on the MAS to a VLAN, which is also present on the controller. I already have a controller in place and I would like to use some access ports for guest users with captive portal capabilities. I already setup a SSID with captive portal capabilities, so I use the same AAA profile on the controller for the tunneled-node clients.

I created the following configuration on the Aruba MAS.

controller-ip vlan 75
interface-profile tunneled-node-profile “tunnel-prof”
mtu 1300
interface-profile switching-profile “vl150-prof”
access-vlan 150
interface-group gigabitethernet “vl150-group”
apply-to 0/0/1-0/0/22
tunneled-node-profile “tunnel-prof”
switching-profile “vl150-prof”

The IP-profile defines the controller-ip of the MAS and the default-gateway configuration to access the Aruba controller ( A switching profile is configured with access vlan 150 and the tunneled-node and switching-profile are bound to switch ports 0/0/1 to 0/0/22.

On the controller you only need to enable wired access and assign the AAA profile, which you also use for the guest SSID.

aaa authentication wired
profile “guest-aaa_prof”

A guest devices gets an IP address assigned from VLAN 150, located behind the corporate Aruba Mobility Controller when I connect a device to switch port 0/0/1. The guest-aaa_prof is assigned to the device/user. This redirects the user to the captive portal to enter login credentials. You can also configure user derivation to assign different VLANs to the connected devices behind the Aruba MAS.

ProCurve – Secure Management

Managing networking components is possible via a web interface or via a command-line interface. It doesn’t matter which method you prefer, but it does matter that the connection should be secure. If you use telnet (cli) or http (web interface) the management traffic is send clear-text across the network.

I still notice that a lot of people use insecure communiction methods. It is preferred to use ssh (cli) or https (web interface) to manage your components. The commands below can be used with HP ProCurve components to enable ssh and https and disable telnet and http management protocols.(The key size depends on the type of component and firmware version used)


switch01(config)# crypto key generate ssh rsa bits 2048
switch01(config)# ip ssh
switch01(config)# no telnet-server

Web Interface

switch01(config)# crypto key generate cert rsa <1024|2048>
switch01(config)# crypto host-cert generate self-signed
Validity start date [02/16/2015]:
Validity end date   [02/16/2016]: 09/23/2320
Common name          []: switch01.booches.local
Organizational unit  [Dept Name]: ICT
Organization      [Company Name]: Booches
City or location          [City]: Bocholtz
State name               [State]: Limburg
Country code                [US]: NL
switch01(config)# web-management ssl
switch01(config)# no web-management plaintext

Next to using secure protocols, it is preferred to create unique credentials for every administrator. One way to create unique credentials is by configuring RADIUS / TACACS authentication. A common way is you configure RADIUS between the switch and the Active Directory. The following commands can be used to configure RADIUS on HP ProCurve switches.

switch01(config)# radius-server host key <shared key>
switch01(config)# radius-server host key <shared key>
switch01(config)# aaa authentication web login radius local
switch01(config)# aaa authentication web enable radius local
switch01(config)# aaa authentication ssh login radius local
switch01(config)# aaa authentication ssh enable radius local
switch01(config)# aaa authentication login privilege-mode

FortiGate – debug flow

You can use the diagnose debug flow commands to do a policy simulation. An example of the output:

fw01 (root) # diagnose debug enable

fw01 (root) # diagnose debug flow show console enable
show trace messages on console

fw01 (root) # diagnose debug flow filter addr

fw01 (root) # diagnose debug flow trace start 5

You can stop the trace with the following commands:

fw01 (root) # diagnose debug flow trace stop

fw01 (root) # diagnose debug flow show console disable
do not show trace messages on console

fw01 (root) # diagnose debug disable