SMTP Auth testing via CLI

Just a quick note to describe the procedure for SMTP AUTH testing from the command line. First you need to encode the username and password in Base64. This can be done in several ways, for example with the base64 tool that ships with Linux and macOS. A website such as https://www.base64encode.org/ also works, but keep in mind that you are then pasting a real credential into a third-party site, so encoding locally is the better choice.

Next you can use the following commands to test SMTP AUTH. I always use OpenSSL instead of plain telnet to connect to the mail server, because OpenSSL gives you the option to upgrade the session with STARTTLS, so the (Base64-encoded, not encrypted) credentials are not sent in clear text.

1) Connect to the mail server (port 25 is used here; the submission port 587 works the same way)

openssl s_client -starttls smtp -crlf -connect smtp.office365.com:25

2) Send the EHLO command to see which items the server supports

EHLO ME
250-VI1PR0101CA0034.outlook.office365.com Hello [93.95.250.230]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

3) Start SMTP AUTH

AUTH LOGIN
334 VXNlcm5hbWU6

4) The 334 reply asks for the Base64 username (VXNlcm5hbWU6 decodes to "Username:"). When the username is accepted, the server responds with "334 UGFzc3dvcmQ6" ("Password:").
5) Enter the Base64 password. The server responds with a success (235) or failure (535) message.

235 2.7.0 Authentication successful target host VI1PR06MB1198.eurprd06.prod.outlook.com

6) Now enter the regular commands to send a mail. The DATA section is terminated by a line containing only a single dot.

MAIL FROM:<from@domain.com>
RCPT TO:<rcpt-to@domain.com>
DATA
Subject: this is the subject

This is the body of the message
.
QUIT
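The same exchange scripted in Python, as an added example that is not part of the original post: it encodes the credentials locally, reads multi-line EHLO replies correctly, refuses to send AUTH unless STARTTLS was negotiated and AUTH LOGIN is advertised, and checks the 334 challenge before answering it. The host name test.example, the scripted_transport helper and the embedded server transcript are constructed for this example; the replies in the transcript are the ones shown above.

```python
import base64
import io
import socket
import ssl

CRLF = b"\r\n"


def b64(text: str) -> str:
    """Base64-encode a credential locally instead of pasting it into a website."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def read_reply(rfile):
    """Read one SMTP reply; '250-' lines continue it, '250 ' (space) ends it.

    Returns (code, [text of each line without the three-digit code]).
    """
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def send_cmd(rfile, wfile, cmd: str):
    """Send one command line and return the server's reply."""
    wfile.write(cmd.encode("utf-8") + CRLF)
    wfile.flush()
    return read_reply(rfile)


def auth_mechanisms(ehlo_lines):
    """Mechanisms advertised in the EHLO reply, e.g. {'LOGIN'} for '250-AUTH LOGIN'."""
    mechs = set()
    for line in ehlo_lines:
        if line.upper().startswith("AUTH "):
            mechs.update(m.upper() for m in line.split()[1:])
    return mechs


def auth_login(rfile, wfile, username: str, password: str):
    """Run the AUTH LOGIN exchange of steps 3 to 5. Returns (ok, code, text)."""
    code, lines = send_cmd(rfile, wfile, "AUTH LOGIN")
    if code != 334:
        return False, code, lines[0]
    # The 334 challenge carries base64("Username:"); verify it before answering.
    if base64.b64decode(lines[0]).rstrip(b":").lower() != b"username":
        raise ValueError(f"unexpected challenge: {lines[0]!r}")
    code, lines = send_cmd(rfile, wfile, b64(username))
    if code != 334:
        return False, code, lines[0]          # server rejected before asking for the password
    code, lines = send_cmd(rfile, wfile, b64(password))
    return code == 235, code, lines[0]        # 235 = authentication succeeded


def smtp_auth_check(host, port, username, password, timeout=10):
    """EHLO, STARTTLS, EHLO again, AUTH LOGIN, QUIT; credentials never cross the wire in clear."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
        code, lines = read_reply(rfile)                       # 220 banner
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {lines[0]}")
        code, lines = send_cmd(rfile, wfile, "EHLO test.example")
        if not any(l.upper().startswith("STARTTLS") for l in lines):
            raise RuntimeError("server does not offer STARTTLS; refusing to send credentials")
        code, lines = send_cmd(rfile, wfile, "STARTTLS")
        if code != 220:
            raise RuntimeError(f"STARTTLS refused: {code} {lines[0]}")
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            rfile, wfile = tls.makefile("rb"), tls.makefile("wb")
            code, lines = send_cmd(rfile, wfile, "EHLO test.example")  # capabilities can change after TLS
            if "LOGIN" not in auth_mechanisms(lines):
                raise RuntimeError(f"AUTH LOGIN not advertised; offered: {sorted(auth_mechanisms(lines))}")
            result = auth_login(rfile, wfile, username, password)
            send_cmd(rfile, wfile, "QUIT")
            return result


def scripted_transport(server_bytes: bytes):
    """Offline stand-in for a socket: a constructed server transcript plus a capture buffer."""
    return io.BytesIO(server_bytes), io.BytesIO()


if __name__ == "__main__":
    # Constructed transcript reproducing the replies shown above (not a live server).
    rfile, wfile = scripted_transport(
        b"334 VXNlcm5hbWU6\r\n334 UGFzc3dvcmQ6\r\n"
        b"235 2.7.0 Authentication successful\r\n")
    print(auth_login(rfile, wfile, "user", "pass"))   # (True, 235, '2.7.0 Authentication successful')
    print(wfile.getvalue())                           # the three client lines that were sent
```

Against a real server call smtp_auth_check("smtp.office365.com", 587, "user@domain.com", "password"); the function raises rather than falling back to plain text if STARTTLS or AUTH LOGIN is not offered, which is the check you want in a test script.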

ArubaOS 6.5.0.0

The Early Deployment release of ArubaOS 6.5.0.0 has been published. I looked into the release notes and found some interesting new features.

  • Cellular Handoff Assist is Configurable Per Virtual AP: The cellular handoff assist feature can help a dual-mode, 3G/4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G/4G radio that provides better network access. This setting can now be applied to individual virtual APs via the WLAN virtual-ap profile.
  • Plug and Play 4G USB Modem: ArubaOS 6.5.0.0 supports the USB modem Plug and Play. The controller auto-configures the 4G USB modem as soon as the user plugs in the modem into an AP or a RAP.
  • Support for Secondary AP Master: Starting from ArubaOS 6.5.0.0, seamless connectivity is provided even when the master controller fails, by allowing an access point to terminate on a secondary master controller.
  • Customizing Authentication Reply-Message to Captive Portal Users: ArubaOS 6.5.0.0 introduces the support for customizing authentication Reply-Message to captive portal users in the log-in page for better user experience. The purpose behind the Reply-Message is to return appropriate information to the captive portal system.
  • Multi-Version Licensing: ArubaOS 6.5.0.0 supports multi-version licensing, which allows centralized licensing clients to run a different version of the license than that of the primary and backup licensing servers. If a license is introduced in a newer version of ArubaOS, the primary and backup licensing servers set can still distribute licenses to licensing clients running an older version of ArubaOS, even if the licensing client does not recognize the newer license type.
  • Subscription-Based Web Content Classification License: ArubaOS 6.5.0.0 introduces support for the Web Content Classification (WebCC) license; a subscription-based, per-AP license that supports web content classification features on an AP for the duration of the subscription period (up to 10 years per license).
  • NTP Standalone: NTP standalone feature enables an Aruba controller to act as an NTP server so that the devices that do not have access to Internet can synchronize their clocks. Enabling this feature eliminates the need to provision and maintain another virtual machine on the network.
  • Geo-Location Filtering: Starting from ArubaOS 6.5.0.0, to support IP-classification-based firewall, an IP reputation database containing a list of IP addresses with malicious activities is introduced. This helps in rejecting the traffic sent to or received from those IP addresses classified as malicious based on the policy configured. Using the geolocation IP database, the geographical location of the malicious IP address is also determined, and traffic is permitted or denied after scanning the geography-based rules configured by the administrator.
  • Wi-Fi Calling: ArubaOS 6.5.0.0 supports Wi-Fi Calling in the controller. Wi-Fi calling service allows cellular users to make or receive calls using a Wi-Fi network instead of using the carrier’s cellular network.
  • Blocked Session: Starting from ArubaOS 6.5.0.0, a new tab called Blocked Sessions is added to the Traffic Analysis page. The Blocked Sessions tab displays WebCC and AppRF sessions that were blocked by an access control list (ACL), as recorded through system logging or as blocked in the WebUI.

The release notes can be downloaded here.

ClearPass – concurrent session limit

I tried to configure a restriction on the number of concurrent active sessions a user can have on the wireless network. I found a great article on the AirHeads Community: "How to deny access for authentication requests based on session limit?"

In short the article tells you to:

  1. Edit the Insight Repository
  2. Add more Filters on the Attributes tab
  3. Enter the following information
    1. Filter Name: sessions
    2. Filter Query: see below
    3. Name: sessions
    4. Alias Name: sessions
    5. Data Type: Integer
    6. Enabled As: Role
  4. Add the Insight Repository as Authorization Source
  5. Create an Enforcement Policy Condition to check the Insight Repository
    1. Type: Authorization:[Insight Repository]
    2. Name: sessions
    3. Operator: GREATER_THAN_OR_EQUALS
    4. Value: <number of allowed simultaneous connections + 1>

I configured my ClearPass environment as shown in the article, but I didn't see any active sessions in the Access Tracker. The counter remained 0. I connected to the Insight database with pgAdmin to check whether the Insight database was being updated. It was, so everything seemed to be working.

By accident I found the solution. The SSID uses EAP-PEAP authentication and users enter their username as <username>@<domain-name>, like rene@booches.nl. This is necessary because the SSID is configured to work with Govroam. Govroam provides government employees with seamless access to Wi-Fi networks wherever the service has been made available by participating organisations. To authenticate the users correctly, I configured the CPPM Service with Strip Username Rules.

Strip Username Rules

The SQL query checks the attribute %{Authentication:Username}

select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());

In the InsightDB the username has the format <username>@<domain-name>, but the attribute %{Authentication:Username} has the format <username>. I saw this “mismatch” while checking the Access Tracker.

ClearPass Access Tracker

I altered the query by changing %{Authentication:Username} into %{Authentication:Full-Username}. After this the session information was correct and I could use the session counter in a Role Mapping or Enforcement Profile to limit the concurrent number of active sessions from a user.
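To make the mismatch tangible, here is an added example (not code from the article or from ClearPass) that reproduces the Insight session count over a constructed radius_acct table and evaluates the enforcement condition once with the stripped username and once with the full username. The real Insight database is PostgreSQL; this example uses SQLite so it runs offline, with datetime('now', '-1 hour') standing in for now() - interval '1 hour'. The table only has the columns the query uses, the sample rows, the threshold parameter and the helper names are assumptions for this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone


def ts(dt: datetime) -> str:
    """Format like SQLite's datetime('now') so the string comparison in BETWEEN works."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for Insight's radius_acct table (only the columns the query uses)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radius_acct (username TEXT, start_time TEXT, "
        "end_time TEXT, termination_cause TEXT, updated_at TEXT)"
    )
    now = datetime.now(timezone.utc)

    def m(minutes):                 # timestamp 'minutes' ago
        return ts(now - timedelta(minutes=minutes))

    rows = [
        # two live sessions for the full username, interim-updated within the last hour
        ("rene@booches.nl", m(30), None, None, m(5)),
        ("rene@booches.nl", m(10), None, None, m(1)),
        # a finished session: end_time and termination_cause are set, so it is not counted
        ("rene@booches.nl", m(90), m(40), "User-Request", m(40)),
        # a stale "open" session not updated for three hours: outside the one-hour window
        ("rene@booches.nl", m(240), None, None, m(180)),
        # an unrelated user
        ("eve@booches.nl", m(2), None, None, m(2)),
    ]
    conn.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


# Same predicate as the Insight filter query, in SQLite dialect.
SESSION_COUNT_SQL = """
SELECT count(*) AS sessions
FROM radius_acct
WHERE username = ?
  AND end_time IS NULL
  AND termination_cause IS NULL
  AND updated_at BETWEEN datetime('now', '-1 hour') AND datetime('now')
"""


def count_sessions(conn, username: str) -> int:
    """The 'sessions' attribute Insight would return for this username."""
    return conn.execute(SESSION_COUNT_SQL, (username,)).fetchone()[0]


def strip_realm(full_username: str) -> str:
    """What a Strip Username Rule does: %{Authentication:Username} is user@realm -> user."""
    return full_username.split("@", 1)[0]


def enforce(conn, full_username: str, threshold: int, strip_username: bool):
    """Emulate the condition 'sessions GREATER_THAN_OR_EQUALS threshold' -> ('deny'|'allow', sessions).

    strip_username=True reproduces the broken query keyed on %{Authentication:Username};
    False is the fix, keyed on %{Authentication:Full-Username}.
    """
    key = strip_realm(full_username) if strip_username else full_username
    sessions = count_sessions(conn, key)
    return ("deny" if sessions >= threshold else "allow"), sessions


if __name__ == "__main__":
    db = build_sample_db()
    for strip in (True, False):
        label = "Username     " if strip else "Full-Username"
        print(label, enforce(db, "rene@booches.nl", threshold=2, strip_username=strip))
```

With the stripped username the count is always 0 and the limit is never enforced, exactly the symptom seen in the Access Tracker; with the full username the two live sessions are counted. Note the updated_at window in the query: a session whose last interim accounting update is older than an hour drops out of the count, so the interim update interval on the NAS must be shorter than that for the limit to be reliable.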

FortiGate – IPSec with dynamic IP

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common for a branch office to have an internet connection with a dynamic IP address. A dynamic IP address is not ideal when configuring a site-to-site VPN connection, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances and the branch appliance is using a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I had to configure the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS.

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "branche01-booches.fortiddns.com"
set monitor-interface "wan1"
next
end

This can also be done in the GUI.

FortiDDNS

The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the configuration of the peer IP address. Instead of a static IP, you set the type to ddns and configure the DDNS FQDN as the remote gateway. Keep in mind that DDNS only tells the hub where the peer currently is; the peer is still authenticated by the pre-shared key, so use a strong one. The 3des-sha1 proposal with DH group 2 in the example below is weak by today's standards; for new tunnels pick an AES/SHA-256 proposal and DH group 14 or higher.

config vpn ipsec phase1-interface
edit "vpn_p1_branche01"
set type ddns
set interface "wan1"
set proposal 3des-sha1
set dhgrp 2
set remotegw-ddns "branche01-booches.fortiddns.com"
set psksecret P$k-VPN!
next
end

And as you can imagine, this can also be done via the GUI.

FortiDDNS IPSec - HQ

Check the status of the VPN connection via the regular methods, either on the CLI (get vpn ike gateway, or get vpn ipsec tunnel name <tunnel-name>) or via the GUI.

Cisco ASA: multiple context and capture

Packet captures are very useful for troubleshooting. The Cisco ASA supports packet captures even in multiple context mode. I normally configure packet captures on the CLI: define an access-list that matches the specific traffic you would like to capture, then reference that access-list and the interface in a capture command. Mostly I download the capture in raw (pcap) format for further analysis with a tool like Wireshark. The capture can be downloaded via TFTP or via a secure connection (HTTPS) to the Cisco ASA firewall.

When running a Cisco ASA in multiple context mode, I always disable the ability to connect directly to a context for management purposes. That way you have to go through the admin context for management access, but it also removes the option to download the capture over a secure connection directly from the traffic context.

The easiest way to download the capture in multiple context mode is via a TFTP transfer from the system context. Check the example command below. The capture was made within the context named contextA and has the name captureA. The following command downloads the capture in raw (pcap) format; remember that TFTP is unauthenticated and unencrypted, so only use it on a trusted management network.

copy /pcap capture:contextA/captureA tftp://10.10.10.10/captureA.pcap

You can now analyse the capture with Wireshark.