ClearPass – dual interface and routing

When you are using both interfaces on a ClearPass server (MGMT and DATA) than ClearPass uses the DATA interface to connect to services, like LDAPS to Active Directory, SMTP delivery, Active Directory joining and more. ClearPass uses the DATA interface as default gateway if no specific route is available on the MGMT interface.

That being said, you have the option to add routes to the ClearPass routing table. Routes are added via the ClearPass shell. Use the following command to add a route.

Usage:

network ip add <mgmt|data|greN|vlanN> [-i <id>] <[-s <SrcAddr>] [-d <DestAddr>]> [-g <ViaAddr>]

Where:

  • greN — Name of the gre tunnel where N corresponds to the gre
    tunnel number ranging from 1,2,3…N
  • vlanN — Vlan interface where N corresponds to the vlan id ranging from 1,2,3…N. For example if the configured vlan identifier is ’85’ then input ‘vlan85’
  • -i — Optional parameter. Id of the network ip rule. If unspecified the system will auto generate the Id
  • -s <SrcAddr> — Optional parameter. The source interface ip address or netmask from where the network ip rule is specified. The allowed values are valid IP Address or Netmask or ‘0/0’
  • -d <DestAddr> — Optional parameter. The destination interface ip address or netmask where the network ip rule is specified. The allowed values are valid IP Address or Netmask or ‘0/0’
  • -g <ViaAddr> — Optional parameter. The via or gateway ip address through which the network traffic should flow. The allowed value is valid IP Address

An example:

[appadmin@CPPM01]# network ip add mgmt -d 10.10.10.0/24 -g 20.20.20.1
INFO – Added route for destination=10.10.10.0/24 via=20.20.20.1
INFO – New ip rule created with the id = 12000

You can check the routing table via the command: network ip list.

AirWave & VMware Tools installation

It is recommended to install the VMware Tools before running the AMP setup. After deploying the AMP ova file and starting the VM, you can interrupt the installation process via CTRL+C. This gives you access to the AMP shell. Use the following steps to install VMware Tools on a HPE Aruba AirWave Management Platform appliance:

  1. From the VMware vSphere Client, open the console to the VM and select VM – Guest – Install/Update VMware Tools;
  2. Type mkdir -p /media/cdrom
  3. Mount the CD-ROM via mount /dev/cdrom /media/cdrom
  4. Copy the installation file cp /media/cdrom/VMwareTools-*.tar.gz /tmp
  5. Unmount the CD-ROM umount /media/cdrom
  6. Extract the installation file cd /tmp; tar -zxvf VMwareTools-*.tar.gz
  7. Run the VMware Tools setup and install script by typing /tmp/vmware-tools-distrib/vmware-install.pl –default (2x hyphen)

The installation will take a few minutes. After the installation is finished you can restart the VM via the command init 6 or reboot.

Check the VMware Tools installation after the reboot by interrupting the AMP installation again and type the command vmware-toolbox-cmd -vThis will give you information about the installed version of VMware Tools.

You can now start the AMP installation again via the command /root/amp-install.

Aruba ClearPass – Cisco Prime – TACACS+

When using Cisco Prime you have the option to configure authentication to a remote AAA server via RADIUS or TACACS+. Today I configured Cisco Prime to use HPE Aruba ClearPass as remote AAA server based on the TACACS+ protocol. The configuration of an AAA server in Cisco Prime is very straightforward. Configure the AAA Mode Setting under Administration / Users / Users, Role & AAA / AAA Mode Settings. The next step involves adding HPE Aruba ClearPass as TACACS+ servers via the option menu Administration / Users / Users, Role & AAA / TACACS+ Servers.

I configured a TACACS+ service in ClearPass with a very basic Enforcement Profile. In the beginning I used the same Enforcement Profile, which I also use to enforce privilege level 15 to switches and routers. Authentication will fail at this point. In the Access Tracker I get the following error message:

Tacacs service=NCS:HTTP not enabled

And the login screen from Cisco Prime shows me the following error message.

I created a new Enforcement Profile and added the TACACS+ service NCS:HTTP to the Enforcement Profile. Now I see an access granted in the Access Tracker, but I still get the same error message on the Cisco Prime website. After some digging in Cisco Prime I noticed that Cisco Prime needs to receive TACACS+ attributes from the AAA server to grant access and assign privileges and tasks to the user.

First you need to get the TACACS+ attributes from the Virtual Domain configuration. In the menu options navigate to Administration \ Users \ Virtual Domains. At the upper right corner you have the option to “Export Custom Attributes”.

These attributes need to be configured in ClearPass. As you notice you also need to configure these attributes if you would like to use RADIUS as authentication protocol. You also need to add the attributes from the user group. Navigate to Administration / Users / Users, Role & AAA / User Groups. Click the “Task List” option next to the User Group you would like to use. I use Root in this example.

The User Group Root contains 194 tasks, which need to be added to the Enforcement Profile in ClearPass. Below you see a snippet from the Enforcement Profile configuration.

To make it easy for you, I exported the Enforcement Profile including all the 194 tasks for the Root User Group. You can download the Enforcement Profile in XML format below. Just import the profile into ClearPass and you are good to go!!!

Download here: Cisco Prime Enforcement Policy

ClearPass & MobileIron – Error: not well-formed (invalid token)

This post isn’t going to describe what HPE Aruba ClearPass or MobileIron is. And neither will it describe the configuration steps necessary to add MobileIron to ClearPass, but I will give a short summary:

  1. Add the MobileIron VSP to ClearPass as Endpoint Context Server (CPPM – Administration – External Servers);
  2. The account on MobileIron needs API rights to enable ClearPass to retrieve information from MobileIron;

This post tells a bit more about an error message I suddenly started to receive in the CPPM Eventy Viewer.

CPPM - MDM - invalid token

Error: not well-formed (invalid token)

I checked the internet, but I couldn’t find any useful information. I opened a TAC case to look into this error. The TAC engineer told me he had seen this error before, where MobileIron sends invalid token characters to ClearPass. He told me that CPPM does batch processing of the devices and the entire batch fails when CPPM doesn’t understand special characters. He also told me how to see which device is causing the problem.

You have to collect the CPPM logs (CPPM – Administration – Server Manager – Server Configuration – Collect Logs). After you untar the tar.gz file, you should look at the directory “strange string”\PolicyManagerLogs\mdm\MI\mdm-server and you should open the file 0.xml.bak.

Scroll down to the line mentioned in the error message and you will see something like below. I always use Notepad++ to open the file.

CPPM MDM - XML Error

CPPM doesn’t understand these special characters in the key. When you start scrolling up, you can determine which device in MobileIron triggers the error message in CPPM.

After I found the device in MobileIron I checked every setting on the device to find the special character, but I couldn’t find one. In the end there was only one solution for me: retire the device. This basically means remove the device from MobileIron and the user needs to reprovision the device in MobileIron. The sync between CPPM en MobileIron was successful again after I retired the device.

Tip of the week: I guess you aren’t always looking at the Event Viewer for errors, so maybe it is useful to configure ClearPass Insight to send a notification if a System Error Event occurs!!!

ArubaOS 6.5.0.0

The Early Deployment release software from ArubaOS 6.5.0.0 has been released. I looked into the release notes and found some interesting new features.

  • Cellular Handoff Assist is Configurable Per Virtual AP: The cellular handoff assist feature can help a dual-mode, 3G/4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G/4G radio that provides better network access. This setting can now be applied to individual virtual APs via the WLAN virtual-ap profile.
  • Plug and Play 4G USB Modem: ArubaOS 6.5.0.0 supports the USB modem Plug and Play. The controller auto-configures the 4G USB modem as soon as the user plugs in the modem into an AP or a RAP.
  • Support for Secondary AP Master: Starting from ArubaOS 6.5.0.0, seamless connectivity is provided even when the master controller fails, by allowing an access point to terminate on a secondary master controller.
  • Customizing Authentication Reply-Message to Captive Portal Users: ArubaOS 6.5.0.0 introduces the support for customizing authentication Reply-Message to captive portal users in the log-in page for better user experience. The purpose behind the Reply-Message is to return appropriate information to the captive portal system.
  • Multi-Version Licensing: ArubaOS 6.5.0.0 supports multi-version licensing, which allows centralized licensing clients to run a different version of the license than that of the primary and backup licensing servers. If a license is introduced in a newer version of ArubaOS, the primary and backup licensing servers set can still distribute licenses to licensing clients running an older version of ArubaOS, even if the licensing client does not recognize the newer license type.
  • Subscription-Based Web Content Classification License: ArubaOS 6.5.0.0 introduces support for the Web Content Classification (WebCC) license; a subscription-based, per-AP license that supports web content classification features on an AP for the duration of the subscription period (up to 10 years per license).
  • NTP Standalone: NTP standalone feature enables an Aruba controller to act as an NTP server so that the devices that do not have access to Internet can synchronize their clocks. Enabling this feature eliminates the need to provision and maintain another virtual machine on the network.
  • Geo-Location Filtering: Starting from ArubaOS 6.5.0.0, to support IP-classification-based firewall, an IP reputation database containing a list of IP addresses with malicious activities is introduced. This helps in rejecting the traffic sent to or received from those IP addresses classified as malicious based on the policy configured. Using the geolocation IP database, the geographical location of the malicious IP address is also determined, and traffic is permitted or denied after scanning the geography-based rules configured by the administrator.
  • Wi-Fi Calling: ArubaOS 6.5.0.0 supports Wi-Fi Calling in the controller. Wi-Fi calling service allows cellular users to make or receive calls using a Wi-Fi network instead of using the carrier’s cellular network.
  • Blocked Session: Starting from ArubaOS 6.5.0.0, a new tab called Blocked Sessions is added in the Traffic Analysis page. The Blocked Sessions tab displays WebCC and AppRF sessions which are blocked by access control list (ACL) through system logging or that blocked on the WebUI interface.

The release notes can be downloaded here.