Booches.nl


FortiGate – backup via auto-script

One of the features I would like to see in a FortiGate is the ability to create backups automatically and copy them to storage outside the firewall. Of course, this can be accomplished by adding FortiManager to the solution, but why would I need FortiManager if I only have one FortiGate (cluster)? Another option would be scripts, like Python or PowerShell, run as scheduled tasks on a server that pull a backup from the FortiGate firewalls.

A very basic option is the system auto-script feature in FortiOS 5.4 and higher, which lets you save CLI command scripts and run them on a schedule. This makes it possible to auto-script the execute backup full-config command. The disadvantage is that the backup destination can only be (T)FTP; there is no option to use a secure protocol like SFTP. Keep in mind that TFTP and FTP transfer the configuration, and the secrets it contains, in cleartext, so the backup server should only be reachable from the firewall's management network.

The auto-script in my example executes the backup command and sends the backup via TFTP to the TFTP server. The script runs every 24 hours (86400 seconds), repeats indefinitely and starts automatically.
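An auto-script definition matching that description, added here as an example (it is not the screenshot from the original post). The script name, the backup file name and the TFTP server address 192.0.2.10 are assumptions:

```text
# On a FortiGate with VDOMs enabled, enter "config global" first.
config system auto-script
    edit "daily-backup"
        # run every 24 hours
        set interval 86400
        # 0 = repeat indefinitely
        set repeat 0
        # start automatically after boot, no manual trigger needed
        set start auto
        # assumed file name and TFTP server address
        set script "execute backup full-config tftp fgt-backup.conf 192.0.2.10"
    next
end
```

After the first run, diagnose auto-script result daily-backup shows the output of the last execution; checking that output (and the timestamp of the file on the TFTP server) is the test that the schedule is actually working.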

The script can also be configured via the GUI (Global >> System >> Advanced >> Configuration Scripts). More information about the feature can be found in the FortiOS documentation.

MobileIron – replace SSL certificate

Something completely different: replacing the SSL certificate on MobileIron Core and Sentry. In total I had to replace 5 certificates: 4 are replaced via the Core web interface and 1 via the Sentry web interface.

Core

Within the Core web interface you have to change the certificates in two separate places.

1. Login to the Core web interface and choose Services >> Sentry

2. Choose the icon (person’s head) in the upper right corner >> System Manager. Log in to the System Manager website and choose Security >> Certificate Mgmt

Sentry

Log in to the Sentry web interface and choose Security >> Certificate Mgmt

The process of replacing a certificate is the same for all 5; you only need to be careful to upload the correct certificate in each place. In my situation, users connect to two different FQDNs. One FQDN points to the Core and is used to sign in to MobileIron and register a device. The second FQDN points to Sentry and is used for client connections from the mobile device, like Outlook sync or Web@Work. I upload the certificate for the Sentry FQDN under the Sentry option in the Core web interface and in the Sentry web interface itself, and the certificate for the Core FQDN in the Core System Manager web interface.

I am using a certificate issued for the full FQDN, not a wildcard certificate. Its certificate path contains two intermediate certificates and one root certificate, so I have 5 different files in total:

  1. a signed certificate from the CA
  2. the private key
  3. the first intermediate certificate
  4. the second intermediate certificate
  5. the root certificate

I upload all files separately when choosing Manage Certificate, as shown in the screenshot.

Hit Upload Certificate once you have chosen all the necessary files. MobileIron uploads the certificates, is "smart" enough to combine them into a chain, replaces the certificate for the specific service and restarts that service. This can cause a short interruption of production, so do it in a maintenance window and check beforehand that the private key really belongs to the certificate and that the chain verifies, because the restart is where a mismatched pair bites. After this, the SSL certificate is successfully replaced.
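Before uploading, it is worth checking that the five files fit together. The POSIX shell script below is an added example, not MobileIron tooling: it uses the openssl command-line tool to check that the private key matches the leaf certificate, that the leaf chains through both intermediates to the root, that the Subject Alternative Name covers the FQDN clients will connect to, and that the certificate has not already expired. Its --demo mode builds a throw-away chain for the made-up host sentry.example.com so the check can be exercised without real certificates; that chain and every name in it are constructed test data.

```shell
#!/bin/sh
# Pre-upload check for the five files the MobileIron procedure asks for:
# leaf certificate, private key, two intermediates and the root.
# Added example (not MobileIron tooling); it only needs the openssl CLI.
# Host names below (sentry.example.com etc.) are made up.

# check_cert_bundle LEAF KEY INT1 INT2 ROOT FQDN -> exit status 0 when
#  (a) KEY is the private key belonging to LEAF,
#  (b) LEAF chains to ROOT through the intermediates and its SAN covers FQDN,
#  (c) LEAF has not already expired.
check_cert_bundle() {
    [ $# -eq 6 ] || { echo "usage: check_cert_bundle LEAF KEY INT1 INT2 ROOT FQDN" >&2; return 2; }
    leaf=$1; key=$2; int1=$3; int2=$4; root=$5; fqdn=$6
    tmp=$(mktemp -d) || return 1
    rc=0

    # (a) Compare the SubjectPublicKeyInfo of key and cert (works for RSA and EC).
    if ! openssl pkey -in "$key" -pubout > "$tmp/key.pub" 2>/dev/null \
       || ! openssl x509 -in "$leaf" -noout -pubkey > "$tmp/cert.pub" 2>/dev/null \
       || [ "$(cat "$tmp/key.pub")" != "$(cat "$tmp/cert.pub")" ]; then
        echo "FAIL: $key is not the private key for $leaf" >&2; rc=1
    fi

    # (b) ROOT is the only trust anchor; the intermediates are passed as
    #     untrusted, so their order does not matter. -verify_hostname checks
    #     the SAN against the name users will actually connect to.
    cat "$int1" "$int2" > "$tmp/chain.pem"
    if ! openssl verify -CAfile "$root" -untrusted "$tmp/chain.pem" \
            -verify_hostname "$fqdn" "$leaf" > /dev/null 2>&1; then
        echo "FAIL: $leaf does not verify to $root for host $fqdn" >&2; rc=1
    fi

    # (c) -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$leaf" -noout -checkend 0 > /dev/null 2>&1; then
        echo "FAIL: $leaf has expired" >&2; rc=1
    fi

    rm -rf "$tmp"
    return $rc
}

# make_demo_chain DIR FQDN builds a throw-away root -> int1 -> int2 -> leaf
# chain with P-256 keys, plus an unrelated "bogus" key, so the check can be
# exercised offline. Constructed test data only; no real CA is involved.
make_demo_chain() {
    d=$1; host=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"
    for n in root int1 int2 leaf bogus; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null
        openssl req -new -key "$d/$n.key" -out "$d/$n.csr" -subj "/CN=demo $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int1.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int1.crt" 2>/dev/null
    openssl x509 -req -in "$d/int2.csr" -CA "$d/int1.crt" -CAkey "$d/int1.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int2.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int2.crt" -CAkey "$d/int2.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Usage: sh check_chain.sh LEAF KEY INT1 INT2 ROOT FQDN   (your real files)
#        sh check_chain.sh --demo                          (constructed chain)
case "${1:-}" in
    --demo)
        D=$(mktemp -d)
        make_demo_chain "$D" sentry.example.com
        check_cert_bundle "$D/leaf.crt" "$D/leaf.key" "$D/int1.crt" "$D/int2.crt" \
            "$D/root.crt" sentry.example.com && echo "demo bundle OK"
        rm -rf "$D" ;;
    "") ;;  # no arguments: only define the functions
    *) check_cert_bundle "$@" ;;
esac
```

Run it against the real files with the Sentry FQDN for the Sentry bundle and the Core FQDN for the Core bundle; a non-zero exit with a FAIL line means the upload would restart the service with a broken certificate.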

Problems provisioning AP324?

I had to provision some AP324 APs on a standalone Aruba Mobility Controller running AOS 8.2.0.2. So what could go wrong when provisioning an AP324 via the GUI? Well, during provisioning I couldn't choose the desired custom AP group; I could only choose from the two default AP groups: default and NoAuthApGroup.

Hmmm, what could be the problem? I created a new AP group with default settings and even changed the settings of my custom AP group to match those of the default AP group, but still no option. So I guess this is some kind of bug in the 8.2.0.2 code.

Eventually I configured the AP via the CLI to get it provisioned in the correct AP group with the correct parameters, and that works fine. Remember: the AP324 is an AP with external antennas, so you need to configure the antenna gain during provisioning. The exact antenna gain values can be found in the data sheet of the antennas. I used the CLI configuration below to provision the AP.

# clear previous provisioning ap list
clear provisioning-ap-list

# enter config mode and configure parameters
config t
provision-ap read-bootinfo ap-name a8:bd:27:cc:50:8e
provision-ap installation indoor
provision-ap a-ant-gain 5.8
provision-ap g-ant-gain 3.8
provision-ap external-antenna
provision-ap ap-group my-ap-group
provision-ap no syslocation
provision-ap no remote-ap

# view the configured parameters
show provisioning-params

# provision the AP
provision-ap reprovision ap-name a8:bd:27:cc:50:8e

# clear provision list and parameters
clear provisioning-ap-list
clear provisioning-params

The AP is now configured with the correct parameters, which can also be verified from the GUI.

Factory reset Mobility Controller managed by Mobility Master

With the introduction of ArubaOS 8, HPE Aruba Networks introduced the Mobility Master appliance. A Mobility Master appliance takes care of all the control-plane features within your deployment. A Mobility Master provides better user experience, flexible deployment, simplified operations and enhanced performance. Mobility Controllers are added to the Mobility Master as regular controllers and all configuration for the Mobility Controllers is done on the Mobility Master console to provide centralized management.

The question arises: is it still as easy to factory reset a Mobility Controller that is managed by a Mobility Master?

The answer: yes it is, but you need to take one extra step!

I took a Mobility Controller from the shelf and wanted to configure it as a standalone controller with ArubaOS 8. The controller was running 6.5 code, but the backup partition already contained an 8.0 image and the controller had previously been managed by a Mobility Master during a workshop. I upgraded the 8.0 image to the latest 8.2 image and booted the controller from that partition.

I tried to log in with the credentials from the 6.5 code, but those didn't work anymore, and I had no clue which credentials were used during the 8.0 workshop. So I started with the default password recovery, which is very simple and straightforward: connect to the console with username "password" and password "forgetme!" (this recovery login only works on the serial console, which is one more reason to keep physical access to the console port under control). Normally you would configure a new management user and "write erase" the configuration, but by default this is not possible in this scenario. Once you enter "config terminal" you receive the following message.

(controller) *#configure t
This controller is managed by a Mobility Master.
Configuration changes can only be performed on the Mobility Master.

Okay, so maybe I can do a “write erase” directly….

(controller) *#write erase
All the configuration will be deleted and the controller will be reloaded. Press ‘y’ to proceed : [y/n]: y
You do not have permission to execute this command

No, so what's next? The clue is the command "local-config enable".

(controller) *#local-config enable
Warning: ‘local-configure enable’ should only be used for debugging. This will disableAuto-Rollback feature. Please use the command ‘local-configure disable’ after you are done.
Configuration Mode Is Enabled.

Now you have the option to enter "config terminal", add a new management user, log in with the new user and "write erase" the configuration. Next I rebooted the controller and started with a fresh, factory-default controller running ArubaOS 8 software.

(controller) *#configure t
Enter Configuration commands, one per line. End with CNTL/Z

(controller) *(config) #mgmt-user admin root
Password:************
Re-Type Password:************
(controller) ^*(config) #end
(controller) ^*#write mem

Saving Configuration…

Partial configuration for /mm/mynode
————————————
Contents of : /flash/ccm/partial/0/p=sc=mynode.cfg
mgmt-user admin root d442d5b0011f409d930efc3f1a4409d5abb80c1a47e5247626
Configuration Saved.
(controller) *#exit

User: admin
Password:
(controller) *#write erase
All the configuration will be deleted and the controller will be reloaded. Press ‘y’ to proceed : [y/n]: y
Write Erase successful

System will now restart!

ClearPass and InTune Integration Guide

Lately I have been "playing" with the integration between ClearPass and Microsoft Intune. I found this very good integration guide on the AirHeads Community. I downloaded the integration guide and started clicking. In the end I wasn't able to sync any attributes from Intune into the endpoint database. I consulted Aruba TAC and they couldn't find the problem either. The ClearPass side was configured correctly. The next step should be consulting Microsoft.

Yesterday I had to change some settings in my own Azure portal. I needed to configure another app registration including some custom permissions. Since I had never done anything with Azure before, I just followed all guides step by step. This guide added another (logical) step after changing the required permissions for the registered app: I had to click "Grant Permissions" after changing the permissions.

So I did the same for the ClearPass-Intune app registration and the ClearPass API started to fetch the Intune attributes. So if you follow the ClearPass Intune Integration Guide v3.0, you have to add this step after you reach page 19: the button grants tenant-wide admin consent for the permissions you just configured, and application permissions are not effective until an administrator has consented to them.


Download a copy of the integration guide: ClearPass TechNote Extensions – Microsoft Intune Integration v3.0
