Connecting the world…

ClearPass and InTune Integration Guide

Lately, I have been “playing” with the integration between ClearPass and Microsoft InTune. I found a very good integration guide at the AirHeads Community, downloaded it and started clicking. In the end, I wasn’t able to sync any attributes from InTune into the Endpoint database. I consulted Aruba TAC and they couldn’t find the problem either: the ClearPass side was configured correctly. The next step should be consulting Microsoft…

Yesterday I had to change some settings in my own Azure Portal. I needed to configure another App Registration with some custom permissions. Since I had never done anything with Azure before, I just followed the guides step by step. This guide added another (logical) step after changing the required permissions for the Registered App: I had to click “Grant Permissions” after changing the permissions.

So I did the same for the ClearPass-InTune app registration and the ClearPass API started fetching the InTune attributes. So if you follow the ClearPass InTune Integration Guide v3.0, you have to add this step after you reach page 19.

Download a copy of the integration guide: ClearPass TechNote Extensions – Microsoft Intune Integration v3.0

HPE switch and SSH filetransfer

Upgrading firmware on switches, routers and/or firewalls is a common task for network administrators. Normally I download the new firmware from the console of the switch, pulling the image from a (T)FTP server. While configuring a bunch of HPE 2930F switches for SSH access I noticed that I had the option to configure “ip ssh filetransfer”.

I was curious what I would be able to do with this command and found out that it is useful for uploading new firmware to the switch: with it I can push the software from a session on my laptop directly to the switch. I tested this in my home network with a firmware upgrade of my own HPE 2930F switches.

At first I enabled the “ip ssh filetransfer” option. Of course you need to configure the regular SSH access to the switch, but I guess everybody enables SSH and disables Telnet by default!!!

2930F-01(config)# ip ssh
filetransfer Enable/disable secure file transfer capability.

I downloaded the new software image to my laptop and copied it via SCP to the switch as the primary flash image.

MacBook:Downloads rjn$ scp WC_16_05_0003.swi admin@

The software is copied directly to the switch. You can check this on the switch:

2930F-01# show flash
Image             Size (bytes)   Date       Version
----------------- -------------  ---------  --------------
Primary Image   : 28793113       12/08/17   WC.16.05.0003
Secondary Image : 20530856       10/26/16   WC.16.02.0014

You can also copy the file as secondary flash image and change the boot image via:

2930F-01(config)# boot system flash secondary

To activate the new software, just reload the switch. And don’t forget to take a backup of the configuration first.
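The same upload procedure as a small POSIX shell script, added here as an example (not code from the original post or from HPE): it verifies the image hash before sending anything, backs up the running config first, and stages the image in the secondary slot so the known-good primary image stays bootable. It assumes the switch exposes its config and flash slots to SCP as /cfg/running-config and /os/secondary (not stated on the page; check your release) and that GNU sha256sum is available on the laptop.

```shell
#!/bin/sh
# Added example, not from the original post: the upload procedure above with
# the checks a careful admin wraps around it: verify the image hash before
# sending it, back up the running config first, and stage the image in the
# secondary slot so the known-good primary image stays bootable.
# Assumption (not on the page): ArubaOS-Switch exposes its config and flash
# slots to SCP as /cfg/running-config and /os/secondary; check your release.
set -eu

# verify_image FILE EXPECTED_SHA256 -> 0 if the local file matches the hash
# published with the download (sha256sum from GNU coreutils assumed).
verify_image() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# flash_version "show flash output" primary|secondary -> version in that slot,
# so the result of the upload can be checked against the expected version.
flash_version() {
    printf '%s\n' "$1" | awk -v slot="$2" '
        tolower($1) == slot && $2 == "Image" { print $NF }'
}

# backup_config SWITCH USER -> pulls running-config into a timestamped file
backup_config() {
    scp "$2@$1:/cfg/running-config" "running-config.$1.$(date +%Y%m%d%H%M%S)"
}

# stage_image SWITCH USER IMAGE EXPECTED_SHA256 -> image in the secondary slot;
# 'boot system flash secondary' plus a reload is still a deliberate manual step.
stage_image() {
    switch=$1; user=$2; image=$3; sha=$4
    if ! verify_image "$image" "$sha"; then
        echo "refusing to upload $image: SHA-256 does not match" >&2
        return 1
    fi
    backup_config "$switch" "$user"
    scp "$image" "$user@$switch:/os/secondary"
    echo "uploaded $image to $switch:/os/secondary; confirm with 'show flash'"
}

# Usage: stage_image.sh SWITCH USER IMAGE EXPECTED_SHA256
if [ $# -eq 4 ]; then
    stage_image "$@"
fi
```

Paste the switch’s `show flash` output into flash_version afterwards to confirm the secondary slot holds the version you expected before switching the boot image.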

Aruba Airwave 8.2.4 and no CLI / shell access

BE AWARE: reading and applying this blog is at your own risk. Following the below procedure could affect the support validity on your Aruba AirWave appliance.

All AirWave firmware versions prior to 8.2.4 gave you shell access to the CentOS operating system. Once you upgrade from 8.2.3 to 8.2.4 you receive the message that the root user won’t be used anymore and you need to log in with the user ampadmin.

Your system has been converted to use AMPCLI. You may now log in as ampadmin. If you lose the password for ampadmin you may log in as amprecovery (password recovery) on the console to reset the ampadmin password.

Remove any OS user accounts you may have created to complete the securing of the system.

Once you log out, the linux shell will no longer be accessible.

Starting from 8.2.4 you only have a basic options menu and no shell access anymore. To me, this is a burden because I cannot install VMware Tools anymore or configure scheduled backups to offsite storage. Luckily there is a way to restore the shell access, but the guidelines below need to be applied directly after the upgrade from 8.2.3 to 8.2.4 and cannot be done on a new 8.2.4 installation.

Some additional information: the /etc/passwd file stores the essential user account information that is required during login. It is a text file containing a list of the system’s accounts, with some useful information for each account such as the user ID, group ID, home directory and shell. Before you start the upgrade, /etc/passwd contains the following entry.


Just start the upgrade as you always do, but do not log off after the upgrade is completed. Take another look at the /etc/passwd file and especially the entry for the user root.


The entry has changed: /sbin/nologin disables shell access for the root user. Change the entry back to the default value and you are good to go!!! You should still have access to the shell after logging off or rebooting the appliance.

ClearPass & Sophos Mobile Control

A lot of companies are using MDM to control and manage their (mobile) assets. By connecting the MDM solutions to HPE Aruba ClearPass an organization has the possibility for advanced context-aware access for a (mobile) device to the corporate network, wired and wireless. ClearPass supports multiple MDM solutions via built-in “External Context Servers”, like Airwatch and MobileIron.

The MDM solution from Sophos, Sophos Mobile Control, has no built-in integration with ClearPass. I needed to help a customer link ClearPass with Sophos Mobile Control, because the customer wanted to distinguish BYOD from corporate devices. All corporate devices are managed via Sophos Mobile Control. In this setup, Sophos Mobile Control uses an MSSQL database to store all relevant information. One of the tables in the MSSQL database stores the Wi-Fi MAC address of the asset. I use this table to distinguish the BYOD devices from the corporate devices: if the MAC address of the device is present in the database, the device is a corporate device.

I started by adding the MSSQL database as an authentication source to the ClearPass configuration. The customer created a dedicated SQL user with read-only access to the database. The MSSQL database is added in ClearPass under Configuration – Authentication – Sources. I added a source from the type “Generic SQL DB”.

The next step involves the creation of a proper SQL filter statement. I would like to have the Wi-Fi MAC address as output from the SQL filter. The following SQL filter is used for this (with special thanks to the customer, who had some more experience with SQL statements!!!!):

SELECT LOWER(deviceproperty.value) AS mac_address
FROM deviceproperty
INNER JOIN device ON deviceproperty.deviceid = device.deviceid
WHERE deviceproperty.propertykey = 'Wi-Fi MAC address'
  AND device.managed = 'managed'
  AND deviceproperty.value = '%{Connection:Client-Mac-Address-NoDelim}';

I would like to use the MAC address as a string in the authentication/authorization process. In the end I will check whether the MAC address in the RADIUS request matches a MAC address in the Sophos MDM database. The SQL filter is added in the Filter option within the Authentication Source, as in the image below. Just go to the Attributes tab and choose the option Add More Filters.

The Authentication Source is added to the appropriate Service as an Authorization Source. I always add the Source first, before I start to configure Roles and Role Mappings, because I would like to see which output I receive from the MSSQL database. There are two possible outcomes:

  1. The MAC address exists in the MSSQL database
  2. The MAC address doesn’t exist in the MSSQL database

If the MAC address exists in the MSSQL database, you will see the value of the MAC address in the Access Tracker.

As you can see, the MAC address is listed without any delimiter. If the MAC address doesn’t exist in the database, the MAC address won’t be listed in the Access Tracker and you will see the following Alert Message.

Now that we know which information we receive in the Access Tracker during an authentication request, we can configure the correct Roles and Role Mappings. In this example I assign the Role [VDI Trusted] to the device when the MAC address of the device equals the MAC address in the MSSQL database.

The last step is easy. Just configure the appropriate Enforcement Policy and Profile in which you match the Role and set the correct attributes on the Wi-Fi or wired network.

Cisco Catalyst 2960X keeps crashing

Yesterday evening I had to troubleshoot a Cisco Catalyst 2960X switch stack which didn’t return to normal after a reboot. The following error message was visible on the console:

Error: ASIC/PHY POST failed. Cannot continue.

%Software-forced reload

Cisco lists this error message as a bug (CSCut90593) and describes a very “good” workaround: the switch can boot up normally after this crash. I tried to reboot the switch several times, but it didn’t boot normally. The stack is running Cisco IOS version 15.2(2)E6 and the bug should be fixed in 15.2(2)E3.

It took me till midnight to recover the stack, so I am done troubleshooting and I will start the RMA procedure. I have to say that I am not really happy with the Cisco Catalyst 2960X. I have several customers running this type of switch and I have had a lot more “troubles” with this switch than I have/had with other Cisco switches. I hope stability will improve!!!!