Connecting the world…

ClearPass & Sophos Mobile Control

A lot of companies use MDM to control and manage their (mobile) assets. By connecting the MDM solution to HPE Aruba ClearPass, an organization can offer advanced context-aware access for a (mobile) device to the corporate network, wired and wireless. ClearPass supports multiple MDM solutions via built-in “External Context Servers”, like AirWatch and MobileIron.

The MDM solution from Sophos, Sophos Mobile Control, has no built-in integration with ClearPass. I needed to help a customer link ClearPass with Sophos Mobile Control, because the customer would like to distinguish BYOD from corporate devices. All corporate devices are managed via Sophos Mobile Control. In this setup, Sophos Mobile Control uses an MSSQL database to store all relevant information. One of the tables in the MSSQL database stores the Wi-Fi MAC address of the asset. I use this table to distinguish the BYOD devices from the corporate devices. If the MAC address of the device is present in the database, the device is a corporate device.

I started by adding the MSSQL database as an authentication source to the ClearPass configuration. The customer created a dedicated SQL user with read-only access to the database. The MSSQL database is added in ClearPass under Configuration – Authentication – Sources. I added a source of the type “Generic SQL DB”.

The next step involves the creation of a proper SQL filter statement. I would like to have the Wi-Fi MAC address as output from the SQL filter. The following SQL filter is used for this (with special thanks to the customer, who had some more experience with SQL statements!):

SELECT LOWER(deviceproperty.value) AS mac_address
FROM deviceproperty
INNER JOIN device ON deviceproperty.deviceid = device.deviceid
WHERE deviceproperty.propertykey = 'Wi-Fi MAC address'
  AND device.managed = 'managed'
  AND deviceproperty.value = '%{Connection:Client-Mac-Address-NoDelim}';

I would like to use the MAC address as a string in the authentication/authorization process. In the end I will check if the MAC address in the RADIUS request matches a MAC address in the Sophos MDM database. The SQL filter is added in the Filter option within the Authentication Source, like in the image below. Just go to the Attributes tab and choose the option Add More Filters.

The Authentication Source is added to the appropriate Service as Authorization Source. I always add the Source first, before I start to configure some Roles and Role Mappings, because I would like to see which output I receive from the MSSQL database. There are two possible outcomes:

  1. The MAC address exists in the MSSQL database
  2. The MAC address doesn’t exist in the MSSQL database

If the MAC address exists in the MSSQL database, you will see the value of the MAC address in the Access Tracker.

As you can see the MAC address is listed without any delimiter. If the MAC address doesn’t exist in the database, the MAC address won’t be listed in the Access Tracker and you will see the following Alert Message.

Now that we know which information we receive in the Access Tracker during an authentication request, we can configure the correct Roles and Role Mappings. In this example I assign the Role [VDI Trusted] to the device when the MAC address of the device equals the MAC address in the MSSQL database.

The last step is easy. Just configure the appropriate Enforcement Policy and Profile to match the Role and set the correct attributes on the Wi-Fi or wired network.
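The lookup behind the two Access Tracker outcomes, as an added example that is not part of the original post or of ClearPass. SQLite stands in for MSSQL, the table contents are constructed, and the helper names (demo_db, no_delim, lookup) are hypothetical; the lowercase no-delimiter form of the client MAC is an assumption about what ClearPass substitutes.

```python
import re
import sqlite3

# Constructed stand-in for the two Sophos tables the filter joins. Only the
# columns named in the filter are modelled; every value is made up.
SCHEMA = """
CREATE TABLE device (deviceid INTEGER PRIMARY KEY, managed TEXT);
CREATE TABLE deviceproperty (deviceid INTEGER, propertykey TEXT, value TEXT);
INSERT INTO device VALUES (1, 'managed'), (2, 'unmanaged');
INSERT INTO deviceproperty VALUES
  (1, 'Wi-Fi MAC address', '0011223344AA'),
  (1, 'Model', 'constructed-phone'),
  (2, 'Wi-Fi MAC address', '0011223344BB');
"""

# The filter from the post. The %{...} variable becomes a bound parameter, and
# COLLATE NOCASE stands in for a case-insensitive MSSQL collation (assumption).
FILTER = """
SELECT LOWER(deviceproperty.value) AS mac_address
FROM deviceproperty
INNER JOIN device ON deviceproperty.deviceid = device.deviceid
WHERE deviceproperty.propertykey = 'Wi-Fi MAC address'
  AND device.managed = 'managed'
  AND deviceproperty.value = ? COLLATE NOCASE
"""

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def no_delim(mac: str) -> str:
    """Reduce a MAC in any common notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def lookup(conn: sqlite3.Connection, client_mac: str):
    """Return the stored MAC of a managed device, or None when no row matches."""
    row = conn.execute(FILTER, (no_delim(client_mac),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = demo_db()
    for mac in ("00-11-22-33-44-AA", "00:11:22:33:44:bb", "0011.2233.44cc"):
        print(mac, "->", lookup(db, mac) or "no row: not a managed device")
```

The second address is present in the table but belongs to an unmanaged device, so it returns no row, just like an address that is not in the database at all.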

Netstat on IOS router

I often use the netstat command on a Windows machine to check on which IP addresses and/or ports a server or workstation is listening or has established connections.

By accident I found the same kind of command for a Cisco IOS router, while I was looking through the CLI. Check out the output below:

Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23     10.10.8.181:3682                   Telnet ESTABLIS
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp              *:50015                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
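A way to turn this output into something you can check automatically, as an added example that is not part of the original post: it parses the table above and reports listeners that are not in an expected set, plus sessions from remote peers. The BASELINE set and the function names are hypothetical.

```python
import re

# Output copied from the post above.
SAMPLE = """\
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23     10.10.8.181:3682                   Telnet ESTABLIS
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp              *:50015                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
"""

# proto, local host:port, foreign host:port, service (may contain spaces), state
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(\S+)$")

# Hypothetical baseline of listeners this router is expected to expose.
BASELINE = {("tcp", 22), ("udp", 161), ("udp", 162)}

def parse_open_ports(text):
    """Turn the table into one dict per row, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, _, lport, fhost, fport, service, state = m.groups()
            rows.append({"proto": proto, "lport": int(lport), "fhost": fhost,
                         "fport": int(fport), "service": service, "state": state})
    return rows

def unexpected_listeners(rows, baseline=BASELINE):
    """LISTEN rows whose (protocol, port) pair is not in the baseline."""
    return sorted({(r["proto"], r["lport"], r["service"]) for r in rows
                   if r["state"] == "LISTEN"
                   and (r["proto"], r["lport"]) not in baseline})

def remote_peers(rows):
    """Rows with a real foreign address, i.e. sessions to the router itself."""
    return sorted({(r["fhost"], r["fport"], r["service"]) for r in rows
                   if r["fhost"] != "*"})

if __name__ == "__main__":
    rows = parse_open_ports(SAMPLE)
    for proto, port, service in unexpected_listeners(rows):
        print(f"unexpected listener: {proto}/{port} ({service})")
    for host, port, service in remote_peers(rows):
        print(f"session: {service} from {host}:{port}")
```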

IEEE 802.3x FlowControl between Cat3750E and Cat2960

I have a network with two Catalyst 3750E switch stacks, which are connected with a 2 x 10Gbps EtherChannel. Every stack facilitates a ring topology of approximately 10 to 15 Catalyst 2960 switches. Two of the 2960s are connected with 1Gbps links to a switch stack to create the ring topology. So let's say that 7 24-port Catalyst 2960 switches share a 1 Gbps link to the switch stack. With this customer, this won’t be any problem, because there are no heavy users and/or applications.

But let’s imagine that a link between a Catalyst 3750E and Catalyst 2960 switch or between two Catalyst 2960 switches is giving problems and the Catalyst 2960 cannot handle the incoming traffic. You need to find some way to slow down the traffic. I normally start thinking about the usage of IEEE 802.3x FlowControl.

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.

But after reading some documentation, FlowControl isn’t an option. When a link between both switches gets congested, the Catalyst 2960 would have to send a pause frame to the Catalyst 3750E, and that’s the problem.

Both the Catalyst 3750E and the Catalyst 2960 can only receive, but not send, pause frames. So configuring FlowControl between Catalyst 3750E and Catalyst 2960 is useless, because neither switch can inform the counterpart about the congested link.
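What the pause frame described above looks like on the wire, as an added example that is not part of the original post: it builds and parses an 802.3x PAUSE frame and converts its pause time into seconds for a given link speed. The constants come from the IEEE 802.3 MAC Control definition, the source MAC is constructed, and the parser only accepts the reserved multicast destination.

```python
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")  # reserved MAC Control multicast
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
QUANTUM_BITS = 512                          # one pause quantum = 512 bit times

def build_pause(src_mac: bytes, quanta: int) -> bytes:
    """Build a PAUSE frame (without FCS); quanta=0 tells the peer to resume."""
    if len(src_mac) != 6 or not 0 <= quanta <= 0xFFFF:
        raise ValueError("need a 6-byte MAC and a 16-bit pause time")
    frame = PAUSE_DST + src_mac + struct.pack(
        "!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    return frame.ljust(60, b"\x00")         # pad to the 60-byte minimum

def parse_pause(frame: bytes):
    """Return the pause time in quanta, or None if this is not a PAUSE frame."""
    if len(frame) < 18 or frame[:6] != PAUSE_DST:
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return quanta

def pause_seconds(quanta: int, link_bps: float) -> float:
    """How long the receiver of the frame stops sending on a link of link_bps."""
    return quanta * QUANTUM_BITS / link_bps

if __name__ == "__main__":
    src = bytes.fromhex("020000000001")     # constructed, locally administered
    frame = build_pause(src, 0xFFFF)
    q = parse_pause(frame)
    print(f"{len(frame)} bytes, pause_time={q} quanta, "
          f"{pause_seconds(q, 1e9) * 1000:.3f} ms on 1 Gbps")
```

Even the maximum pause time is only about 33.5 ms on a 1 Gbps link, so a congested port has to keep sending pause frames for as long as the congestion lasts.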