AAA, NAC, Guest Access & BYOD

How to disable SSH access to the ClearPass server?
Requirement:

How to disable SSH access to the ClearPass server when a security compliance requirement calls for it?



Solution:

Starting with ClearPass server version 6.6.3, two new CLI commands let customers allow or deny specific ports on the ClearPass server in the inbound or outbound direction.

#show ports (To list all the ports and their status)

#configure port (To configure the port access)

 

With these commands, logged in to the CLI as appadmin, the SSH connection to the server can be disabled.

Syntax: configure port <direction> <protocol> <port> <action>
Where,
    direction -- Specify the access control rule direction. Allowed values are - input, output.
    protocol  -- Specify the access protocol. Allowed values are tcp, udp.
    port      -- Specify the port number within the range 1-65535.
    action    -- Rule to signify accept or reject action. Allowed values are accept, reject.

 



Configuration:

From the CLI through appadmin login,

Run the following command to see the status of port 22.

#show ports

Note: By default, SSH connections are enabled in all ClearPass server versions.

 

# show ports

==============================================================================
Port  | Protocol | State       | Process         | Input Rule  | Output Rule |
==============================================================================
22    | tcp      | LISTEN      | sshd            | ACCEPT      | Not Defined |
25    | tcp      | LISTEN      | master          | Not Defined | Not Defined |
80    | tcp      | LISTEN      | httpd           | ACCEPT      | Not Defined |
443   | tcp      | LISTEN      | httpd           | ACCEPT      | Not Defined |
1241  | tcp      | LISTEN      | nessusd         | Not Defined | Not Defined |
2812  | tcp      | LISTEN      | monit           | Not Defined | Not Defined |
4441  | tcp      | LISTEN      | policy_server   | Not Defined | Not Defined |
5432  | tcp      | LISTEN      | postmaster      | ACCEPT      | Not Defined |
6432  | tcp      | LISTEN      | pgbouncer       | Not Defined | Not Defined |
8015  | tcp      | LISTEN      | java            | Not Defined | Not Defined |
8019  | tcp      | LISTEN      | java            | Not Defined | Not Defined |
8081  | tcp      | LISTEN      | httpd           | Not Defined | Not Defined |
8090  | tcp      | LISTEN      | java            | Not Defined | Not Defined |
8100  | tcp      | LISTEN      | lighttpd        | Not Defined | Not Defined |
12345 | tcp      | LISTEN      | php             | Not Defined | Not Defined |
33341 | tcp      | ESTABLISHED | java            | Not Defined | Not Defined |
...

Run the following command to reject SSH connections on TCP port 22:

#configure port input tcp 22 reject

Stopping cpass-firewall. Revert to basic iptables config:  [  OK  ]
Stopping docker:                                           [  OK  ]
Starting cpass-firewall:                                   [  OK  ]
Starting docker:                                           [  OK  ]
 

Executing the above command blocks inbound SSH connection requests to the ClearPass server.

 



Verification

By default, SSH connections are enabled:

[appadmin@Janakiram]# show ports

==============================================================================
Port  | Protocol | State       | Process         | Input Rule  | Output Rule |
==============================================================================
22    | tcp      | LISTEN      | sshd            | ACCEPT      | Not Defined |
25    | tcp      | LISTEN      | master          | Not Defined | Not Defined |
80    | tcp      | LISTEN      | httpd           | ACCEPT      | Not Defined |

 

Run the following command to reject SSH connection requests to the server:

[appadmin@Janakiram]#configure port input tcp 22 reject

Stopping cpass-firewall. Revert to basic iptables config:  [  OK  ]
Stopping docker:                                           [  OK  ]
Starting cpass-firewall:                                   [  OK  ]
Starting docker:                                           [  OK  ]

 

To confirm, run the show ports command again:

[appadmin@Janakiram]# show ports

==============================================================================
Port  | Protocol | State       | Process         | Input Rule  | Output Rule |
==============================================================================
22    | tcp      | LISTEN      | sshd            | DROP        | ACCEPT      |
25    | tcp      | LISTEN      | master          | Not Defined | Not Defined |
80    | tcp      | LISTEN      | httpd           | ACCEPT      | Not Defined |
199   | tcp      | LISTEN      | snmpd           | Not Defined | Not Defined |
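The following audit helper is an added example; it is not code from the article or from Aruba. It parses the show ports table format shown above and reports whether every TCP listener on port 22 carries a blocking Input Rule (DROP or REJECT), lists listeners whose Input Rule is still Not Defined, and builds a configure port command line while validating each argument against the syntax given in the Solution section. The two sample tables are reconstructed from the article's output; the function names are assumptions made for this example.

```python
"""Audit helper for ClearPass `show ports` output (added example, not Aruba's own code)."""
from dataclasses import dataclass
from typing import List

# Sample `show ports` output before and after the change, reconstructed
# for this example from the tables in the article.
SAMPLE_BEFORE = """\
==============================================================================
Port  | Protocol | State       | Process         | Input Rule  | Output Rule |
==============================================================================
22    | tcp      | LISTEN      | sshd            | ACCEPT      | Not Defined |
25    | tcp      | LISTEN      | master          | Not Defined | Not Defined |
80    | tcp      | LISTEN      | httpd           | ACCEPT      | Not Defined |
...
"""

SAMPLE_AFTER = """\
==============================================================================
Port  | Protocol | State       | Process         | Input Rule  | Output Rule |
==============================================================================
22    | tcp      | LISTEN      | sshd            | DROP        | ACCEPT      |
25    | tcp      | LISTEN      | master          | Not Defined | Not Defined |
80    | tcp      | LISTEN      | httpd           | ACCEPT      | Not Defined |
199   | tcp      | LISTEN      | snmpd           | Not Defined | Not Defined |
"""

BLOCKING_RULES = {"DROP", "REJECT"}

# Allowed values from the documented `configure port` syntax.
VALID_DIRECTIONS = {"input", "output"}
VALID_PROTOCOLS = {"tcp", "udp"}
VALID_ACTIONS = {"accept", "reject"}


@dataclass
class PortRow:
    port: int
    protocol: str
    state: str
    process: str
    input_rule: str
    output_rule: str


def parse_show_ports(text: str) -> List[PortRow]:
    """Parse the pipe-delimited `show ports` table into PortRow records."""
    rows: List[PortRow] = []
    for line in text.splitlines():
        line = line.strip()
        # Skip separators, the header row, blank lines and the "..." truncation marker.
        if not line or line.startswith("=") or line.startswith("Port") or line == "...":
            continue
        cells = [c.strip() for c in line.split("|")]
        if cells and cells[-1] == "":      # each row ends with a trailing "|"
            cells = cells[:-1]
        if len(cells) != 6 or not cells[0].isdigit():
            continue                         # not a data row
        rows.append(PortRow(int(cells[0]), cells[1].lower(), cells[2], cells[3],
                            cells[4].upper(), cells[5].upper()))
    return rows


def audit_ssh(rows: List[PortRow], port: int = 22) -> str:
    """Return "blocked", "open" or "not-listening" for inbound TCP on `port`."""
    listeners = [r for r in rows if r.port == port and r.protocol == "tcp"]
    if not listeners:
        return "not-listening"
    return "blocked" if all(r.input_rule in BLOCKING_RULES for r in listeners) else "open"


def undefined_input_rules(rows: List[PortRow]) -> List[int]:
    """Ports that are listening but have no explicit input rule configured."""
    return [r.port for r in rows if r.state == "LISTEN" and r.input_rule == "NOT DEFINED"]


def build_configure_port(direction: str, protocol: str, port: int, action: str) -> str:
    """Build a `configure port` line, rejecting values outside the documented syntax."""
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(VALID_DIRECTIONS)}")
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(VALID_PROTOCOLS)}")
    if not 1 <= port <= 65535:
        raise ValueError("port must be within 1-65535")
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {sorted(VALID_ACTIONS)}")
    return f"configure port {direction} {protocol} {port} {action}"


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        rows = parse_show_ports(sample)
        print(f"{label}: ssh={audit_ssh(rows)} undefined={undefined_input_rules(rows)}")
    print(build_configure_port("input", "tcp", 22, "reject"))
```

Feed the script the saved output of show ports from a compliance check; a result of "open" for port 22 means the reject rule is missing, and the undefined list shows which other listeners have no explicit input rule yet.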
 

Version history: revision 2 of 2, last update 03-07-2017 09:09 AM