
Sending Emails from ClearPass with Gmail

Overview
This article explains how to configure ClearPass to send emails using Google Mail - Gmail. There are several older articles in Airheads and beyond that explain the general process (see References at the end). Several years ago, using Gmail (with the modified port and access credentials) was just as easy as using a local SMTP relay still is. However, increasing security requirements from Google have made this more complex than it was in the past, including finding and loading multiple certificates.

Configure SMTP Server
This has not changed from previous years: Administration » External Servers » Messaging Setup

 

CPPM+Gmail SMTP server.png

 

Gmail supports two options:

  • SSL on port 465
  • StartTLS on port 587

When you enable either SSL or StartTLS, one of the following messages will be displayed:

  • SMTP Server certificate must be imported to Trust List as SSL setting is enabled
  • SMTP Server certificate must be imported to Trust List as StartTLS setting is enabled

Both of these options work with this method. Note that the Google Account option "Allow less secure apps" needs to be ON. [An alternative option using an application password has also been tested with ClearPass, but I have not replicated that yet; it would allow the less secure apps to be turned OFF.]

Obtain Google Certificates
This should be easy, and for all but one of them, it is.

Google certificates are available from https://pki.goog/

CPPM+Gmail Google Trust Services.png

 

Multiple CA certs are listed here. These are the three that worked in my environments.

CPPM+Gmail Google CA certs.png

 

 

The missing fourth cert required is the Gmail SMTP Server certificate. I used the following process to extract the Gmail SMTP cert:

  1. Load openssl on your workstation.
    For Windows, see https://wiki.openssl.org/index.php/Binaries. There are several links from here; I used the pre-compiled executable "OpenSSL Binaries 1.0.2 Win32" from https://www.magsys.co.uk/delphi/magics.asp.
  2. Run this command:
    openssl s_client -servername smtp.gmail.com -connect smtp.gmail.com:465 | openssl x509 -text
    (Commands from https://mind-business.com/en/get-ssl-certificate-smtp-server-add-java-truststore/ )
  3. Verify the downloaded certificate is OK. You may have to disable antivirus software; my antivirus software intercepted the lookup and added its own self-signed cert into the chain (which doesn't work).
    CPPM+Gmail openssl cert download error.png

     

  4. Check the expiration date; they appear to be valid for 90 days only. That means this SMTP cert will need to be replaced on a regular basis. When checked on 23-May-18, it had these dates
    Not Before: May  8 14:40:26 2018 GMT
    Not After : Jul 31 13:27:00 2018 GMT
  5. Create a certificate file from the output, including the BEGIN and END lines into an appropriate file, eg "smtp.gmail.com-EXP20180731.crt".
    CPPM+Gmail SMTP cert.png
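
Steps 2 to 4 as a repeatable check, added here as an example (it is not part of the original article or of ClearPass). It fetches the leaf certificate, confirms it chains to the Google CAs rather than to an intercepting antivirus or proxy, and flags it when the 90-day validity is about to run out. The function names and the file google-cas.pem (the CA certs from https://pki.goog/ saved in PEM form and concatenated) are assumptions.

```sh
#!/bin/sh
# Added example: fetch, validate and age-check the Gmail SMTP leaf certificate.
# Assumption: google-cas.pem holds the pki.goog CA certificates in PEM form.

# Save the server certificate. Port 465 is implicit TLS; 587 needs STARTTLS first.
fetch_cert() {  # usage: fetch_cert HOST PORT OUTFILE
  if [ "$2" = "587" ]; then starttls="-starttls smtp"; else starttls=""; fi
  # $starttls is unquoted on purpose so it splits into two arguments
  openssl s_client -servername "$1" -connect "$1:$2" $starttls </dev/null 2>/dev/null |
    openssl x509 -out "$3"
}

# Confirm the saved leaf chains to the trusted CAs and names the SMTP host.
# A certificate injected by TLS-inspecting software fails the chain check.
check_cert() {  # usage: check_cert CERTFILE CAFILE HOST
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    { echo "chain not trusted"; return 1; }
  openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match" ||
    { echo "host mismatch"; return 1; }
  echo "ok"
}

# Succeeds (exit 0) when the certificate expires within DAYS days.
expires_within() {  # usage: expires_within CERTFILE DAYS
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Typical run: sh gmail-cert.sh smtp.gmail.com 465 google-cas.pem
if [ $# -eq 3 ]; then
  fetch_cert "$1" "$2" "$1.crt" || { echo "fetch failed"; exit 1; }
  check_cert "$1.crt" "$3" "$1" || exit 1
  if expires_within "$1.crt" 14; then
    echo "replace this certificate in the Trust List soon"
  fi
  openssl x509 -in "$1.crt" -noout -issuer -dates
fi
```

Only upload the .crt file to the Trust List after check_cert prints "ok"; the issuer and dates printed at the end are the values to compare against the ClearPass certificate details screen.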

Certificate Trust List
The four certificates must be added to the ClearPass Certificate Trust List and enabled (via Administration » Certificates » Trust List).

CPPM+Gmail add cert.png

 

CPPM+Gmail cert trust list.png


Click the certificate to see the details including dates.

CPPM+Gmail SMTP cert details.png

 

You can have multiple SMTP certificates at once; you can disable or delete the old one after it is replaced.

CPPM+Gmail cert trust list with 5.png

Testing
For basic email testing, go back to Administration » External Servers » Messaging Setup and send a test email.

CPPM+Gmail send test email.png

 

 

You can also check email results in Monitoring » Event Viewer

CPPM+Gmail email event details.png

The main reason for doing this in the first place was to generate automatic email receipts for visitors who register at an event. This is an example of the email sent by ClearPass after a visitor registered.

CPPM+Gmail example CPPM email.png

Troubleshooting
General Connectivity
This error indicates something is wrong with external connectivity, eg routing, DNS.

CPPM+Gmail email event error.png

Test connectivity from the ClearPass CLI, logged in as appadmin
network ping smtp.gmail.com

 

Google Account Blocked Access
Google had flagged a login attempt as suspicious and blocked access, including SMTP.

CPPM+Gmail sign in attempt blocked.png

 

 

The Event Viewer had this error message:
 CPPM+Gmail email event error 534.png
Use the Google account management tools to unblock the account, and test again.

Firewall rules and settings
One or more generic firewall/UTM rules were causing problems with Google accounts, including this one used by ClearPass.

CPPM+Gmail firewall errors.png

References
https://www.linkedin.com/pulse/how-use-gmail-smtp-server-aruba-clearpass-prashant-harnal/ - How to use Gmail as SMTP server on Aruba ClearPass (2016)
https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Gmail-as-SMTP-server-on-CPPM/ta-p/185226 - How to use Gmail as SMTP server on CPPM (2014)



Richard Litchfield, HPE Aruba
Network Solution Architect
Network Ambassador