Security

Hi,

 

Anyone got any ideas if Clearpass V.6.6.2 is supporting SMB V2 or SMB V3?

 

We tested disabling SMB V1 at the AD server and our Clearpass cannot join the AD server.

 

Thanks.

 

When using MSCHAP-based authentication methods, SMBv1 to domain controllers is required.

SMBv1 is only required when MSCHAP-based authentication protocols are being used (username/password with PEAPv0/EAP-MSCHAPv2 as an example) and is only used between ClearPass and the domain controller(s). SMBv1 is not required on client devices for network authentication and should be disabled per Microsoft's recommendation.

 

Most workflows and authentication methods used in ClearPass do not require domain join (and thus do not require SMB).

 

Some examples include:

• Modern certificate-based authentication via EAP-TLS
• Captive portal workflows
• Security Assertion Markup Language (SAML)
• OAuth2
• Cloud identity stores like Microsoft Azure Active Directory, Google G Suite, Ping and Okta Universal Directory

 

Any questions can be directed to aruba-sirt@hpe.com

 

 

Oh dear I hope they sort that soon. 

Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

 

http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873

Cappalli,

We applied that patch on our CPPM cluster and right after it finished installing our users lost the ability to log in using mschap on our Active directory solution.The service is configured with EAP-TLS/EAP-PEAP.

We tried using 6 different domain controller with the same result.

Any clue what can be the issue ?

We are working with an Aruba support engineer but we can't find the solution yet.

The output we get now is :

[appadmin@ACO-CLP-HPE01]# ad auth -u xxxx -n yyyy
Password:
NT_STATUS_IO_TIMEOUT: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
Any way to uninstall the rollover the patch ?

I attached a packet capture so maybe you can help me.

Kind regards

 

A quick glance at the packet capture seems to show that the DC is not responding to the SMB negotiation, but please work with TAC.

 

This is your test server, correct?

Cappalli,

This is our production CPPM Cluster.

We had to redirect all request from Aruba WLC to an internal radius solution so as to bypass ClearPass. Not a good thing..

The strange situation is the other radius solution works perfect and it using the same AD servers and same credentials. I am sure it has something to do with the patch.

So just to understand , before patch SMB version was only 1. Now it could be 3,21 ?

Kind regards

 

Correct, the SMB dialect will be negotitated starting with the highest. 

 

Did you see this issue in your test environment as well?

Nop, 

Unfortunately , We just installed it on production via the GUI. We never thought the impact would be so high considering it was only a patch.

Kind regards

---

@cappalli wrote:

Correct, the SMB dialect will be negotitated starting with the highest. 

 

Did you see this issue in your test environment as well?

---

 

 

 

 

Capalli,

Do you now if there any way to force the dialect back to V1 ?

Thank you for your patience.

We only negotiate on our side. You would have to disable SMBv2 and SMBv3 on the domain controller side.

Cappalli,

The protocol documents that a non-SMB3-capable (2.002 or 2.1) should respond to VALIDATE_NEGOTIATE_INFO request with a status error of STATUS_NOT_SUPPORTED or STATUS_INVALID_DEVICE_REQUEST, the same error as for any unsupported/non-allowed FSCTL. Windows Server 2008 (SMB 2.002) and Windows Server 2008 R2 (SMB 2.1) return STATUS_FILE_CLOSED, instead.

 

I am not and expert on AD but i understand the following.

CPPM proposes negotiation and then VALIDATE_NEGOTIATE_INFO.

After that i am getting exactly STATUS_FILE_CLOSED on my capture from AD side.

Based on that no negotiation would be possible on AD side.

Then what would be the next step if no negotiation is possible ?

Maybe that is why is failing ?

Thank you again

---

@cappalli wrote:

We only negotiate on our side. You would have to disable SMBv2 and SMBv3 on the domain controller side.

---

Based on the packet capture, it doesn't look like the DC is replying at all. 

Cappalli,

I do really believe it is responding

I attached you the picture.

AD --> 161.131.193.10

CPPM-->10.252.255.251

Best regards

 

---

@cappalli wrote:

Based on the packet capture, it doesn't look like the DC is replying at all. 

---

Cappalli,

I do really believe it is responding

I attached you the picture.

AD --> 161.131.193.10

CPPM-->10.252.255.251

Best regards

 

Please work with TAC. I don't have enough information about your environment.

This is spreading like plaugue we have 6 customers with system down. We have cases open with TAC..if you find any workarounds do let us know.

Could you share TAC ticket details.

 

Regards,

Pavan

---

@PAVAN wrote:

Could you share TAC ticket details.

 

Regards,

Pavan

---

Hi Pavan the TAC case is 5322012059. Thanks

After opening the required ports for SMBv2/v3, is everything working for you now?

Hi Tim,

Ok it seems like if the primary DNS server is down cppm doesn't failover to the secondary. Also had to remove firewall rules completely for things to work.

Can you guys please clarify what ports should be open between cppm and AD as like previously pointed out this seems to be root of the problem something has changed in terms of required traffic that needs allowing.

Here is the list of required ports for Active Directory from the Microsoft knowledgebase.

https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

For us adding the firewall rule as application based instead port based solved the issue. One of the app service posted on this image contains the high ports i mentioned on my previous posts which we didn't have on the old rule. If i am not wrong it is ms-netlogon.

Regards

 

We'll be updating the release notes and user guide with a link to Microsoft's documentation for their implementation.

@coremon

 

I ran into this issue this week as well. Customer had disabled LM / NTLM / SMBv1. Its not documented that NTLMv2 is supported with clearpass, and I have requested this be udpated as well. 

 

It looks like the SMBv2 / SMBv3 patch changed the implementation of Samba and now calls to AD require RPC_NETLOGON over 135/tcp. I would need to install a new instance of clearpass without the SMBv2 / SMBv3 patch to determine exactly where the RPC call happens. When comparing to my freeradius wireshark captures, the RPC calls appear to be happening over 445/tcp (SMB). 

 

I was recieving the same Timeout Message as you stated as well in access tracker, and spent a few hours doing a review in exported debug logs between working and non-working. Nothign seemed to be out of the ordanary. 

 

NT_STATUS_IO_TIMEOUT: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

 

Due to the strict firewall rules, we had 135/tcp open, although before updating to SMBv2 / SMBv3 patch there were never any issues of authetnicaiton, even running on 6.6.7. I do know that mschapv2 used an ntlm wrapper over samba, and this was the legacy way of performing authetnicaiton with NTLM (windows AD). 

 

To my understanding on reviewing Samba, since the ntlm_auth binary doesn't support NTLMv2, its required to make calls directly from Samba vs using the mschap ntlm wrapper. Due to trying to get a better understanding, I had attempted to recreate this in my lab with freeradius (what I typically use as a radius server). 

 

After I had disabled LM / NTLM / SMBv1 on my AD server, I had tested with my freeradius server, and NTLM auth was failing in the debugs. This was due to freeradius not supporting NTLMv2 nativly. I did find forums from 2012 from the Samba Implementation that if I wanted to install from source code, I could change a couple flags on a function and I should be able to get it to work. Im not going to to go that extent to test, although this proved to me that NTLM was no longer being accepted by AD. 

 

When I tested with the clearpass patch 6.6.7 and SMBv2 / SMBv3, I was successful with passing EAP-PEAP (mschapv2) info to AD. 

 

Im not sure exactly how this was implemented under the hood with Clearpass, although there is deffiently a change on how samba interacts with Active Directory after the patch is applied. 

 

In my caes when you would see 135/tcp for the RPC_NETLOGON call in wireshark, the AD server would reply wiht the high end RPC port and then when clearpass would attempt to send traffic, TCP retransmits were observed. 

 

In access tracker this is when you would see the NT_STATUS_IO_TIMEOUT error code. Depending if the customer has static RPC or dynamic, its always easiest to just add the high end range. You can never be sure if customer will change those ports. 

 

@coremon

 

I was able to validate with wireshark captures the process on how DCERPC took place both before and after the SMBv2 / SMBv3 patch. 

 

Before Patch

- DCERPC was used with ntlm wrapper inside mschap module by only connecting to 445/tcp. 

 

After Patch

- DCERPC was used with 135/tcp and 49152-65535/tcp. 445/tcp is no longer performing DCERPC for the user authenticaiton, and im not sure if the ntlm wrapper is needed anymore. 

- It seems as DCERPC is still used with 445/tcp when the domain services are restarted, although it doesn't appear its happening for user auth.

- It seems for both SMBv1 enabled / disabled, the same behavior is taken place and DCERPC no longer happens over 445/tcp for the user. 

 

 

My baseline is only based on 4-5 wireshark captures amongst 6.6.5 and 6.6.7 with the SMB patch. There could be some slight variances from what I listed above. 

 

I would love to still see the doucmentation by aruba that NTLMv2 is supported now, along with docuemntation on how the DCERPC ports changed. 

Just to share with you.

We had the same issue and I found after the patch the SMB version negotiated switched from V1 to V2(CCPM to DC). That is in our environment and may change for you. 

SMBv2 works different than V1 and the traffic toward DC started to be blocked after the patch because now it is requiered high ports (49152 to 65535 ) from CCPM to DC. This caused the authentication to fail. After enabling the high port group everthing came back to normality again.

My suggestion is to check if there exists any firewall between CCPM and AD and find for possible dropped traffic.

I hope that helps you.

Kind regards

 

Atleast in 1 of the reported cases CPPM and the DC are in the same VLAN ..so that cant be the issue. When you say high ports you mean high source ports ? As I am assuming it still uses the same destination ports ? 

 

I am waiting for my colleagure to update me on the TAC case numbers

It was from CPPM to AD. Destination ports. After the patch we saw a lot of new session trying to be established from ClearPass to DC with destination ports (49152 to 65535 ). All of them dropped. After modifying the rule all worked again.

Best Regards

 

Thanks..this is going to be fun ..tell me the firewall rules you need for CPPM "Yes please allow some random ports" :)

 

Can someone from engineering actually tell us what was done to samba to add support for the v2/v3 was it simply upgraded or specific changes where done on smb.conf, so atleast I can make sense of whats going on.