Occasional Contributor II

Clearpass V6.6.2 SMB version supported

Hi,

 

Anyone got any ideas if Clearpass V.6.6.2 is supporting SMB V2 or SMB V3?

 

We tested disabling SMB V1 at the AD server and our Clearpass cannot join the AD server.

 

Thanks.

 

Aruba

Re: Clearpass V6.6.2 SMB version supported

When using MSCHAP-based authentication methods, SMBv1 to domain controllers is required.
Thank You,
Troy

Aruba Employee

Re: Clearpass V6.6.2 SMB version supported

SMBv1 is only required when MSCHAP-based authentication protocols are being used (username/password with PEAPv0/EAP-MSCHAPv2 as an example) and is only used between ClearPass and the domain controller(s). SMBv1 is not required on client devices for network authentication and should be disabled per Microsoft's recommendation.

 

Most workflows and authentication methods used in ClearPass do not require domain join (and thus do not require SMB).

 

Some examples include:

  • Modern certificate-based authentication via EAP-TLS
  • Captive portal workflows
  • Security Assertion Markup Language (SAML)
  • OAuth2
  • Cloud identity stores like Microsoft Azure Active Directory, Google G Suite, Ping and Okta Universal Directory

 

Any questions can be directed to aruba-sirt@hpe.com

 

 

ajc
New Contributor

Re: Clearpass V6.6.2 SMB version supported

Oh dear I hope they sort that soon. 

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

 

http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Cappalli,

We applied that patch on our CPPM cluster and right after it finished installing, our users lost the ability to log in using MSCHAP on our Active Directory solution. The service is configured with EAP-TLS/EAP-PEAP.

We tried using 6 different domain controllers with the same result.

Any clue what can be the issue?

We are working with an Aruba support engineer but we can't find the solution yet.

The output we get now is:

[appadmin@ACO-CLP-HPE01]# ad auth -u xxxx -n yyyy
Password:
NT_STATUS_IO_TIMEOUT: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

Any way to uninstall the rollover the patch?

I attached a packet capture so maybe you can help me.

Kind regards

 

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

A quick glance at the packet capture seems to show that the DC is not responding to the SMB negotiation, but please work with TAC.

 

This is your test server, correct?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Cappalli,

This is our production CPPM Cluster.

We had to redirect all requests from the Aruba WLC to an internal RADIUS solution so as to bypass ClearPass. Not a good thing..

The strange situation is the other RADIUS solution works perfectly and it is using the same AD servers and same credentials. I am sure it has something to do with the patch.

So just to understand, before the patch the SMB version was only 1. Now it could be 3, 2, 1?

Kind regards

 

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

Correct, the SMB dialect will be negotiated starting with the highest.

 

Did you see this issue in your test environment as well?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
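
To check which dialect a domain controller actually selected in a capture like the one discussed in this thread, the negotiate response can be decoded directly. This is an added example, not part of any forum post and not ClearPass code; the function names and sample bytes are constructed, and the field offsets follow the SMB2 header and NEGOTIATE response layout in MS-SMB2.

```python
import struct

# DialectRevision values from the SMB2 NEGOTIATE response (MS-SMB2).
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1",
    0x02FF: "SMB2 wildcard (second NEGOTIATE expected)",
}

def negotiated_dialect(tcp_payload: bytes) -> str:
    """Classify one server-to-client TCP/445 payload from a capture."""
    if len(tcp_payload) < 9:
        return "too short"
    msg = tcp_payload[4:]  # skip the 4-byte Direct TCP length prefix
    if msg[:4] == b"\xffSMB":
        # SMB1 header: command byte at offset 4, 0x72 = SMB_COM_NEGOTIATE
        return "SMB1 negotiate" if msg[4] == 0x72 else "SMB1 (other command)"
    if msg[:4] != b"\xfeSMB":
        return "not SMB"
    if len(msg) < 64:
        return "truncated SMB2 header"
    # SMB2 header: Status at offset 8 (4 bytes), Command at offset 12 (2 bytes)
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != 0x0000:
        return "SMB2 (not NEGOTIATE)"
    if status != 0:
        return f"SMB2 NEGOTIATE failed, NTSTATUS 0x{status:08x}"
    if len(msg) < 64 + 6:
        return "truncated NEGOTIATE response"
    # Response body: StructureSize, SecurityMode, then DialectRevision
    (dialect,) = struct.unpack_from("<H", msg, 64 + 4)
    return SMB2_DIALECTS.get(dialect, f"unknown dialect 0x{dialect:04x}")

def build_sample(dialect: int, status: int = 0) -> bytes:
    """Constructed SMB2 NEGOTIATE response: header plus first 6 body bytes."""
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, status, 0) + bytes(50)
    msg = header + struct.pack("<HHH", 65, 1, dialect)
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

if __name__ == "__main__":
    print(negotiated_dialect(build_sample(0x0311)))
    print(negotiated_dialect(b"\x00\x00\x00\x25\xffSMBr" + bytes(32)))
```

If the capture contains the client's negotiate request but no payload that this function classifies as a response, the server never answered the negotiation at all.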
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Nope,

Unfortunately, we just installed it on production via the GUI. We never thought the impact would be so high considering it was only a patch.

Kind regards


cappalli wrote:

Correct, the SMB dialect will be negotiated starting with the highest.

 

Did you see this issue in your test environment as well?


 

 

 

 
