Security

Reply
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Capalli,

Do you now if there any way to force the dialect back to V1 ?

Thank you for your patience.

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

We only negotiate on our side. You would have to disable SMBv2 and SMBv3 on the domain controller side.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Cappalli,

The protocol documents that a non-SMB3-capable (2.002 or 2.1) should respond to VALIDATE_NEGOTIATE_INFO request with a status error of STATUS_NOT_SUPPORTED or STATUS_INVALID_DEVICE_REQUEST, the same error as for any unsupported/non-allowed FSCTL. Windows Server 2008 (SMB 2.002) and Windows Server 2008 R2 (SMB 2.1) return STATUS_FILE_CLOSED, instead.

 

I am not and expert on AD but i understand the following.

CPPM proposes negotiation and then VALIDATE_NEGOTIATE_INFO.

After that i am getting exactly STATUS_FILE_CLOSED on my capture from AD side.

Based on that no negotiation would be possible on AD side.

Then what would be the next step if no negotiation is possible ?

Maybe that is why is failing ?

Thank you again


cappalli wrote:

We only negotiate on our side. You would have to disable SMBv2 and SMBv3 on the domain controller side.



Guru Elite

Re: Clearpass V6.6.2 SMB version supported

Based on the packet capture, it doesn't look like the DC is replying at all. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Cappalli,

I do really believe it is responding

I attached you the picture.

AD --> 161.131.193.10

CPPM-->10.252.255.251

Best regards

 

Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported


cappalli wrote:

Based on the packet capture, it doesn't look like the DC is replying at all. 



Cappalli,

I do really believe it is responding

I attached you the picture.

AD --> 161.131.193.10

CPPM-->10.252.255.251

Best regards

 

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

Please work with TAC. I don't have enough information about your environment.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

This is spreading like plaugue we have 6 customers with system down. We have cases open with TAC..if you find any workarounds do let us know.

Aruba Employee

Re: Clearpass V6.6.2 SMB version supported

Could you share TAC ticket details.

 

Regards,

Pavan

Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

Just to share with you.

We had the same issue and I found after the patch the SMB version negotiated switched from V1 to V2(CCPM to DC). That is in our environment and may change for you. 

SMBv2 works different than V1 and the traffic toward DC started to be blocked after the patch because now it is requiered high ports (49152 to 65535 ) from CCPM to DC. This caused the authentication to fail. After enabling the high port group everthing came back to normality again.

My suggestion is to check if there exists any firewall between CCPM and AD and find for possible dropped traffic.

I hope that helps you.

Kind regards

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: