Security

Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

At least in one of the reported cases CPPM and the DC are in the same VLAN, so that can't be the issue. When you say high ports, do you mean high source ports? I am assuming it still uses the same destination ports?

I am waiting for my colleague to update me on the TAC case numbers.

Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

It was from CPPM to AD. Destination ports. After the patch we saw a lot of new sessions trying to be established from ClearPass to the DC with destination ports (49152 to 65535). All of them dropped. After modifying the rule all worked again.

Best Regards


Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

Thanks... this is going to be fun. "Tell me the firewall rules you need for CPPM." "Yes, please allow some random ports." :)

Can someone from engineering actually tell us what was done to Samba to add support for v2/v3? Was it simply upgraded, or were specific changes made to smb.conf? So at least I can make sense of what's going on.

Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported


PAVAN wrote:

Could you share TAC ticket details.

Regards,

Pavan

Hi Pavan, the TAC case is 5322012059. Thanks

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

After opening the required ports for SMBv2/v3, is everything working for you now?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

Hi Tim,

OK, it seems like if the primary DNS server is down, CPPM doesn't fail over to the secondary. Also had to remove the firewall rules completely for things to work.

Can you guys please clarify what ports should be open between CPPM and AD? As previously pointed out, this seems to be the root of the problem: something has changed in terms of the required traffic that needs allowing.

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

Here is the list of required ports for Active Directory from the Microsoft knowledgebase.

https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

For us, adding the firewall rule as application-based instead of port-based solved the issue. One of the app services posted in this image contains the high ports I mentioned in my previous posts, which we didn't have in the old rule. If I am not wrong, it is ms-netlogon.

Regards

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

We'll be updating the release notes and user guide with a link to Microsoft's documentation for their implementation.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass V6.6.2 SMB version supported

@coremon

I ran into this issue this week as well. The customer had disabled LM / NTLM / SMBv1. It's not documented that NTLMv2 is supported with ClearPass, and I have requested this be updated as well.

It looks like the SMBv2 / SMBv3 patch changed the implementation of Samba, and now calls to AD require RPC_NETLOGON over 135/tcp. I would need to install a new instance of ClearPass without the SMBv2 / SMBv3 patch to determine exactly where the RPC call happens. When comparing to my FreeRADIUS Wireshark captures, the RPC calls appear to be happening over 445/tcp (SMB).

I was receiving the same timeout message as you stated as well in Access Tracker, and spent a few hours doing a review of exported debug logs between working and non-working. Nothing seemed to be out of the ordinary.

NT_STATUS_IO_TIMEOUT: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

Due to the strict firewall rules, we had 135/tcp open, although before updating to the SMBv2 / SMBv3 patch there were never any issues with authentication, even running on 6.6.7. I do know that MSCHAPv2 used an NTLM wrapper over Samba, and this was the legacy way of performing authentication with NTLM (Windows AD).

To my understanding on reviewing Samba, since the ntlm_auth binary doesn't support NTLMv2, it's required to make calls directly from Samba vs. using the MSCHAP NTLM wrapper. In trying to get a better understanding, I had attempted to recreate this in my lab with FreeRADIUS (what I typically use as a RADIUS server).

After I had disabled LM / NTLM / SMBv1 on my AD server, I tested with my FreeRADIUS server, and NTLM auth was failing in the debugs. This was due to FreeRADIUS not supporting NTLMv2 natively. I did find forums from 2012 from the Samba implementation saying that if I wanted to install from source code, I could change a couple of flags on a function and I should be able to get it to work. I'm not going to go to that extent to test, although this proved to me that NTLM was no longer being accepted by AD.

When I tested with the ClearPass patch 6.6.7 and SMBv2 / SMBv3, I was successful in passing EAP-PEAP (MSCHAPv2) info to AD.

I'm not sure exactly how this was implemented under the hood with ClearPass, although there is definitely a change in how Samba interacts with Active Directory after the patch is applied.

In my case, when you would see 135/tcp for the RPC_NETLOGON call in Wireshark, the AD server would reply with the high-end RPC port, and then when ClearPass would attempt to send traffic, TCP retransmits were observed.

In Access Tracker this is when you would see the NT_STATUS_IO_TIMEOUT error code. Depending on whether the customer has static RPC or dynamic, it's always easiest to just add the high-end range. You can never be sure if the customer will change those ports.

Justin Kwasnik | ACMX# 598 | ACCX# 638
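The failure pattern the thread describes (135/tcp and 445/tcp allowed, the Netlogon port handed back by the endpoint mapper dropped and retransmitted) is easy to miss when you only stare at a port-based rule. The following Python is an added example, not code from the thread or from Aruba: it walks dropped CPPM-to-DC connections from a hypothetical key=value firewall log (the log format, IP addresses and sample lines are constructed for this example), names the AD service behind each destination port using the Microsoft port list Tim linked above, and reports what the rule is missing, collapsing any hit inside the Windows Server 2008+ dynamic RPC range into the whole range, because the exact port differs per connection.

```python
import re
from collections import Counter

# Well-known ports a ClearPass node needs to reach on a domain controller,
# taken from Microsoft's Active Directory port requirements (linked earlier
# in the thread).
AD_SERVICE_PORTS = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 123): "NTP",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP ping (CLDAP)",
    ("tcp", 445): "SMB",
    ("tcp", 464): "Kerberos password change", ("udp", 464): "Kerberos password change",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog",
    ("tcp", 3269): "Global Catalog (SSL)",
}

# Default dynamic RPC range on Windows Server 2008 and later (older DCs used
# 1025-5000). The Netlogon RPC server listens on a port from this range, and
# the client learns which one by asking the endpoint mapper on 135/tcp.
DYNAMIC_RPC_RANGE = (49152, 65535)

# Hypothetical key=value firewall log format, constructed for this example.
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_dynamic_rpc(proto, dport):
    lo, hi = DYNAMIC_RPC_RANGE
    return proto == "tcp" and lo <= dport <= hi


def classify(proto, dport):
    """Name the AD service behind a destination port, or 'unknown'."""
    if (proto, dport) in AD_SERVICE_PORTS:
        return AD_SERVICE_PORTS[(proto, dport)]
    if is_dynamic_rpc(proto, dport):
        return "RPC dynamic port"
    return "unknown"


def parse(lines):
    """Yield (action, proto, src, sport, dst, dport) for lines matching LOG_RE."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            yield d["action"], d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"])


def cppm_to_dc_drops(lines, cppm_ip, dc_ips):
    """Keep only drops that originate at the ClearPass node and target a DC."""
    for rec in parse(lines):
        action, _proto, src, _sport, dst, _dport = rec
        if action == "drop" and src == cppm_ip and dst in dc_ips:
            yield rec


def dropped_services(lines, cppm_ip, dc_ips):
    """Count dropped CPPM->DC connections per AD service name."""
    counts = Counter()
    for _a, proto, _s, _sp, _d, dport in cppm_to_dc_drops(lines, cppm_ip, dc_ips):
        counts[classify(proto, dport)] += 1
    return dict(counts)


def required_rule(lines, cppm_ip, dc_ips):
    """Destinations missing from the CPPM->DC rule, as 'proto/port' or 'tcp/lo-hi'.

    A drop inside the dynamic range is reported as the whole range: the port is
    picked per connection by the endpoint mapper and will not be the same next time.
    """
    lo, hi = DYNAMIC_RPC_RANGE
    needed = set()
    for _a, proto, _s, _sp, _d, dport in cppm_to_dc_drops(lines, cppm_ip, dc_ips):
        needed.add(f"tcp/{lo}-{hi}" if is_dynamic_rpc(proto, dport) else f"{proto}/{dport}")
    return sorted(needed)


# Constructed sample: 10.1.1.10 is the ClearPass node, 10.1.2.5 and 10.1.2.6 are DCs.
# 445/tcp and 135/tcp pass, but the high port the endpoint mapper handed out is
# dropped (and retried), which is the symptom described in the thread.
SAMPLE_LOG = [
    "action=allow proto=tcp src=10.1.1.10:51801 dst=10.1.2.5:445",
    "action=allow proto=tcp src=10.1.1.10:51802 dst=10.1.2.5:135",
    "action=drop proto=tcp src=10.1.1.10:51803 dst=10.1.2.5:49670",
    "action=drop proto=tcp src=10.1.1.10:51803 dst=10.1.2.5:49670",
    "action=drop proto=tcp src=10.1.1.10:51805 dst=10.1.2.6:62104",
    "action=drop proto=udp src=10.1.1.10:40001 dst=10.1.2.5:88",
    "action=drop proto=tcp src=10.1.1.10:51806 dst=192.168.50.9:49700",  # not a DC
    "action=drop proto=tcp src=10.1.1.99:51807 dst=10.1.2.5:49680",      # not CPPM
]

if __name__ == "__main__":
    dcs = {"10.1.2.5", "10.1.2.6"}
    for service, n in sorted(dropped_services(SAMPLE_LOG, "10.1.1.10", dcs).items()):
        print(f"{n:3d} drops  {service}")
    print("add to CPPM->DC rule:", ", ".join(required_rule(SAMPLE_LOG, "10.1.1.10", dcs)))
```

If the DC has been pinned to a static Netlogon port, the drops will all land on that one port and the script will still report the full range; narrow the output by hand in that case, but as Justin notes, allowing the range is the safer default when you cannot control the DC configuration.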