Overview
This article explains how to configure ClearPass to send emails using Google Mail (Gmail). There are several older articles in Airheads and beyond that explain the general process (see References at the end). Several years ago, using Gmail (with the modified port and access credentials) was just as easy as using a local SMTP relay still is. However, increasing security requirements from Google have made this more complex than it was in the past, including finding and loading multiple certificates.

Configure SMTP Server
This has not changed from previous years: Administration » External Servers » Messaging Setup
Gmail supports two options:
When you enable either SSL or StartTLS, one of the following messages will be displayed:
Both of these options work with this method. Note that the Google Account option "Allow less secure apps" needs to be ON. [An alternative option using an application password has also been tested with ClearPass, but I have not replicated that yet; it would allow the less secure apps to be turned OFF.]

Obtain Google Certificates
This should be easy, and for all but one of them, it is.
Google certificates are available from https://pki.goog/
Multiple CA certs are listed here. These are the three that worked in my environments.
The missing fourth cert required is the Gmail SMTP Server certificate. I used the following process to extract the Gmail SMTP cert:
openssl s_client -servername smtp.gmail.com -connect smtp.gmail.com:465 </dev/null | openssl x509 -text

Certificate Trust List
The four certificates must be added to the ClearPass Certificate Trust List and enabled (via Administration » Certificates » Trust List).
Click the certificate to see the details including dates.
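The server certificate extracted earlier has its own validity dates and will eventually be replaced, so it helps to compare what smtp.gmail.com presents now with the copy loaded into the Trust List. The script below is an added example, not part of the original article; the file names current.pem and loaded.pem and the 14-day warning window are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. File names are assumptions.
set -eu

# Print the leaf certificate an implicit-TLS server presents, as PEM.
# usage: fetch_leaf HOST PORT > current.pem
fetch_leaf() {
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate in $1 is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Compare the certificate the server presents now ($1) with the copy that was
# loaded into the trust list ($2). Prints one of: new, rotated, expiring, ok.
# $3 is the warning window in days (default 14, an arbitrary choice).
cert_status() {
  if [ ! -s "$2" ]; then
    echo new
  elif [ "$(cert_fp "$1")" != "$(cert_fp "$2")" ]; then
    echo rotated
  elif ! valid_for_days "$2" "${3:-14}"; then
    echo expiring
  else
    echo ok
  fi
}

# Only touches the network when called with two file names, e.g.
#   sh check_gmail_cert.sh current.pem loaded.pem
if [ "$#" -ge 2 ]; then
  fetch_leaf smtp.gmail.com 465 > "$1"
  openssl x509 -in "$1" -noout -subject -issuer -dates
  echo "sha256: $(cert_fp "$1")"
  echo "status: $(cert_status "$1" "$2")"
fi
```

A status of rotated means the freshly saved PEM should be imported and enabled in the Trust List before the old entry is disabled.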
You can have multiple SMTP certificates at once; you can disable or delete the old one after it is replaced.

Testing
For basic email testing, go back to Administration » External Servers » Messaging Setup and send a test email.
You can also check email results in Monitoring » Event Viewer.
The main reason for doing this in the first place was to generate automatic email receipts for visitors who register at an event. This is an example of the email sent by ClearPass after a visitor registered.

Troubleshooting

General Connectivity
This error indicates something is wrong with external connectivity, e.g. routing or DNS.
Test connectivity from the ClearPass CLI, logged in as appadmin:
network ping smtp.gmail.com

Google Account Blocked Access
Google had flagged a login attempt as suspicious and blocked access, including SMTP.
The Event Viewer had this error message:
Use the Google account management tools to unblock the account, and test again.

Firewall rules and settings
One or more generic firewall/UTM rules were causing problems with Google accounts, including this one used by ClearPass.

References
https://www.linkedin.com/pulse/how-use-gmail-smtp-server-aruba-clearpass-prashant-harnal/ - How to use Gmail as SMTP server on Aruba ClearPass (2016)
https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Gmail-as-SMTP-server-on-CPPM/ta-p/185226 - How to use Gmail as SMTP server on CPPM (2014)