Security

Is there any way to send an email in an enforcement policy using the Clearpass internal email server?

I see the Sendgrid API solution, but that seems like a lot of work with an email server sitting right there.

 

Thanks.

 

No, you'd need to use an API-based mail service.

feature request!


#AirheadsMobile

There is an active feature request for this.

Maybe a little off topic but what is the new process for feature requests? I believe the old ideas page is dead. I would like to 1+ this request.

https://github.com/aruba/clearpass-exchange-snippets/tree/master/messaging/clearpass-smtp

 

That's cool! testing it now...

Can I add variables from the CPPM console to those XML alerts? Like device host name, IP address, etc.?

HI tim, 

 

Would there be native capability to call Variables from the request in this email?  

Yes, you can use parameterized variables.

Is there a list of those variables that I could find?

Anything you see in access tracker.

Right, I got that, but wasn't sure what the variable names will be. Is there a cheat sheet for that?

%{<NAME>}

Same as the rest of the product.</NAME>

Forgive me, but I haven't done that anywhere else in the product.  Would this be the correct formatting in this case?

 

Also, is there a guide for the available variables?  In the little documentation I saw, there wasn't many that were the same.  IP seemed to be the only one. 

 

Thanks for your help! 

That is correct.

There is no guide as it’s literally %{variable}

Hey, Has this been tested in 6.8? We have just taken the plunge and I cannot get the emails flowing.

 

As a side note on the attributes, do you need to mape the attributes into the content using the attributes table eg

"Attribute Name" User "Attribute Value" - %{Endpoint:Username} then in the content you can use %{User} to call the attribute.

 

That is theory on my side as i cannot get emails yet :)

It also seems that you can't have more than one SMTP profile.  Once I have two, the second never fires.  Two different services, and the one that is heirarchically first, fires; however, the latter does not.  Thoughts?

---

@gdam12886 wrote:

Maybe a little off topic but what is the new process for feature requests? I believe the old ideas page is dead. I would like to 1+ this request.

---

https://innovate.arubanetworks.com/

HOw do I get access to that?  Says authentication failed? 

 

Is that just the feature request site?  

 

https://innovate.arubanetworks.com/ is the feature request site

Can this also be used in combination with Oauth.

I am unable to get the Enforcement profile working (i see it is triggered by the access tracker). What is the best place to find additional logging?

 

Did anyone got this working in Clearpass 6.8.3? I cannot upload the XML anymore. Get an Error in processing this request.

 

So I opened the XML and manually created the enforcement profile (http based enforcement) and context server action. Added this to the policy.

 

The access tracker shows the enforcement profile is triggered but there is no mail arriving. I tested the mail settings with a test mail, using the same address as is set in de context server action and that mail is arriving.

 

exporting the created xml shows quite a difference with the provided one.

 

Any input?

 

thanks,

Erik

Are you referring to a Context Server Actions?

I can't say for XML. I do know that my 6.7 JSON Content did not work on 6.8. It transpired that it did not like any <CR> in the "message" field.

 

Also to debug put the CPG Administration-->PluginManager-->API Framework in to API Logging="Trace". The explicit calls will then be reported in the CPG Application Logs. This is VERY processor intensive - only enable within a test environment.

 

Hi Dmellor,

 

Yes I do. 

 

no <CR> in the message body. I changed back to the standard with just the  sent to mail address changed (and removed cc and bcc)

 

We're still in implementing stage so I changed the API Logging as suggested. Where would I access those logs? 

 

thanks,

Erik

Found how to collect the logging but the tar files are impossible to get grip on without some sort of tooling.

 

I expected the API logging to be in the ClearPassGuestLogs but that tar file is empty.......

 

Both SystemLogs and PolicyManagerLogs contain so much information that I need to be guided where to look.

 

I noticed that the endpoint context server localhost has Authentication Method set as Basic. The generic http context server actions has the Authentication Method set as None. 

 

rgds,

Erik

 

 

I did get it resolved but not a straight answer. Spent a couple of weeks with dev/support going through it on 6.8. I am pretty sure they have changed the mail config in the background in 6.8. Anyway they sent me XML files to import. Looked similar to what I was doing before, the only difference these worked. support would not tell me exactly what was different to the origional but suggest thats your next step. It can work, but it seems support want to keep it to themselves :)

I tested adding security and using api_user and api_key but no luck. I will open a case, see if they will help me :)

 

Thanks for the input,

 

rgds,

Erik

 

 

 

. TAC was not able to help out when I reported the issue in the 6.8.3 version but Mail thru an Enforcement Profile was working in 6.9.5 and you could find it as a default Context Server Action.

It no longer works in 6.10 (tested 6.10.1 and 6.10.2 I have created the exact same CSA from a working 6.9.6 version into 6.10.2 but no luck. ANyone got this working in 6.10 and willing to post the config here?

Regards, Erik

------------------------------
Erik Eckhardt
ACMX #1245, ACDX #968, ACCP, ACSP
------------------------------

Original Message:
Sent: Nov 04, 2019 03:49 PM
From: Jonathan Peck
Subject: Send email in enforcement policy?

I did get it resolved but not a straight answer. Spent a couple of weeks with dev/support going through it on 6.8. I am pretty sure they have changed the mail config in the background in 6.8. Anyway they sent me XML files to import. Looked similar to what I was doing before, the only difference these worked. support would not tell me exactly what was different to the origional but suggest thats your next step. It can work, but it seems support want to keep it to themselves :)

Hi.

 

I have tested in 6.8.3 and have it working and passing data from the client’s connection. 

This is my Configuration.

 

Endpoint Context Server Details

 

 

 

In the Content i used the Attributes that i set up in the image above.

I used '
' to create the line breaks in the email message

 

 

 

Enforcement Profile

 

 

 

I Attached the Enforcement Profile to one of my Policies and bounced one of the ports on my switches.

 

This is the Email Mail that I received when a device Connected to one of my Switches

 

 

 

Cheers

 

The Bald One

Thanks for the input Mr Bald.

 

I assume you kept the endpoint context server localhost default?

 

I received some input from TaC too, which looks exactly the same as what you provided but I don't see any difference with my setup. I may need to recheck some details.

 

For now this is on hold due to other commitments but I will be back on this project in Januari and will keep this thread updated with my findings.

 

rgds,

Erik

Hi Erike.

 

Yes that is correct i did keep the as localhost defaultCheers

 

The Bald One

Thanks for the screenshots, that gave me the last bit I was missing.

I'm getting the e-mail notices I was hoping for.

Hi Team,

I have done exactly the same in my configuration but i am unable to receive an email alert attach to the enforcement profile.  would you be able to help me in troubleshooting.  
Before the configuration i tested the email SMTP configuration and confirmed i am receiving email. 
Also my policy is correct and sending one enforcement profile to the device but don't see any email.

there is nothing to share with you because i followed the same step as above . Please help me if you don't mind.

------------------------------
Varun Sharma
------------------------------

Original Message:
Sent: Dec 03, 2019 05:42 PM
From: Matthew Sabin
Subject: Send email in enforcement policy?

Thanks for the screenshots, that gave me the last bit I was missing.

I'm getting the e-mail notices I was hoping for.

Please work with your Aruba partner or Aruba support if you need assistance in troubleshooting.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 26, 2021 01:32 AM
From: Varun Sharma
Subject: Send email in enforcement policy?

Hi Team,

I have done exactly the same in my configuration but i am unable to receive an email alert attach to the enforcement profile.  would you be able to help me in troubleshooting.  
Before the configuration i tested the email SMTP configuration and confirmed i am receiving email. 
Also my policy is correct and sending one enforcement profile to the device but don't see any email.

there is nothing to share with you because i followed the same step as above . Please help me if you don't mind.

------------------------------
Varun Sharma

Original Message:
Sent: Dec 03, 2019 05:42 PM
From: Matthew Sabin
Subject: Send email in enforcement policy?

Thanks for the screenshots, that gave me the last bit I was missing.

I'm getting the e-mail notices I was hoping for.

Hi Varun, Did you get this working?
Original Message:
Sent: Aug 26, 2021 01:32 AM
From: Varun Sharma
Subject: Send email in enforcement policy?

Hi Team,

I have done exactly the same in my configuration but i am unable to receive an email alert attach to the enforcement profile.  would you be able to help me in troubleshooting.  
Before the configuration i tested the email SMTP configuration and confirmed i am receiving email. 
Also my policy is correct and sending one enforcement profile to the device but don't see any email.

there is nothing to share with you because i followed the same step as above . Please help me if you don't mind.

------------------------------
Varun Sharma

Original Message:
Sent: Dec 03, 2019 05:42 PM
From: Matthew Sabin
Subject: Send email in enforcement policy?

Thanks for the screenshots, that gave me the last bit I was missing.

I'm getting the e-mail notices I was hoping for.

Original Message:
Sent: 6/13/2022 11:37:00 AM
From: magesh
Subject: RE: Send email in enforcement policy?

Hi Varun, Did you get this working?
Original Message:
Sent: Aug 26, 2021 01:32 AM
From: Varun Sharma
Subject: Send email in enforcement policy?

Hi Team,

I have done exactly the same in my configuration but i am unable to receive an email alert attach to the enforcement profile.  would you be able to help me in troubleshooting.  
Before the configuration i tested the email SMTP configuration and confirmed i am receiving email. 
Also my policy is correct and sending one enforcement profile to the device but don't see any email.

there is nothing to share with you because i followed the same step as above . Please help me if you don't mind.

------------------------------
Varun Sharma

Original Message:
Sent: Dec 03, 2019 05:42 PM
From: Matthew Sabin
Subject: Send email in enforcement policy?

Thanks for the screenshots, that gave me the last bit I was missing.

I'm getting the e-mail notices I was hoping for.