Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass V6.6.2 SMB version supported

  • 1.  Clearpass V6.6.2 SMB version supported

    Posted May 16, 2017 10:06 PM

    Hi,

    Does anyone know whether ClearPass V6.6.2 supports SMB V2 or SMB V3?

    We tested disabling SMB V1 at the AD server and our ClearPass cannot join the AD server.


    Thanks.

     



  • 2.  RE: Clearpass V6.6.2 SMB version supported

    Posted May 16, 2017 10:15 PM
    When using MSCHAP-based authentication methods, SMBv1 to domain controllers is required.


  • 3.  RE: Clearpass V6.6.2 SMB version supported

    Posted May 17, 2017 09:45 AM

    SMBv1 is only required when MSCHAP-based authentication protocols are being used (username/password with PEAPv0/EAP-MSCHAPv2 as an example) and is only used between ClearPass and the domain controller(s). SMBv1 is not required on client devices for network authentication and should be disabled per Microsoft's recommendation.

     

    Most workflows and authentication methods used in ClearPass do not require domain join (and thus do not require SMB).

     

    Some examples include:

    • Modern certificate-based authentication via EAP-TLS
    • Captive portal workflows
    • Security Assertion Markup Language (SAML)
    • OAuth2
    • Cloud identity stores like Microsoft Azure Active Directory, Google G Suite, Ping and Okta Universal Directory

     

    Any questions can be directed to aruba-sirt@hpe.com

     

     



  • 4.  RE: Clearpass V6.6.2 SMB version supported

    Posted Jun 02, 2017 09:44 AM

    Oh dear, I hope they sort that soon.



  • 5.  RE: Clearpass V6.6.2 SMB version supported

    Posted Jul 26, 2017 04:50 PM

    Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

     

    http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873



  • 6.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 10:49 PM

    Cappalli,

    We applied that patch on our CPPM cluster and right after it finished installing our users lost the ability to log in using MSCHAP on our Active Directory solution. The service is configured with EAP-TLS/EAP-PEAP.

    We tried using 6 different domain controllers with the same result.

    Any clue what the issue could be?

    We are working with an Aruba support engineer but we can't find the solution yet.

    The output we get now is :

    [appadmin@ACO-CLP-HPE01]# ad auth -u xxxx -n yyyy
    Password:
    NT_STATUS_IO_TIMEOUT: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
    Any way to uninstall or roll back the patch?

    I attached a packet capture so maybe you can help me.

    Kind regards

     

    Attachment(s): packetdump.cap.zip (918K)


  • 7.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 11:06 PM

    A quick glance at the packet capture seems to show that the DC is not responding to the SMB negotiation, but please work with TAC.

     

    This is your test server, correct?



  • 8.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 11:25 PM

    Cappalli,

    This is our production CPPM Cluster.

    We had to redirect all requests from the Aruba WLC to an internal RADIUS solution so as to bypass ClearPass. Not a good thing.

    The strange situation is that the other RADIUS solution works perfectly and it is using the same AD servers and the same credentials. I am sure it has something to do with the patch.

    So just to understand, before the patch the SMB version was only 1. Now it could be 3, 2, 1?

    Kind regards

     



  • 9.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 11:31 PM

    Correct, the SMB dialect will be negotiated starting with the highest.

     

    Did you see this issue in your test environment as well?



  • 10.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 11:36 PM

    Nope,

    Unfortunately, we just installed it on production via the GUI. We never thought the impact would be so high considering it was only a patch.

    Kind regards


    @cappalli wrote:

    Correct, the SMB dialect will be negotiated starting with the highest.

     

    Did you see this issue in your test environment as well?





  • 11.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 11:47 PM

    Cappalli,

    Do you know if there is any way to force the dialect back to V1?

    Thank you for your patience.



  • 12.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 02, 2017 11:58 PM

    We only negotiate on our side. You would have to disable SMBv2 and SMBv3 on the domain controller side.



  • 13.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 03, 2017 12:06 AM

    Cappalli,

    The protocol documents that a non-SMB3-capable server (2.002 or 2.1) should respond to a VALIDATE_NEGOTIATE_INFO request with a status error of STATUS_NOT_SUPPORTED or STATUS_INVALID_DEVICE_REQUEST, the same error as for any unsupported/non-allowed FSCTL. Windows Server 2008 (SMB 2.002) and Windows Server 2008 R2 (SMB 2.1) return STATUS_FILE_CLOSED instead.

     

    I am not an expert on AD but I understand the following.

    CPPM proposes negotiation and then VALIDATE_NEGOTIATE_INFO.

    After that I am getting exactly STATUS_FILE_CLOSED on my capture from the AD side.

    Based on that, no negotiation would be possible on the AD side.

    Then what would be the next step if no negotiation is possible?

    Maybe that is why it is failing?

    Thank you again


    @cappalli wrote:

    We only negotiate on our side. You would have to disable SMBv2 and SMBv3 on the domain controller side.





  • 14.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 03, 2017 12:11 AM

    Based on the packet capture, it doesn't look like the DC is replying at all. 



  • 15.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 03, 2017 12:20 AM

    Cappalli,

    I do really believe it is responding.

    I attached the picture for you.

    AD --> 161.131.193.10

    CPPM-->10.252.255.251

    Best regards

     



  • 16.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 03, 2017 12:22 AM

    @cappalli wrote:

    Based on the packet capture, it doesn't look like the DC is replying at all. 



    Cappalli,

    I do really believe it is responding.

    I attached the picture for you.

    AD --> 161.131.193.10

    CPPM-->10.252.255.251

    Best regards

     



  • 17.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 03, 2017 12:40 AM

    Please work with TAC. I don't have enough information about your environment.



  • 18.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 10:45 AM

    This is spreading like plague; we have 6 customers with systems down. We have cases open with TAC. If you find any workarounds, do let us know.



  • 19.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 11:09 AM

    Could you share the TAC ticket details?

     

    Regards,

    Pavan



  • 20.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 03:54 PM

    @PAVAN wrote:

    Could you share the TAC ticket details?

     

    Regards,

    Pavan


    Hi Pavan, the TAC case is 5322012059. Thanks.



  • 21.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 10, 2017 07:35 AM

    After opening the required ports for SMBv2/v3, is everything working for you now?



  • 22.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 10, 2017 11:25 AM
    Hi Tim,

    OK, it seems that if the primary DNS server is down, CPPM doesn't fail over to the secondary. I also had to remove the firewall rules completely for things to work.

    Can you guys please clarify which ports should be open between CPPM and AD? As previously pointed out, this seems to be the root of the problem: something has changed in terms of the required traffic that needs allowing.


  • 23.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 10, 2017 11:28 AM
    Here is the list of required ports for Active Directory from the Microsoft knowledgebase.

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx


  • 24.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 10, 2017 11:32 AM

    For us, adding the firewall rule as application-based instead of port-based solved the issue. One of the app services shown in this image contains the high ports I mentioned in my previous posts, which we didn't have in the old rule. If I am not wrong, it is ms-netlogon.

    Regards

     



  • 25.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 10, 2017 11:46 AM

    We'll be updating the release notes and user guide with a link to Microsoft's documentation for their implementation.



  • 26.  RE: Clearpass V6.6.2 SMB version supported

    Posted Sep 22, 2017 10:12 AM

    @coremon

     

    I ran into this issue this week as well. The customer had disabled LM / NTLM / SMBv1. It's not documented that NTLMv2 is supported with ClearPass, and I have requested that this be updated as well.

     

    It looks like the SMBv2 / SMBv3 patch changed the implementation of Samba and now calls to AD require RPC_NETLOGON over 135/tcp. I would need to install a new instance of ClearPass without the SMBv2 / SMBv3 patch to determine exactly where the RPC call happens. When comparing to my FreeRADIUS Wireshark captures, the RPC calls appear to be happening over 445/tcp (SMB).

     

    I was receiving the same timeout message as you stated in Access Tracker as well, and spent a few hours doing a review of exported debug logs between working and non-working. Nothing seemed to be out of the ordinary.

     

    NT_STATUS_IO_TIMEOUT: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

     

    Due to the strict firewall rules, we had 135/tcp open, although before updating to the SMBv2 / SMBv3 patch there were never any issues with authentication, even running on 6.6.7. I do know that MSCHAPv2 used an NTLM wrapper over Samba, and this was the legacy way of performing authentication with NTLM (Windows AD).

     

    To my understanding on reviewing Samba, since the ntlm_auth binary doesn't support NTLMv2, it's required to make calls directly from Samba vs. using the MSCHAP NTLM wrapper. Trying to get a better understanding, I attempted to recreate this in my lab with FreeRADIUS (what I typically use as a RADIUS server).

     

    After I had disabled LM / NTLM / SMBv1 on my AD server, I tested with my FreeRADIUS server, and NTLM auth was failing in the debugs. This was due to FreeRADIUS not supporting NTLMv2 natively. I did find forums from 2012 from the Samba implementation saying that if I wanted to install from source code, I could change a couple of flags on a function and I should be able to get it to work. I'm not going to go to that extent to test, although this proved to me that NTLM was no longer being accepted by AD.

     

    When I tested with the ClearPass patch 6.6.7 and SMBv2 / SMBv3, I was successful in passing EAP-PEAP (MSCHAPv2) info to AD.

     

    I'm not sure exactly how this was implemented under the hood with ClearPass, although there is definitely a change in how Samba interacts with Active Directory after the patch is applied.

     

    In my case, when you would see 135/tcp for the RPC_NETLOGON call in Wireshark, the AD server would reply with the high-end RPC port, and then when ClearPass would attempt to send traffic, TCP retransmits were observed.

     

    In Access Tracker this is when you would see the NT_STATUS_IO_TIMEOUT error code. Depending on whether the customer has static RPC or dynamic, it's always easiest to just add the high-end range. You can never be sure if the customer will change those ports.

     



  • 27.  RE: Clearpass V6.6.2 SMB version supported

    Posted Sep 22, 2017 12:52 PM

    @coremon

     

    I was able to validate with Wireshark captures the process of how DCERPC took place both before and after the SMBv2 / SMBv3 patch.

     

    Before Patch

    - DCERPC was used with the NTLM wrapper inside the MSCHAP module by only connecting to 445/tcp.

     

    After Patch

    - DCERPC was used with 135/tcp and 49152-65535/tcp. 445/tcp is no longer performing DCERPC for the user authentication, and I'm not sure if the NTLM wrapper is needed anymore.

    - It seems that DCERPC is still used with 445/tcp when the domain services are restarted, although it doesn't appear to happen for user auth.

    - It seems that with SMBv1 both enabled and disabled, the same behavior takes place and DCERPC no longer happens over 445/tcp for the user.

     

     

    My baseline is only based on 4-5 Wireshark captures among 6.6.5 and 6.6.7 with the SMB patch. There could be some slight variances from what I listed above.

     

    I would love to still see the documentation by Aruba that NTLMv2 is supported now, along with documentation on how the DCERPC ports changed.



  • 28.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 11:24 AM

    Just to share with you.

    We had the same issue and I found that after the patch the SMB version negotiated switched from V1 to V2 (CPPM to DC). That is in our environment and may differ for you.

    SMBv2 works differently than V1, and the traffic toward the DC started to be blocked after the patch because now it requires high ports (49152 to 65535) from CPPM to the DC. This caused the authentication to fail. After enabling the high port group, everything came back to normal again.

    My suggestion is to check if there is any firewall between CPPM and AD and look for possible dropped traffic.

    I hope that helps you.

    Kind regards

     



  • 29.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 11:27 AM

    At least in 1 of the reported cases CPPM and the DC are in the same VLAN, so that can't be the issue. When you say high ports, do you mean high source ports? I am assuming it still uses the same destination ports?

     

    I am waiting for my colleague to update me on the TAC case numbers.



  • 30.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 11:33 AM

    It was from CPPM to AD. Destination ports. After the patch we saw a lot of new sessions trying to be established from ClearPass to the DC with destination ports (49152 to 65535). All of them dropped. After modifying the rule all worked again.

    Best Regards
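    The check posts 26 through 30 describe, as an added example that is not ClearPass, Aruba or Samba code: given a summary of a capture taken on the CPPM node, report every CPPM-to-DC SYN toward an AD port group (including the 135/tcp endpoint mapper and the 49152-65535 dynamic RPC range) that never received a SYN/ACK. The flow records, the CPPM address and the 192.0.2.10 DC address are constructed for the example.

```python
"""Spot ClearPass -> domain controller connections that never got an answer.

Added example, not ClearPass or Aruba code. The flow records are constructed
to imitate a capture summary taken on the CPPM node.
"""
from collections import defaultdict

# Port groups the thread names between CPPM and a DC after the SMBv2/v3 patch:
# SMB on 445, the RPC endpoint mapper on 135 and the dynamic RPC range
# 49152-65535. Kerberos and LDAP come from Microsoft's AD port list linked above.
AD_PORT_GROUPS = {
    "kerberos": range(88, 89),
    "ldap": range(389, 390),
    "smb": range(445, 446),
    "rpc-endpoint-mapper": range(135, 136),
    "rpc-dynamic": range(49152, 65536),
}

def port_group(port):
    """Name of the AD port group a DC-side port belongs to, or None."""
    for name, ports in AD_PORT_GROUPS.items():
        if port in ports:
            return name
    return None

def unanswered_ad_flows(records, cppm_ip, dc_ip):
    """records: (src_ip, src_port, dst_ip, dst_port, flags) tuples with flags
    'S' for a SYN and 'SA' for a SYN/ACK. Returns {group: [dc_port, ...]} for
    CPPM -> DC SYNs that never got a SYN/ACK; retransmits collapse to one entry."""
    pending = {}  # (cppm_port, dc_port) -> group, dropped once a SYN/ACK is seen
    for src, sport, dst, dport, flags in records:
        if src == cppm_ip and dst == dc_ip and flags == "S":
            group = port_group(dport)
            if group is not None:
                pending[(sport, dport)] = group
        elif src == dc_ip and dst == cppm_ip and flags == "SA":
            pending.pop((dport, sport), None)
    unanswered = defaultdict(list)
    for (_, dc_port), group in pending.items():
        unanswered[group].append(dc_port)
    return dict(unanswered)

# Constructed sample: SMB and the endpoint mapper answer, the dynamic RPC
# ports the mapper handed back are silently dropped (the thread's symptom).
CPPM, DC = "10.252.255.251", "192.0.2.10"
SAMPLE = [
    (CPPM, 40001, DC, 445, "S"), (DC, 445, CPPM, 40001, "SA"),
    (CPPM, 40002, DC, 135, "S"), (DC, 135, CPPM, 40002, "SA"),
    (CPPM, 40003, DC, 49670, "S"), (CPPM, 40003, DC, 49670, "S"),  # retransmit
    (CPPM, 40004, DC, 49671, "S"),
]

if __name__ == "__main__":
    for group, ports in unanswered_ad_flows(SAMPLE, CPPM, DC).items():
        print(f"no reply from DC for {group}: ports {sorted(set(ports))}")
```

    A non-empty "rpc-dynamic" entry with an answered "rpc-endpoint-mapper" is the signature of a firewall that still only allows the pre-patch 445/tcp path.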

     



  • 31.  RE: Clearpass V6.6.2 SMB version supported

    Posted Aug 09, 2017 11:36 AM

    Thanks. This is going to be fun. Tell me the firewall rules you need for CPPM: "Yes, please allow some random ports" :)

     

    Can someone from engineering actually tell us what was done to Samba to add support for v2/v3? Was it simply upgraded, or were specific changes made to smb.conf? At least then I can make sense of what's going on.