Security

last person joined: 32 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Downloadable User Roles CPPM and Aruba 2930F

Jump to Best Answer
  • 1.  Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 06, 2018 04:48 AM

    Having some problems getting DUR working between clearspass 6.7.1 and a 2930F switch running 16.5.4. Sat all yesterday with HP engineer who had everything set up in his lab at home with multiple configs that all worked whe running cppm 6.6.8 and 2930 16.4.x code

     

    We got local profiles working with clearpass passing back the name of the local profile to use. We then tried downloading same profile from cppm and never managed to get it working.

     

    local roles are 

    xb-as-2930-1(eth-1/11)# sh user-role
    Downloaded user roles are preceded by *

    User Roles

    Enabled : Yes
    Initial Role : mydefault-role

    Type Name
    ---------- ------------------------------------------------------
    local VOIP
    predefined denyall
    local roaming
    local mydefault-role

     

    macauth of a chromecast device against clearpas tries to use a downloadable role but fails and uses the local mydelault-role instead.

     

    With debugging turned on we see

     

    0006:18:31:41.03 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0006:18:31:41.03 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0006:18:31:41.03 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0006:18:31:41.06 MAC mWebAuth:Failed to apply user role dup3518-3120-14_7Z4q to
    macAuth client B827EB63DF46 on port 1/11: user role is invalid.
    0006:18:31:41.06 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 [2324] assigned
    role 'dup3518-3120-14_7Z4q' failed, attempting to apply initial role.
    0006:18:31:41.06 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 RADIUS Attributes,
    vid: 237.
    0006:18:31:41.07 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 [2324] client
    accepted with role 'mydefault-role'.
    0006:18:31:41.07 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 reauthentication
    timeout 28800 seconds.
    0006:18:31:41.07 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 client successfully
    placed into vid: 237.
    W 03/06/18 09:39:20 05620 dca: ST1-CMDR: macAuth client B827EB63DF46 on port
    1/11 assigned to initial role as downloading failed for user role
    dup3518-3120-14.

     

    The clearpass enforcement profile we;re trying to use is shown below, but the switch never seems toi be able to download it. Wondering if the crypt messages shown might have something to do with it.

     

    Also, strangely enough even though the seitch and cppm are configured for CoA on cleaerpass I never get the option to invoke a CoA c=ommand against this switch. We're using radius to authenticate devids and users o.k. against cppm so i know clearpass is set up correctly a is the switch

    Name Value
    1.Radius:Hewlett-Packard-EnterpriseHPE-CPPM-Role=

    aaa authorization user-role name "fred"
    policy "PERMIT-ALL"
    vlan roaming_vlan

     

    Someone else mentioned it might be the vlan ( tried vlan-name ... as well) statement. Doesn't matter if i remvoe the vlan statement  completely , still doesn't work.

     

    Knmow I;ve got the root and intermediate certs used by cppm on the switch

     

    xb-as-2930-1(eth-1/11)# sh crypto pki ta-
    Profile Name Profile Status CRL Configured OCSP Configured
    --------------- ------------------------------ --------------- ---------------
    IDEVID_ROOT Root Certificate Installed
    COMODO_CA Root Certificate Installed No No
    GEOTRUST_CA Root Certificate Installed No No
    ARUBA_CA Root Certificate Installed No No
    ClearP-X-B Root Certificate Installed No No
    ADDTRUST Root Certificate Installed No No

     

    Note:- Added the ADDTRUST one before I notivced the COMODO_CA  had the same cert in there

    anyone got DUR worknig on 6.7.1/16.5.4 ?

     

    Rgds

    Alex



  • 2.  RE: Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 07, 2018 11:42 AM

    Yes, I have this implemented with ClearPass 6.7.1 and WC.16.05.0004 on the switch.

     

    From the logs, I can't conclude differently than that the root CA for your ClearPass certificate has not been uploaded correctly to the switch.

     

    Did you follow the steps from http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161 ?

     

    What I found useful is to browse to ClearPass on HTTPS, then inspect the certificate there, go into the chain, select the root, and use the middle tab (Windows) to save it to a file (Base64). In that case, you have the correct root for sure.



  • 3.  RE: Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 08, 2018 06:09 AM

    o.k. so just to make sure,

    went to clearpass, certificet trust store and downlpoaded the intemediate cert from there. Also downloaded the root CA as well. Copied them into my tftp server

     

    Copied the intermediate into ClearP-X-B

    to check

    sh crypto pki ta-profile ClearP-X-B

    gives 
    Profile Name Profile Status CRL Configured OCSP Configured
    --------------- ------------------------------ --------------- ---------------
    ClearP-X-B 1 certificate installed No No

    Trust Anchor:
    Version: 3 (0x2)
    Serial Number:
    2f:21:28:08:15:d6:ed:d8:f9:3e:63:a0:f6:29:e7:40
    Signature Algorithm: sha256withRSAEncryption
    Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Validity
    Not Before: Dec 22 00:00:00 2014 GMT
    Not After : May 30 10:48:38 2020 GMT
    Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation Secure Server CA
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):

     

    However the cert store doesn't actually have the AddTrust  root CA there that this cert chais to so created 

     

    crypto pki ta-profile ADDTRUST_CA

     

    and uploaded the root cert into it, then did

    sh crypto pki ta-profile ADDTRUST_CA
    Profile Name Profile Status CRL Configured OCSP Configured
    --------------- ------------------------------ --------------- ---------------
    ADDTRUST_CA 1 certificate installed No No

    Trust Anchor:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1withRSAEncryption
    Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Validity
    Not Before: May 30 10:48:38 2000 GMT
    Not After : May 30 10:48:38 2020 GMT
    Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

     

    Power cycled the device and still get 

    certificate against.
    0001:20:52:12.18 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0001:20:52:12.54 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0001:20:52:12.54 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0001:20:52:12.56 MAC mWebAuth:Failed to apply user role dup35182-3121-2_7Z4q to
    macAuth client B827EB63DF46 on port 2/11: user role is invalid.
    0001:20:52:12.56 MAC mWebAuth:Port: 2/11 MAC: b827eb-63df46 [22] assigned role
    'dup35182-3121-2_7Z4q' failed, attempting to apply initial role.

     

     



  • 4.  RE: Downloadable User Roles CPPM and Aruba 2930F
    Best Answer

    Posted Mar 09, 2018 05:23 AM

    Sigh!

     

    Look at the error log and when it says unable to fine root certificat to validage against ... it really does mean that.

     

    Sorted ... when downloading the cert to install on the switch, it helps if you don;t use the intermediate CA from the RADIUS service but the one from the HTTPS service.

     

    Strangely enough once I'd downloaded that one everything worked ....

     

    Now have 

     

    class ipv4 "IP-ANY-ANY"

    10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    exit

     

    policy user "PERMIT-ALL"

    10 class ipv4 "IP-ANY-ANY" action permit

    exit

     

    aaa authorization user-role name "roaming_dup”

    policy "PERMIT-ALL"

    reauth-period 28800

    vlan-name "roaming_vlan"

    exit

     

    working from Clearpass to 2930M switch stack ... just before I wiped th estach config and started again!

     

    Alex



  • 5.  RE: Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 09, 2018 06:11 AM

    ...