Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

  • 1.  Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

    Posted Aug 28, 2023 08:29 PM

    As I understand it, if the DATA interface is configured on CPPM, it will interface and connect to services like LDAPS, SMTP delivery, AD joining, etc. It will also be the default interface to respond to RADIUS requests unless a request is specifically made to the MGMT port.

    We have a cluster of 2 CPPMs and we have decided to not use the DATA interface anymore (for all the reasons that it shouldn't have been configured in the first place) therefore we unconfigured them on PUB and SUB. This reset the default route back to the MGMT interface, all is well except...

    My AD auth sources are not behaving correctly, I get errors like invalid username/password (even though we have reset it on AD and retyped it on CPPM) or Error: Couldn't kickstart handshaking. 

    Both CPPMs are joined to the domain. 2 out of the 4 AD auth sources are working. The 2 that are working have a Bind DN that is not a UPN. The other two use an account. I have tested that account via the CLI using the "ad auth" command and it returns successful.

    Everything worked prior to the removal of the DATA interface obviously because that interface communicated to AD.

    Rebooting both CPPMs has not done anything. I have tried to reconfigure the AD Auth sources from scratch and have made sure the networking to get to those auth sources is correct. It discovers the netbios name but I can't search the Base DN. 

    We needed to add 2 more servers and those two are giving us that error: Error: Couldn't kickstart handshaking.

    Specifically.

    Unable to connect to the server.
    Error: Couldn't kickstart handshaking

    I am at a loss on how to resolve this... any ideas would be appreciated.



  • 2.  RE: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

    Posted Aug 29, 2023 02:28 AM

    Hello,

    How did you remove the DATA interface configuration?

    Via WEB GUI or via CLI?

    I had a similar problem when I removed the data port configuration via the web GUI. What I did to resolve the issue was to set the configuration again in the GUI and then go via the CLI to reset the interface configuration.

    Hope this helps.




  • 3.  RE: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

    Posted Aug 29, 2023 10:28 AM

    I removed it from the web UI.

    I also removed the 2 auth sources that did not work and reconfigured them and I was able to search the tree. Saved the configuration. 

    Went back in to see if I can surf it again and I get incorrect username/password... but on the CLI it works...

    [appadmin@RSWIFICPPM01]# ad auth -u clearpass -n 11CHARCHIPEL
    Password:
    NT_STATUS_OK: The operation completed successfully. (0x0)
    [appadmin@RSWIFICPPM01]#

    EDIT: version 6.11.1




  • 4.  RE: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

    MVP
    Posted Aug 29, 2023 02:26 PM

    Is this a physical server or a virtual machine? IIRC with VMs there could be an issue with which MAC address is the higher number. On my lab VMs I enable both interfaces and CPPM uses the one it prefers. I have never configured both interfaces.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

    Posted Aug 29, 2023 02:43 PM

    Just a long shot, but do any of the certs being used to communicate with your auth sources use the IP address that was assigned to the DATA port in the SAN field? Just looking for a connection between the DATA port and the certs/SSL, as that is usually where a failure to kick off handshaking would occur.




  • 6.  RE: Removal of CPPM DATA interface (unconfigured it) causing auth sources to stop functioning

    Posted Aug 30, 2023 09:13 AM

    I opened a case and it actually ended up sending an incorrect password in the bind request. We modified the source back to use cleartext port 389 so we could see what was being sent.

    Below is a pcap of the password it was sending. 


    The password was 16 characters long and only had an "!" at the end of it.

    We changed it to something simpler that would match the password policy set in AD.

    We were able to browse the tree finally. 

    Not sure why it was sending an incorrect password but that would need further investigation. 

    Changed the password to be 12 characters with a mix of alphanumeric and special characters and no issues.
    Maybe it didn't like the 16-character length?
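
The diagnostic step in the last post (temporarily binding over cleartext port 389 and reading the password out of the capture) can be done without eyeballing a packet dump. The following is an added example for this thread, not code from the original posts or from ClearPass: it decodes the BER-encoded LDAPv3 simple BindRequest that a client sends and compares the password actually on the wire with the one you configured. The service-account DN and the 16-character password ending in "!" are constructed placeholders; in a real investigation the PDU bytes are the TCP payload of the client's first LDAP packet in a port-389 capture (extracting that payload from a pcap is not shown here).

```python
"""Decode an LDAPv3 simple BindRequest (RFC 4511 section 4.2) and compare the
password on the wire with the configured one.

Added example for this thread; not code from the posts or from ClearPass.
The DN and password below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str                  # bind DN or UPN exactly as sent
    auth_type: str             # "simple" or "sasl"
    password: Optional[bytes]  # raw bytes for simple auth, None for SASL


def _read_len(buf: bytes, i: int):
    """Read a BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    i += 1
    if first < 0x80:                      # short form
        return first, i
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[i:i + n], "big"), i + n


def _read_tlv(buf: bytes, i: int):
    """Return (tag, value, index after the TLV) for the element at buf[i]."""
    tag = buf[i]
    length, i = _read_len(buf, i + 1)
    return tag, buf[i:i + length], i + length


def parse_bind_request(pdu: bytes) -> BindRequest:
    """Parse one LDAPMessage whose protocolOp is a BindRequest."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, i = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID INTEGER")
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = _read_tlv(body, i)
    if tag != 0x60:                       # [APPLICATION 0] BindRequest
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    tag, ver, j = _read_tlv(op, 0)
    version = int.from_bytes(ver, "big")
    tag, name, j = _read_tlv(op, j)
    tag, auth, _ = _read_tlv(op, j)
    if tag == 0x80:                       # AuthenticationChoice simple [0]
        return BindRequest(message_id, version, name.decode("utf-8"), "simple", auth)
    if tag == 0xA3:                       # AuthenticationChoice sasl [3]
        return BindRequest(message_id, version, name.decode("utf-8"), "sasl", None)
    raise ValueError(f"unexpected AuthenticationChoice tag 0x{tag:02x}")


def password_on_wire_matches(pdu: bytes, expected: str) -> bool:
    """True if the simple-bind password in pdu equals the configured one."""
    req = parse_bind_request(pdu)
    return req.auth_type == "simple" and req.password == expected.encode("utf-8")


# --- Encoder, used here only to construct a sample PDU for the demonstration ---

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Encode an LDAPv3 simple BindRequest the way a client would send it."""
    mid = message_id.to_bytes((message_id.bit_length() + 8) // 8, "big", signed=True)
    op = (_tlv(0x02, b"\x03")                       # version 3
          + _tlv(0x04, name.encode("utf-8"))        # LDAPDN
          + _tlv(0x80, password.encode("utf-8")))   # simple password
    return _tlv(0x30, _tlv(0x02, mid) + _tlv(0x60, op))


# Constructed sample (placeholder DN; 16-character password ending in "!").
SAMPLE_DN = "cn=clearpass,ou=svc,dc=example,dc=com"
SAMPLE_PASSWORD = "Svc4ccountPa55w!"
SAMPLE_PDU = build_simple_bind(1, SAMPLE_DN, SAMPLE_PASSWORD)

if __name__ == "__main__":
    req = parse_bind_request(SAMPLE_PDU)
    print(f"messageID={req.message_id} version={req.version} name={req.name!r}")
    print(f"password on wire: {req.password!r}")
    print("matches configured:", password_on_wire_matches(SAMPLE_PDU, SAMPLE_PASSWORD))
```

Comparing the raw bytes rather than a printed string matters here: the capture in the thread showed the wrong password being sent, and a byte-level comparison will also surface a trailing newline, a stray escape of the "!" or a non-UTF-8 encoding that a screenshot can hide. Once the cause is confirmed, switch the authentication source back to LDAPS (636) or StartTLS so the bind password is not sent in cleartext again.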