Overview
This article explains how to configure ClearPass to send emails using Google Mail (Gmail). There are several older articles in Airheads and beyond that explain the general process (see References at the end). Several years ago, using Gmail (with the modified port and access credentials) was just as easy as using a local SMTP relay still is. However, increasing security requirements from Google have made this more complex than it was in the past, including finding and loading multiple certificates.
Configure SMTP Server
This has not changed from previous years: Administration » External Servers » Messaging Setup
![CPPM+Gmail SMTP server.png CPPM+Gmail SMTP server.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_5b8d9aec69a348d89953c5c80c1559f0)
Gmail supports two options:
- SSL on port 465
- StartTLS on port 587
When you enable either SSL or StartTLS, one of the following messages will be displayed:
- SMTP Server certificate must be imported to Trust List as SSL setting is enabled
- SMTP Server certificate must be imported to Trust List as StartTLS setting is enabled
Both of these options work with this method. Note that the Google Account option "Allow less secure apps" needs to be ON. [An alternative option using an application password has also been tested with ClearPass, but I have not replicated that yet; it would allow the less secure apps to be turned OFF.]
Obtain Google Certificates
This should be easy, and for all but one of them, it is.
Google certificates are available from https://pki.goog/ ![CPPM+Gmail Google Trust Services.png CPPM+Gmail Google Trust Services.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_33dec3625e7a43d4807b3388d469b200)
Multiple CA certs are listed here. These are the three that worked in my environments.![CPPM+Gmail Google CA certs.png CPPM+Gmail Google CA certs.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_fa3f89d70ef247bf9be1228c7478ad54)
The missing fourth cert required is the Gmail SMTP Server certificate. I used the following process to extract the Gmail SMTP cert:
- Load openssl on your workstation. For Windows, see https://wiki.openssl.org/index.php/Binaries. There are several links from here; I used the pre-compiled executable "OpenSSL Binaries 1.0.2 Win32" from https://www.magsys.co.uk/delphi/magics.asp.
- Run this command:
  openssl s_client -servername smtp.gmail.com -connect smtp.gmail.com:465 | openssl x509 -text
  (Commands from https://mind-business.com/en/get-ssl-certificate-smtp-server-add-java-truststore/ )
- Verify the downloaded certificate is OK. You may have to disable antivirus software; my antivirus software intercepted the lookup and added its own self-signed cert into the chain (which doesn't work).
![CPPM+Gmail openssl cert download error.png CPPM+Gmail openssl cert download error.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_c19a187ea59d4f259e6a519082633980)
- Check the expiration date; they appear to be valid for 90 days only. That means this SMTP cert will need to be replaced on a regular basis. When checked on 23-May-18, it had these dates:
  Not Before: May 8 14:40:26 2018 GMT
  Not After : Jul 31 13:27:00 2018 GMT
- Create a certificate file from the output, including the BEGIN and END lines, in an appropriately named file, e.g. "smtp.gmail.com-EXP20180731.crt".
![CPPM+Gmail SMTP cert.png CPPM+Gmail SMTP cert.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_829e827d0ba648aface3278fd013c810)
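The verification, expiry and file-naming steps above can be scripted against the saved openssl output. This is an added example, not part of the original article or of ClearPass; the function name `inspect`, the expected issuer substring "Google" and the sample text (built from the dates quoted above, with a placeholder issuer and PEM body) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -text` output: the dates are the ones quoted
# in the article; the issuer and PEM body are placeholders, not a real certificate.
SAMPLE = """\
Certificate:
        Issuer: C=US, O=Google Trust Services, CN=Constructed Issuing CA
        Validity
            Not Before: May  8 14:40:26 2018 GMT
            Not After : Jul 31 13:27:00 2018 GMT
        Subject: CN=smtp.gmail.com
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""

def _field(text, label):
    # First "<label> : value" line in the text dump.
    m = re.search(rf"^\s*{label}\s*:\s*(.+)$", text, re.M)
    if not m:
        raise ValueError(f"{label!r} not found in openssl output")
    return m.group(1).strip()

def _date(value):
    # openssl pads single-digit days with a second space; collapse it first.
    parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def inspect(text, host="smtp.gmail.com", expected_issuer="Google", now=None):
    """Run the checks from the steps above on one openssl text dump."""
    now = now or datetime.now(timezone.utc)
    not_after = _date(_field(text, "Not After"))
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    if not pem:
        raise ValueError("no PEM block in openssl output")
    return {
        # False when something on the path (e.g. antivirus TLS inspection) re-signed the cert.
        "issuer_ok": expected_issuer in _field(text, "Issuer"),
        "host_ok": host in _field(text, "Subject"),
        "days_left": (not_after - now).days,
        "filename": f"{host}-EXP{not_after:%Y%m%d}.crt",
        "pem": pem.group(0) + "\n",  # contents to save under "filename"
    }

if __name__ == "__main__":
    r = inspect(SAMPLE, now=datetime(2018, 5, 23, tzinfo=timezone.utc))
    print(r["filename"], r["days_left"], "days left; issuer ok:", r["issuer_ok"])
```

Running it on a schedule against fresh openssl output gives early warning before the copy in the Trust List expires.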
Certificate Trust List
The four certificates must be added to the ClearPass Certificate Trust List and enabled (via Administration » Certificates » Trust List).
![CPPM+Gmail add cert.png CPPM+Gmail add cert.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_39127ba6650c42fdac6e53a1ae402f4b)
![CPPM+Gmail cert trust list.png CPPM+Gmail cert trust list.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_3e5522c6cb074987ad2c0230c3f502e6)
Click the certificate to see the details including dates.![CPPM+Gmail SMTP cert details.png CPPM+Gmail SMTP cert details.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_ca3844de69fa41fdaaa3a422bb19b76e)
You can have multiple SMTP certificates at once; you can disable or delete the old one after it is replaced.![CPPM+Gmail cert trust list with 5.png CPPM+Gmail cert trust list with 5.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_56e0e9d292ce457da2ed76dd588c5f69)
Testing
For basic email testing, go back to Administration » External Servers » Messaging Setup and send a test email.
![CPPM+Gmail send test email.png CPPM+Gmail send test email.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_a661beb920e04c32a394efe032e2860c)
You can also check email results in Monitoring » Event Viewer![CPPM+Gmail email event details.png CPPM+Gmail email event details.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_d464a8f97c414d2fb6b90737271b0a80)
The main reason for doing this in the first place was to generate automatic email receipts for visitors who register at an event. This is an example of the email sent by ClearPass after a visitor registered.
![CPPM+Gmail example CPPM email.png CPPM+Gmail example CPPM email.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_8e5faac8d1b24372a6e1137f9e72c0fe)
Troubleshooting
General Connectivity
This error indicates something is wrong with external connectivity, eg routing, DNS.![CPPM+Gmail email event error.png CPPM+Gmail email event error.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_b0cadf6be12b49f9a62e1726ac3d96a0)
Test connectivity from the ClearPass CLI, logged in as appadmin:
network ping smtp.gmail.com
Google Account Blocked Access
Google had flagged a login attempt as suspicious and blocked access, including SMTP.![CPPM+Gmail sign in attempt blocked.png CPPM+Gmail sign in attempt blocked.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_c7ee1423611a479899872ab72f67ac6a)
The Event Viewer had this error message:
![CPPM+Gmail email event error 534.png CPPM+Gmail email event error 534.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_90732243313646afb04c44bdf72cdc54)
Use the Google account management tools to unblock the account, and test again.
Firewall rules and settings
One or more generic firewall/UTM rules were causing problems with Google accounts, including this one used by ClearPass.
![CPPM+Gmail firewall errors.png CPPM+Gmail firewall errors.png](https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedInlineFiles/d3aeebae9c6340249f467fcb86c82dda_952f6d09844445e39db387d627464c90)
References
https://www.linkedin.com/pulse/how-use-gmail-smtp-server-aruba-clearpass-prashant-harnal/ - How to use Gmail as SMTP server on Aruba ClearPass (2016)
https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Gmail-as-SMTP-server-on-CPPM/ta-p/185226 - How to use Gmail as SMTP server on CPPM (2014)