Sending Emails from ClearPass with Gmail
05-22-2018 11:46 PM - edited 05-23-2018 12:45 AM
This article explains how to configure ClearPass to send emails using Google Mail - Gmail. There are several older acticles in Airheads and beyond that explain the general process (see References at the end). Several years ago, using Gmail (with the modified port and access credentials) was just as easy as using a local SMTP relay still is. However, increasing security requirements from Google has made this more complex than it was in the past, including finding and loading multiple certificates.
Configure SMTP Server
This has not changed from previous years: Administration » External Servers » Messaging Setup
Gmail supports two options:
- SSL on port 465
- StartTLS on port 587
When you enable either SSL or StartTLS, one of the following messages will be displayed:
- SMTP Server certificate must be imported to Trust List as SSL setting is enabled
- SMTP Server certificate must be imported to Trust List as StartTLS setting is enabled
Both of these options work with this method. Note that the Google Account option "Allow less secure apps" needs to be ON. [An alternative option using an application password has also been tested with ClearPass, but I have not replicated that yet; it would allow the less secure apps to be turned OFF.]
Obtain Google Certificates
This should be easy, and for all but one of them, it is.
Google certificates are available from https://pki.goog/
Multiple CA certs are listed here. These are the three that worked in my environments.
The missing fourth cert required is the Gmail SMTP Server certificate. I used the following process to extract the Gmail SMTP cert:
- Load openssl on your workstation.
For Windows, see https://wiki.openssl.org/index.php/Binaries. There are several links from here; I used the pre-compiled executable "OpenSSL Binaries 1.0.2 Win32" from https://www.magsys.co.uk/delphi/magics.asp.
- Run this command:
openssl s_client -servername smtp.gmail.com -connect smtp.gmail.com:465 | openssl x509 -text(Commands from https://mind-business.com/en/get-ssl-certificate-smtp-server-add-java-truststore/ )
- Verify the downloaded certificate is OK. You may have to disable antivirus software; my antivirus software intercepted the lookup and added its own self-signed cert into the chain (which doesn't work).
- Check the expiration date; they appear to be valid for 90 days only. That means this SMTP cert will need to be replaced on a regular basis. When checked on 23-May-18, it had these dates
Not Before: May 8 14:40:26 2018 GMT
Not After : Jul 31 13:27:00 2018 GMT
- Create a certificate file from the output, including the BEGIN and END lines into an appropriate file, eg "smtp.gmail.com-EXP20180731.crt".
Certificate Trust List
The four certificates must be added to the ClearPass Certificate Trust List and enabled (via Administration » Certificates » Trust List).
Click the certificate to see the details including dates.
You can have multiple SMTP certificates at once; you can disable or delete the old one after it is replaced.
For basic email testing, go back to Administration » External Servers » Messaging Setup and send a test email.
You can also check email results in Monitoring » Event Viewer
The man reason for doing this in the first place, was to generate automatic email receipts for visitors who register at an event. This is an example of the email sent by ClearPass after a visitor registered.
This error indicates something is wrong with external connectivity, eg routing, DNS.
Test connectivity from the ClearPass CLI, logged in as appadmin
network ping smtp.gmail.com
Google Account Blocked Access
Google had flagged a login attempt as suspicious and blocked access, including SMTP.
The Event Viewer had this error message:
Use the Google account management tools to unblock the account, and test again.
Firewall rules and settings
One or more generic firewall/UTM rules was causing problems with Google accounts, including this one used by ClearPass.
https://www.linkedin.com/pulse/how-use-gmail-smtp-server-aruba-clearpass-prashant-harnal/ - How to use Gmail as SMTP server on Aruba ClearPass (2016)
https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Gmail-as-SMTP-server-on-CPPM/ta-p/185226 - How to use Gmail as SMTP server on CPPM (2014)
Richard Litchfield, HPE Aruba
Network Solution Architect