Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Downloadable User Roles CPPM and Aruba 2930F

  • 1.  Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 06, 2018 04:48 AM

    Having some problems getting DUR working between ClearPass 6.7.1 and a 2930F switch running 16.5.4. Sat all yesterday with an HP engineer who had everything set up in his lab at home with multiple configs that all worked when running CPPM 6.6.8 and 2930 16.4.x code.

     

    We got local profiles working with ClearPass passing back the name of the local profile to use. We then tried downloading the same profile from CPPM and never managed to get it working.

     

    The local roles are:

    xb-as-2930-1(eth-1/11)# sh user-role
    Downloaded user roles are preceded by *

    User Roles

    Enabled : Yes
    Initial Role : mydefault-role

    Type        Name
    ----------  ------------------------------------------------------
    local       VOIP
    predefined  denyall
    local       roaming
    local       mydefault-role

     

    MAC auth of a Chromecast device against ClearPass tries to use a downloadable role but fails and uses the local mydefault-role instead.

     

    With debugging turned on we see:

     

    0006:18:31:41.03 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0006:18:31:41.03 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0006:18:31:41.03 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0006:18:31:41.06 MAC mWebAuth:Failed to apply user role dup3518-3120-14_7Z4q to
    macAuth client B827EB63DF46 on port 1/11: user role is invalid.
    0006:18:31:41.06 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 [2324] assigned
    role 'dup3518-3120-14_7Z4q' failed, attempting to apply initial role.
    0006:18:31:41.06 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 RADIUS Attributes,
    vid: 237.
    0006:18:31:41.07 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 [2324] client
    accepted with role 'mydefault-role'.
    0006:18:31:41.07 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 reauthentication
    timeout 28800 seconds.
    0006:18:31:41.07 MAC mWebAuth:Port: 1/11 MAC: b827eb-63df46 client successfully
    placed into vid: 237.
    W 03/06/18 09:39:20 05620 dca: ST1-CMDR: macAuth client B827EB63DF46 on port
    1/11 assigned to initial role as downloading failed for user role
    dup3518-3120-14.

     

    The ClearPass enforcement profile we're trying to use is shown below, but the switch never seems to be able to download it. Wondering if the CRYP messages shown might have something to do with it.

     

    Also, strangely enough, even though the switch and CPPM are configured for CoA on ClearPass, I never get the option to invoke a CoA command against this switch. We're using RADIUS to authenticate devices and users OK against CPPM, so I know ClearPass is set up correctly, as is the switch.

    Name:  Radius:Hewlett-Packard-Enterprise:HPE-CPPM-Role
    Value:
      aaa authorization user-role name "fred"
      policy "PERMIT-ALL"
      vlan roaming_vlan

     

    Someone else mentioned it might be the vlan statement (tried vlan-name ... as well). Doesn't matter if I remove the vlan statement completely, it still doesn't work.

     

    I know I've got the root and intermediate certs used by CPPM on the switch:

     

    xb-as-2930-1(eth-1/11)# sh crypto pki ta-
    Profile Name     Profile Status                  CRL Configured   OCSP Configured
    ---------------  ------------------------------  ---------------  ---------------
    IDEVID_ROOT      Root Certificate Installed
    COMODO_CA        Root Certificate Installed      No               No
    GEOTRUST_CA      Root Certificate Installed      No               No
    ARUBA_CA         Root Certificate Installed      No               No
    ClearP-X-B       Root Certificate Installed      No               No
    ADDTRUST         Root Certificate Installed      No               No

     

    Note: added the ADDTRUST one before I noticed the COMODO_CA profile had the same cert in there.

    Anyone got DUR working on 6.7.1/16.5.4?

     

    Rgds

    Alex



  • 2.  RE: Downloadable User Roles CPPM and Aruba 2930F

    EMPLOYEE
    Posted Mar 07, 2018 11:42 AM

    Yes, I have this implemented with ClearPass 6.7.1 and WC.16.05.0004 on the switch.

     

    From the logs, I can't conclude anything other than that the root CA for your ClearPass certificate has not been uploaded correctly to the switch.

     

    Did you follow the steps from http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161 ?

     

    What I found useful is to browse to ClearPass on HTTPS, then inspect the certificate there, go into the chain, select the root, and use the middle tab (Windows) to save it to a file (Base64). In that case, you have the correct root for sure.



  • 3.  RE: Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 08, 2018 06:09 AM

    OK, so just to make sure:

    went to ClearPass, Certificate Trust Store, and downloaded the intermediate cert from there. Also downloaded the root CA. Copied them onto my TFTP server.

     

    Copied the intermediate into ClearP-X-B

    To check:

    sh crypto pki ta-profile ClearP-X-B

    gives:

    Profile Name     Profile Status                  CRL Configured   OCSP Configured
    ---------------  ------------------------------  ---------------  ---------------
    ClearP-X-B       1 certificate installed         No               No

    Trust Anchor:
    Version: 3 (0x2)
    Serial Number:
    2f:21:28:08:15:d6:ed:d8:f9:3e:63:a0:f6:29:e7:40
    Signature Algorithm: sha256withRSAEncryption
    Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Validity
    Not Before: Dec 22 00:00:00 2014 GMT
    Not After : May 30 10:48:38 2020 GMT
    Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation Secure Server CA
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):

     

    However, the cert store doesn't actually have the AddTrust root CA that this cert chains to, so I created

     

    crypto pki ta-profile ADDTRUST_CA

     

    and uploaded the root cert into it, then did:

    sh crypto pki ta-profile ADDTRUST_CA
    Profile Name     Profile Status                  CRL Configured   OCSP Configured
    ---------------  ------------------------------  ---------------  ---------------
    ADDTRUST_CA      1 certificate installed         No               No

    Trust Anchor:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1withRSAEncryption
    Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Validity
    Not Before: May 30 10:48:38 2000 GMT
    Not After : May 30 10:48:38 2020 GMT
    Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

     

    Power cycled the device and still get:

    certificate against.
    0001:20:52:12.18 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0001:20:52:12.54 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0001:20:52:12.54 CRYP mcppmTask:Unable to find root certificate to validate
    certificate against.
    0001:20:52:12.56 MAC mWebAuth:Failed to apply user role dup35182-3121-2_7Z4q to
    macAuth client B827EB63DF46 on port 2/11: user role is invalid.
    0001:20:52:12.56 MAC mWebAuth:Port: 2/11 MAC: b827eb-63df46 [22] assigned role
    'dup35182-3121-2_7Z4q' failed, attempting to apply initial role.

     

     



  • 4.  RE: Downloadable User Roles CPPM and Aruba 2930F
    Best Answer

    Posted Mar 09, 2018 05:23 AM

    Sigh!

     

    Look at the error log, and when it says unable to find root certificate to validate against ... it really does mean that.

     

    Sorted ... when downloading the cert to install on the switch, it helps if you don't use the intermediate CA from the RADIUS service but the one from the HTTPS service.

     

    Strangely enough once I'd downloaded that one everything worked ....

     

    Now have:

     

    class ipv4 "IP-ANY-ANY"
      10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
      exit

    policy user "PERMIT-ALL"
      10 class ipv4 "IP-ANY-ANY" action permit
      exit

    aaa authorization user-role name "roaming_dup"
      policy "PERMIT-ALL"
      reauth-period 28800
      vlan-name "roaming_vlan"
      exit

     

    Working from ClearPass to a 2930M switch stack ... just before I wiped the stack config and started again!

     

    Alex
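
    The check behind replies #2 and #4 (inspect the chain the ClearPass HTTPS service actually presents, keep only its self-signed root, and install that as the switch's trust anchor rather than a CA from the RADIUS service's chain) can be rehearsed offline with openssl before touching a switch. The script below is an added example, not code from this thread or from HPE: it builds two constructed CA hierarchies on the fly (the names, the placeholder host cppm.example.net and the assumption that openssl is on PATH are all the example's own), then shows that an intermediate alone, or the root of the wrong chain, does not validate the HTTPS leaf, while the HTTPS chain's own root does. openssl verify without -partial_chain behaves like the switch's TA profile in that the chain has to terminate in an installed self-signed root.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the DUR trust-anchor check with
# openssl. Every CA and certificate here is constructed on the fly; names such
# as cppm.example.net are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the example does not depend on the system
# openssl.cnf. ca_ext marks a certificate as a CA.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# make_root NAME SUBJECT : self-signed root CA -> NAME.key, NAME.pem
make_root() {
  openssl req -x509 -config ca.cnf $KEYOPTS -keyout "$1.key" -out "$1.pem" \
    -subj "$2" -days 1 2>/dev/null
}

# make_signed NAME SUBJECT ISSUER [ca] : certificate issued by ISSUER -> NAME.pem
# (with CA extensions when the fourth argument is "ca")
make_signed() {
  openssl req -new -config ca.cnf $KEYOPTS -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ "${4:-}" = ca ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -extfile ca.cnf -extensions ca_ext -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -out "$1.pem" 2>/dev/null
  fi
}

# is_root PEM : "yes" if the certificate is self-signed (subject == issuer).
# That is the kind of certificate a TA profile needs, not an intermediate.
is_root() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${s#subject=}" = "${i#issuer=}" ]; then echo yes; else echo no; fi
}

# anchor_validates ANCHOR LEAF INTERMEDIATE : "ok" if LEAF chains to ANCHOR.
# No -partial_chain, so an intermediate installed as the anchor fails in the
# same way as the switch's "Unable to find root certificate to validate
# certificate against".
anchor_validates() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Two separate hierarchies, like a ClearPass whose HTTPS and RADIUS services
# carry certificates from different public CAs.
make_root   https_root  "/CN=Constructed Root A (HTTPS chain)"
make_signed https_int   "/CN=Constructed Intermediate A" https_root ca
make_signed https_leaf  "/CN=cppm.example.net" https_int
make_root   radius_root "/CN=Constructed Root B (RADIUS chain)"
make_signed radius_int  "/CN=Constructed Intermediate B" radius_root ca
make_signed radius_leaf "/CN=cppm.example.net" radius_int

echo "https_int is a root:       $(is_root https_int.pem)"   # no
echo "https_root is a root:      $(is_root https_root.pem)"  # yes
echo "anchor = intermediate only: $(anchor_validates https_int.pem   https_leaf.pem https_int.pem)"  # fail
echo "anchor = RADIUS chain root: $(anchor_validates radius_root.pem https_leaf.pem https_int.pem)"  # fail
echo "anchor = HTTPS chain root:  $(anchor_validates https_root.pem  https_leaf.pem https_int.pem)"  # ok
```

    Against a real ClearPass the chain to inspect is the one returned by `openssl s_client -connect <cppm-host>:443 -showcerts`; run is_root over each certificate it prints, and the one that answers "yes" is the certificate to load into the switch's ta-profile. The intermediate (issuer AddTrust, subject COMODO in reply #3) answers "no", which is why installing it alone left the CRYP errors in place.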



  • 5.  RE: Downloadable User Roles CPPM and Aruba 2930F

    Posted Mar 09, 2018 06:11 AM

    ...