Education - Australia / New Zealand

A local community of education customers across Australia / NZ. This group will be moderated by HPE Aruba Networking staff and kept up to date with any upcoming training or events that are relevant to the EDU space.

Sending Emails from ClearPass with Gmail

  • 1.  Sending Emails from ClearPass with Gmail

    Posted May 23, 2018 02:46 AM

    Overview
    This article explains how to configure ClearPass to send emails using Google Mail - Gmail. There are several older articles in Airheads and beyond that explain the general process (see References at the end). Several years ago, using Gmail (with the modified port and access credentials) was just as easy as using a local SMTP relay still is. However, increasing security requirements from Google have made this more complex than it was in the past, including finding and loading multiple certificates.

    Configure SMTP Server
    This has not changed from previous years: Administration » External Servers » Messaging Setup

     

    CPPM+Gmail SMTP server.png

     

    Gmail supports two options:

    • SSL on port 465
    • StartTLS on port 587

    When you enable either SSL or StartTLS, one of the following messages will be displayed:

    • SMTP Server certificate must be imported to Trust List as SSL setting is enabled
    • SMTP Server certificate must be imported to Trust List as StartTLS setting is enabled

    Both of these options work with this method. Note that the Google Account option "Allow less secure apps" needs to be ON. [An alternative option using an application password has also been tested with ClearPass, but I have not replicated that yet; it would allow the less secure apps to be turned OFF.]

    Obtain Google Certificates
    This should be easy, and for all but one of them, it is.

    Google certificates are available from https://pki.goog/

    CPPM+Gmail Google Trust Services.png

     

    Multiple CA certs are listed here. These are the three that worked in my environments.

    CPPM+Gmail Google CA certs.png

     

     

    The missing fourth cert required is the Gmail SMTP Server certificate. I used the following process to extract the Gmail SMTP cert:

    1. Load openssl on your workstation.
      For Windows, see https://wiki.openssl.org/index.php/Binaries. There are several links from here; I used the pre-compiled executable "OpenSSL Binaries 1.0.2 Win32" from https://www.magsys.co.uk/delphi/magics.asp.
    2. Run this command:
      openssl s_client -servername smtp.gmail.com -connect smtp.gmail.com:465 | openssl x509 -text
      (Commands from https://mind-business.com/en/get-ssl-certificate-smtp-server-add-java-truststore/ )
    3. Verify the downloaded certificate is OK. You may have to disable antivirus software; my antivirus software intercepted the lookup and added its own self-signed cert into the chain (which doesn't work).
      CPPM+Gmail openssl cert download error.png

       

    4. Check the expiration date; they appear to be valid for 90 days only. That means this SMTP cert will need to be replaced on a regular basis. When checked on 23-May-18, it had these dates:
      Not Before: May  8 14:40:26 2018 GMT
      Not After : Jul 31 13:27:00 2018 GMT
    5. Create a certificate file from the output, including the BEGIN and END lines into an appropriate file, eg "smtp.gmail.com-EXP20180731.crt".
      CPPM+Gmail SMTP cert.png

    Certificate Trust List
    The four certificates must be added to the ClearPass Certificate Trust List and enabled (via Administration » Certificates » Trust List).

    CPPM+Gmail add cert.png

     

    CPPM+Gmail cert trust list.png


    Click the certificate to see the details including dates.

    CPPM+Gmail SMTP cert details.png

     

    You can have multiple SMTP certificates at once; you can disable or delete the old one after it is replaced.

    CPPM+Gmail cert trust list with 5.png

    Testing
    For basic email testing, go back to Administration » External Servers » Messaging Setup and send a test email.

    CPPM+Gmail send test email.png

     

     

    You can also check email results in Monitoring » Event Viewer.

    CPPM+Gmail email event details.png

    The main reason for doing this in the first place was to generate automatic email receipts for visitors who register at an event. This is an example of the email sent by ClearPass after a visitor registered.

    CPPM+Gmail example CPPM email.png

    Troubleshooting
    General Connectivity
    This error indicates something is wrong with external connectivity, eg routing, DNS.

    CPPM+Gmail email event error.png

    Test connectivity from the ClearPass CLI, logged in as appadmin:
    network ping smtp.gmail.com

     

    Google Account Blocked Access
    Google had flagged a login attempt as suspicious and blocked access, including SMTP.

    CPPM+Gmail sign in attempt blocked.png

     

     

    The Event Viewer had this error message:
     CPPM+Gmail email event error 534.png
    Use the Google account management tools to unblock the account, and test again.

    Firewall rules and settings
    One or more generic firewall/UTM rules were causing problems with Google accounts, including this one used by ClearPass.

    CPPM+Gmail firewall errors.png

    References
    https://www.linkedin.com/pulse/how-use-gmail-smtp-server-aruba-clearpass-prashant-harnal/ - How to use Gmail as SMTP server on Aruba ClearPass (2016)
    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Gmail-as-SMTP-server-on-CPPM/ta-p/185226 - How to use Gmail as SMTP server on CPPM (2014)
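
The verification and expiry checks from steps 3 to 5 of the certificate extraction procedure above, as an added shell example that is not part of the original post. The helper names are hypothetical, and it assumes the CA certificates downloaded from https://pki.goog/ have been concatenated into one PEM bundle.

```shell
# Added example; helper names are hypothetical. Requires OpenSSL 1.1.0+.

# Fetch the leaf certificate (needs network; 465 is implicit TLS).
fetch_leaf() {  # usage: fetch_leaf smtp.gmail.com 465 leaf.crt
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# Succeed only if the leaf chains to the bundle of CA certificates you
# downloaded yourself (assumed concatenated in PEM form). -no-CApath keeps
# the system CA directory out of the decision. A TLS-inspecting antivirus
# or proxy re-signs the leaf with its own CA, so its certificate fails here.
chains_to() {  # usage: chains_to ca_bundle.pem leaf.crt
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed if the certificate expires within N days.
expires_within() {  # usage: expires_within leaf.crt 14
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Convert an "openssl x509 -enddate" line on stdin to YYYYMMDD.
enddate_to_tag() {
    awk -F'[= ]+' '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
        printf "%s%02d%02d\n", $5, m, $3
    }'
}

# Expiry tag for file names such as smtp.gmail.com-EXP20180731.crt.
expiry_tag() {  # usage: expiry_tag leaf.crt
    openssl x509 -in "$1" -noout -enddate | enddate_to_tag
}

# Gate before import: 0 = usable, 1 = untrusted chain, 2 = replace soon.
check_leaf() {  # usage: check_leaf ca_bundle.pem leaf.crt warn_days
    chains_to "$1" "$2" || { echo "REJECT: $2 does not chain to $1"; return 1; }
    if expires_within "$2" "$3"; then
        echo "RENEW: $2 expires $(expiry_tag "$2")"; return 2
    fi
    echo "OK: $2 chains to $1, expires $(expiry_tag "$2")"
}
```

Running `check_leaf` on every re-extracted certificate before adding it to the Trust List catches an intercepted chain and flags the short validity period ahead of expiry.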