Author Archives: aek82

ClearPass and Mac Auth Expiration Time

The default ClearPass service for Mac Auth uses the MAC-Auth Expiry attribute for determining if the expire time for when the account is expires. However, the default expire timestamp in Guest uses the expiry_time attribute in the Guest User Repository, and the default ClearPass Service Template does not include the necessary Authorization sources to make Mac Auth service functional. Nor does the Mac-Auth Expiry ever get set by a default service template in the endpoints repository.

To make this work, setting the attribute in the endpoint repository is required.

For the post_auth profile, set the Mac-Auth Expiry

%{Authorization:[Time Source]:Now Plus 2hrs}

You can also use the Guest user repository Expire Time attribute.

%{Authorization:[Guest User Repository]:ExpireTime}

In order for these sources to be available, you must add the Time Source to the authorization tab of the service.

Mac authentication must be enabled or configured on ArubaOS. For Instant, its a checkbox in the security settings for the network configuration. For ArubaOS, you must setup mac authentication under AAA profiles.

Instant Mac Auth Setting
Controller Based WLAN AOS8

If adding a custom expiration length to an account is required, this can be done by editing the default expire after attribute in the Guest Registration form or adding a custom Time Attribute to the Time Source.

ClearPass Guest and Expire_after attribute
Custom Time Attribute to Time Source

Aruba ClearPass and Cisco Wired Guest Access

Here are some notes on getting a basic ClearPass Captive Portal page to authenticate an unknown wired client connected to a Cisco Catalyst 3560. Before this is all done, make sure the NAD has been added to ClearPass.

First.. the general algorithm

  • Mac Auth Service – Allow all
  • Radius Request
  • Authenticaiont Success
  • Radius url-redirect VSAs sent
  • User Sends HTTP traffic
  • User redirect to ClearPass Portal
  • User Sends Login from Portal
  • Web Auth Occurs
  • On Success- Radius CoA Terminate Session
  • MAC Auth Service – Reauthenticate
  • Radius Allow All Access VSA Sent

The first trick is to get the Wired Mac policy to classify. The default IETF attributes will not work, you must check access tracker for the correct inputs that are being sent from the authenticator (switch).

The second gotcha is the Use Cached Policy checkbox in the Enforcement tab. Its not really emphasized in the documentation, but after the web auth happens, the MAC caching policy will not pick up the role assigned unless you enable the cached policy check.

On Initial User Authentication, send the Radius VSAs
You should see access tracker assign this enforcement profile
Policy for Web Auth
Web Login Page Settings

There are many pages on Aruba’s documentation sites that document the required switch configuration, the main configuration lines are the following:

aaa new-model

interface VlanXXX
ip address 192.168.X.XXX
ip helper-address <CP_IP>

dot1x system-auth-control

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author
client <CP IP> server-key aruba123!
port 3799
auth-type all

ip dhcp snooping
ip device tracking

ip access-list extended weblogin
deny tcp any host
permit tcp any any

radius-server host <CP_IP> key <RADIUS_KEY>

interface FastEthernet0/1
switchport access vlan X
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab

authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x max-req 3
dot1x max-reauth-req 3
spanning-tree portfast

Other useful switch config hints:

# Make sure the native VLAN is set for the trunk port

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan X
switchport trunk allowed vlan X
switchport mode trunk

ntp server prefer

clock timezone CST -5 0
clock summer-time CDT recurring

enable password cisco
username cisco privilege 15 password 0 cisco

Setup VSF on a ArubaOS Switch

This will setup a Virtual Switch Fabric or VSF on two switches that support this feature. Tested on a two 2930F 8 port. Switches are named Core-1 and Core-2

#on Core-1...

config t

#disable all interfaces
interface 1-10 disable

#set port 8 as primary vsf uplink
vsf member 1 link 1 8

#specify vsf domain
vsf enable domain 1

#reload the switch, after reboot check vsf status
show vsf
show vsf link
show vsf member 1

#on Core-2 get mac address and model
show system

#provision core-2 as standby... all commands still done on Core-1.. #aka commander. Switch type is model number

vsf member 2 type <switch type> 
module 2 type <switch-type> mac-address <macaddress>

#on Core-2...
#disable all interfaces on core-2,except uplink to core-1 -> core-2
config t
interface 1-7,9,10 disable

#erase config and reload Core-2 after plugging in uplink to both switches 
erase-startup config

Ubuntu Kernel Clean up

The following deletes all old kernels except for the current one in use.

sudo apt-get purge $(dpkg -l ‘linux-*’ | sed ‘/^ii/!d;/'”$(uname -r | sed “s/\(.*\)-\([^0-9]\+\)/\1/”)”‘/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d’ | head -n -1) –assume-yes

Upgrading ArubaOS from a USB port

If you have a small (less than 8 GB) USB drive available, upgrading AOS can be done via the USB port on a wireless controller. For the USB’s file system, FAT32 is an option for Windows users.

After booting into CPBoot (the second boot prompt)

#start the usb port

usb start 1

#check if usb port is reading

usb dev
# to check if the file system is readable..
dir 1
# ex. upgrade command
upgrade 0:0 1:1 Arubaimage/ArubaOS_72xx_6.4.4.4_53338


Reference: Airheads How To Upgrade a controller through the USB Port

Microsoft Service Fabric – Setting up a Linux Environment

Service Fabric was officially released about a year ago with the promise that it would be ported to Linux. The first Linux port, which is a preview, is out. You can find the directions on getting it up and running here.

I was able to setup Service Fabric using Ubuntu Server 16.01 LTS running on Virtual Box. A few notes about this Service Fabric release:

  • Allocate plenty of disk space. Running the service fabric cluster and installing everything (Azure CLI, Service Fabric SDK, Cluster Manager, OS) is 6.7 GB on my main user partition.
  • Starting the server cluster does take awhile, about 4-5 minutes on my machine. You have to wait a few minutes after the script finishes setting up.
  • The Yeoman Generator seen in the demo, azuresfcsharp, is in the Service Fabric SDK.