Here are some notes on getting a basic ClearPass Captive Portal page to authenticate an unknown wired client connected to a Cisco Catalyst 3560. Before this is all done, make sure the NAD has been added to ClearPass.

First.. the general algorithm

• Mac Auth Service – Allow all
• Radius Request
• Authenticaiont Success
• Radius url-redirect VSAs sent
• User Sends HTTP traffic
• User redirect to ClearPass Portal
• User Sends Login from Portal
• Web Auth Occurs
• On Success- Radius CoA Terminate Session
• MAC Auth Service – Reauthenticate
• Radius Allow All Access VSA Sent

The first trick is to get the Wired Mac policy to classify. The default IETF attributes will not work, you must check access tracker for the correct inputs that are being sent from the authenticator (switch).

The second gotcha is the Use Cached Policy checkbox in the Enforcement tab. Its not really emphasized in the documentation, but after the web auth happens, the MAC caching policy will not pick up the role assigned unless you enable the cached policy check.

There are many pages on Aruba’s documentation sites that document the required switch configuration, the main configuration lines are the following:

aaa new-model

interface VlanXXX
ip address 192.168.X.XXX 255.255.255.0
ip helper-address <CP_IP>

dot1x system-auth-control

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author
client <CP IP> server-key aruba123!
port 3799
auth-type all

ip dhcp snooping
ip device tracking

ip access-list extended weblogin
deny tcp any host 192.168.3.241
permit tcp any any

radius-server host <CP_IP> key <RADIUS_KEY>

interface FastEthernet0/1
switchport access vlan X
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x max-req 3
dot1x max-reauth-req 3
spanning-tree portfast
!

Other useful switch config hints:

# Make sure the native VLAN is set for the trunk port

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan X
switchport trunk allowed vlan X
switchport mode trunk
!

ntp server 216.239.35.0 prefer

clock timezone CST -5 0
clock summer-time CDT recurring

enable password cisco
!
username cisco privilege 15 password 0 cisco

This will setup a Virtual Switch Fabric or VSF on two switches that support this feature. Tested on a two 2930F 8 port. Switches are named Core-1 and Core-2

#on Core-1...

config t

#disable all interfaces
interface 1-10 disable

#set port 8 as primary vsf uplink
vsf member 1 link 1 8

#specify vsf domain
vsf enable domain 1

#reload the switch, after reboot check vsf status
show vsf
show vsf link
show vsf member 1

#on Core-2 get mac address and model
show system

#provision core-2 as standby... all commands still done on Core-1.. #aka commander. Switch type is model number

vsf member 2 type <switch type> 
module 2 type <switch-type> mac-address <macaddress>

#on Core-2...
#disable all interfaces on core-2,except uplink to core-1 -> core-2
config t
interface 1-7,9,10 disable

#erase config and reload Core-2 after plugging in uplink to both switches 
erase-startup config

The following deletes all old kernels except for the current one in use.

sudo apt-get purge $(dpkg -l ‘linux-*’ | sed ‘/^ii/!d;/'”$(uname -r | sed “s/\(.*\)-\([^0-9]\+\)/\1/”)”‘/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d’ | head -n -1) –assume-yes

You can find the open source program on MrS0m30n3’s Repository.

For window users, look for the installer.

Edit the /etc/samba/smb.conf file and add something similar

[secured]
 path = /samba/secured
 valid users = @smbgrp
 guest ok = no
 writable = yes
 browsable = yes

Afterwards, save the conf file and restart samba

sudo service smbd restart

Reference: https://www.howtoforge.com/samba-server-ubuntu-14.04-lts

 

“Throughout the last six months I’ve come across computers at my work with monitors that just wont display at all. Instead I get the message, “Monitor is in power save mode, activate using PC.” Now this is happening when the PC is booted and running. Beyond turning on the PC’s power, how can you activate the monitor? Is this message an indication of some other problem?”

As someone who routinely runs into this issue, I’ve also been wondering about this for the last few months. I bought an old Dell E176 on Ebay for console access. Recently when I needed it for upgrading a few computers, this became a issue. After reading through the forum posts, it’s clear that Dell monitors have problems with there memory settings (in the monitor’s hardware, not the PC) and coming out of power save mode.

Solution

Unplug the power cord for the monitor from the wall and wait for about 10 seconds, then replug-in the monitor. This should force the monitor to come out of sleep mode and re-calibrate it’s settings. Unplugging the VGA/DVI cable doesn’t do this.

Afterwards, set your desktop power settings to never sleep the monitor. Otherwise, do the aforementioned again.

 

Install the node modules and web driver

npm install protractor

then run

<project_directory>\node_modules\.bin\webdriver-manager update

And then running protractor against a conf.js file.

node_modules\.bin\protractor conf.js

I’m assuming the command prompt is opened in the project root.

Set-AuthenticodeSignature c:\foo.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]

Reference: Signing Powershell Scripts

The newest version of Csf emails the admin everytime any error or warning. To disable, add entries to the csf.pignore file in /etc/csf.

Usually, adding the user account will disable most of the alerts. Example:

user:zimbra

You need to restart both csf and lsd afterwards.

csf -r

service lsd restart

Reference

• Lfd
• Another Thread