
Showing posts with label Aruba Networks.

Monday, December 30, 2019

Raspberry Pi Console server for Aruba AOS-CX switches



So, you got a bunch of new Aruba AOS-CX switches (6300 series), and now you need to connect them to your network...



There are two ways to configure them: either with the Aruba CX Bluetooth app or through the console port.

The Aruba AOS-CX 63xx comes with a USB Type-C console connector, which lets you use any USB Type-C cable to your PC, but what about a console server?



There are several USB Type-C console servers out there, but they are pretty expensive.
Here I build a console server for less than $150 using a Raspberry Pi and some cables.

First, get a Raspberry Pi with all the required accessories (MicroSD card with at least 8 GB, power supply, case, etc.).



You will also need 5 USB cables, Type-A (male) to Type-C; these are easy to find.

After configuring the Raspberry Pi with all the basic settings (IP address, routes, remote access, etc.), which is out of scope for this post, let's start configuring the console server functions.

Update and Install


sudo apt update
sudo apt upgrade -y
sudo apt-get install minicom -y
sudo apt install ser2net -y 


Allow user to dialout


Taking ownership of the serial ports is as easy as adding the dialout group to your login ID. You do that with the following command:

sudo usermod -a -G dialout pi

In the line above, pi is the user you want to add to the group. If you are logged in as a different user, use that username instead. The new group membership only takes effect at the next login, so log out and back in before testing.

Serial Port discovery


Before we can configure ser2net we need to figure out where our serial adapters are listening. Normally serial ports are /dev/ttyS0 or /dev/ttyS1, but because we are using USB adapters they may show up as /dev/ttyUSB0, /dev/ttyUSB1, etc., or, as with the AOS-CX USB-C console, as /dev/ttyACM0.

Use this command to search for yours:


dmesg | grep tty


In the output you will see the kernel messages for each adapter as it was detected. In my case, the single-port adapter I have plugged in was registered as ttyACM0.
With this information we can configure our ser2net.conf file.


Configuration


Create logging directory:

sudo mkdir /var/log/ser2net

When you install ser2net via apt it puts the configuration file in /etc. To edit it you can use nano, which is already on your Pi:

sudo nano /etc/ser2net.conf

Inside you will find some default configuration lines at the bottom of the config file. We can easily edit these to meet our needs.


Let’s edit the ser2net configuration to get things going. The following is my configuration for each serial connection:

Login banner:

BANNER:aruba-b1:\r\nAruba Networks ERT Lab\r\n\r\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\r\nYou must have explicit, authorized permission to access or configure this device.\r\nUnauthorized attempts and actions to access or use this system may result in civil and/or\r\ncriminal penalties.\r\nAll activities performed on this device are logged and monitored.\r\n\r\nYou are connected to port \p device \d [\s]\r\n\r\nHostname: AOS-CX 6300-06\r\n\r\n


Serial connection with trace file (the TRACEFILE is defined first, and the tr=tr1 option at the end of the port line attaches it; without tr=tr1 the trace file definition is never used; \p, \Y, \M, \D, \H, \i, \s and \U are ser2net's escapes for the TCP port and the timestamp fields in the file name):

TRACEFILE:tr1:/var/log/ser2net/\p-\Y-\M-\D-\H:\i:\s.\U
192.168.10.145,3000:telnet:600:/dev/ttyACM0:115200 8DATABITS NONE 1STOPBIT aruba-b1 tr=tr1


This needs to be configured for each serial connection; as the Raspberry Pi has only 4 USB ports, you will configure 4 of them.

Here is my ser2net.conf complete file:


BANNER:aruba-b1:\r\nAruba Networks ERT Lab\r\n\r\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\r\nYou must have explicit, authorized permission to access or configure this device.\r\nUnauthorized attempts and actions to access or use this system may result in civil and/or\r\ncriminal penalties.\r\nAll activities performed on this device are logged and monitored.\r\n\r\nYou are connected to port \p device \d [\s]\r\n\r\nHostname: AOS-CX 6300-01\r\n\r\n

BANNER:aruba-b2:\r\nAruba Networks ERT Lab\r\n\r\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\r\nYou must have explicit, authorized permission to access or configure this device.\r\nUnauthorized attempts and actions to access or use this system may result in civil and/or\r\ncriminal penalties.\r\nAll activities performed on this device are logged and monitored.\r\n\r\nYou are connected to port \p device \d [\s]\r\n\r\nHostname: AOS-CX 6300-02\r\n\r\n

BANNER:aruba-b3:\r\nAruba Networks ERT Lab\r\n\r\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\r\nYou must have explicit, authorized permission to access or configure this device.\r\nUnauthorized attempts and actions to access or use this system may result in civil and/or\r\ncriminal penalties.\r\nAll activities performed on this device are logged and monitored.\r\n\r\nYou are connected to port \p device \d [\s]\r\n\r\nHostname: AOS-CX 6300-03\r\n\r\n

BANNER:aruba-b4:\r\nAruba Networks ERT Lab\r\n\r\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\r\nYou must have explicit, authorized permission to access or configure this device.\r\nUnauthorized attempts and actions to access or use this system may result in civil and/or\r\ncriminal penalties.\r\nAll activities performed on this device are logged and monitored.\r\n\r\nYou are connected to port \p device \d [\s]\r\n\r\nHostname: AOS-CX 6300-04\r\n\r\n

TRACEFILE:tr1:/var/log/ser2net/usb-console-port1
192.168.10.145,3000:telnet:600:/dev/ttyACM0:115200 8DATABITS NONE 1STOPBIT aruba-b1 tr=tr1

TRACEFILE:tr2:/var/log/ser2net/usb-console-port2
192.168.10.145,3001:telnet:600:/dev/ttyACM1:115200 8DATABITS NONE 1STOPBIT aruba-b2 tr=tr2

TRACEFILE:tr3:/var/log/ser2net/usb-console-port3
192.168.10.145,3002:telnet:600:/dev/ttyACM2:115200 8DATABITS NONE 1STOPBIT aruba-b3 tr=tr3

TRACEFILE:tr4:/var/log/ser2net/usb-console-port4
192.168.10.145,3003:telnet:600:/dev/ttyACM3:115200 8DATABITS NONE 1STOPBIT aruba-b4 tr=tr4
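The discovery and configuration steps above can be scripted. The following shell script is an added example, not from the original post or from the ser2net project: it lists the USB console devices present, then generates the same BANNER/TRACEFILE/port stanzas as the file above for any number of adapters (so it goes beyond the four-port case). The LISTEN_IP, BASE_PORT and LOG_DIR parameters and the --install mode are assumptions of this example. It refuses a wildcard listen address on purpose: the telnet side of ser2net has no authentication, so the service should be bound to the management address (as the post's config does) and reachable only from the management network.

```shell
#!/bin/sh
# Added example (not from the original post): build a ser2net.conf in the 2.x
# syntax used above from whatever USB console adapters are plugged in.
# Assumptions, not from the post: LISTEN_IP/BASE_PORT/LOG_DIR are parameters,
# and a 0.0.0.0/:: listen address is refused because telnet here is unauthenticated.

LISTEN_IP="${LISTEN_IP:-192.168.10.145}"
BASE_PORT="${BASE_PORT:-3000}"
LOG_DIR="${LOG_DIR:-/var/log/ser2net}"

# Banner body from the post; \p, \d and \s are ser2net's own escapes
# (TCP port, device node, serial parameters) and must reach the file verbatim.
BANNER_TEXT='\r\nAruba Networks ERT Lab\r\n\r\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\r\nYou must have explicit, authorized permission to access or configure this device.\r\nUnauthorized attempts and actions to access or use this system may result in civil and/or\r\ncriminal penalties.\r\nAll activities performed on this device are logged and monitored.\r\n\r\nYou are connected to port \p device \d [\s]\r\n\r\nHostname: '

# List the USB console device nodes present right now
# (CDC-ACM as on the AOS-CX 6300, plus USB-serial adapters).
list_console_devices() {
    for d in /dev/ttyACM* /dev/ttyUSB*; do
        [ -e "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Refuse a wildcard listen address: anyone who can reach the port gets a switch console.
validate_listen_ip() {
    case "$1" in
        ""|0.0.0.0|::) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_ser2net_conf DEVICE... : one BANNER, TRACEFILE and port line per device,
# using ports BASE_PORT, BASE_PORT+1, ... in the order the devices are given.
gen_ser2net_conf() {
    validate_listen_ip "$LISTEN_IP" || { echo "refusing wildcard listen address $LISTEN_IP" >&2; return 1; }
    n=1
    for dev in "$@"; do
        name="aruba-b$n"
        port=$((BASE_PORT + n - 1))
        host=$(printf 'AOS-CX 6300-%02d' "$n")
        printf '%s\n' "BANNER:$name:$BANNER_TEXT$host\r\n\r\n"
        printf '%s\n' "TRACEFILE:tr$n:$LOG_DIR/usb-console-port$n"
        printf '%s\n\n' "$LISTEN_IP,$port:telnet:600:$dev:115200 8DATABITS NONE 1STOPBIT $name tr=tr$n"
        n=$((n + 1))
    done
}

# Stand-alone use: "sh gen-ser2net.sh --install" writes /etc/ser2net.conf for the
# adapters found and restarts ser2net. Without --install nothing is written.
if [ "${1:-}" = "--install" ]; then
    devs=$(list_console_devices)
    [ -n "$devs" ] || { echo "no /dev/ttyACM* or /dev/ttyUSB* devices found" >&2; exit 1; }
    # shellcheck disable=SC2086
    gen_ser2net_conf $devs | sudo tee /etc/ser2net.conf >/dev/null
    sudo /etc/init.d/ser2net restart
fi
```

Run it without arguments first (or pipe gen_ser2net_conf to a file) to review the generated stanzas; the device order follows the glob, so check that ttyACM0 really is the switch you expect on port 3000 before trusting the banner hostnames.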

Save that file and let’s make sure Ser2Net starts up automatically:

sudo nano /etc/rc.local

Add the following above exit 0 (the apt package installs the binary as /usr/sbin/ser2net; leave out the -n flag, which keeps ser2net in the foreground and would stall rc.local):


/usr/sbin/ser2net -c /etc/ser2net.conf

In order to stop/start ser2net use the following command:


sudo /etc/init.d/ser2net [stop|start]


Connect


Now use your favourite terminal app to connect to the console server: open a telnet session to the Raspberry Pi address (192.168.10.145 in my configuration) on port 3000 through 3003, one port per switch, and you will be greeted by the banner and the switch console.


Summary


There are many more enhancements we could add to this console server, such as a wireless AP/client mode to connect over a wireless network (the Raspberry Pi comes with a 2.4 GHz and 5 GHz IEEE 802.11ac wireless card), similar to AirConsole.

We can even power the Raspberry Pi from the auxiliary USB port found on the AOS-CX switch, if you run out of power outlets in your rack.

Reference:


https://www.packet6.com/configuring-your-raspberry-pi-as-a-console-server/


Wednesday, February 13, 2019

ClearPass API E-mail notifications


In the following post I will explain how to have ClearPass send an e-mail message on a successful authentication (authentication notification) or a failed authentication (authentication alert).

First, let's create the actions for sending e-mails, using the ClearPass API and JSON.
Go to Administration » Dictionaries » Context Server Actions, and click Add:

For Authentication Notification message:





And here is the content of the JSON:

{
            "to": ["jhon@dow.com"],
            "subject": "Successful Authentication Connection",
            "message": "The following user has been authenticated at: \n%{Date:Date-Time} \nMAC Address: %{Connection:Client-Mac-Address-Colon} \nUser Name: %{Radius:IETF:User-Name} \nNAS-Identifier: %{Radius:IETF:NAS-Identifier} \nNAS-IP Address: %{Connection:NAD-IP-Address}, \nPort: %{Radius:IETF:NAS-Port-Id}, \nDevice Type: %{Authorization:[Endpoints Repository]:Device Name}"
}

Replace the "to" e-mail address with the relevant address. Note that you can add any information from the RADIUS request to this message using the %{...} attribute syntax shown above.
Finally, click Save.

For Authentication Alert message:




Next, make sure that your ClearPass system is configured with a messaging service: go to Administration » External Servers » Messaging Setup and fill in the required information.

Note that in my lab I'm using Gmail for mail delivery (configuring Gmail is out of scope for this post).

Now go to Configuration » Enforcement » Profiles and click Add:

Configure a new enforcement profile using the HTTP Based Enforcement template, name it and enter a description:


As Target server select localhost, and as Action select the relevant endpoint context server action that you created earlier:


Click Save.

Now use this enforcement profile in any service/enforcement policy where you want an e-mail notification about an event.

For example, for my secure wireless connection, where I'm using EAP-TLS/EAP-PEAP, I have added the following notifications:

Where the authentication status matches User or Machine, I send the authentication notification; where the authentication status is None or Failed, or the authentication source is unavailable, I send the failed-authentication notification.

Email example:

The following user has been authenticated at:
2019-02-13 19:22:25
MAC Address: 00:35:44:31:74:2a
User Name: talm
NAS-Identifier: MLAB ArubaMC-VA-01
NAS-IP Address: 10.100.110.201,
Port: %{Radius:IETF:NAS-Port-Id},
Device Type: xiaomi NE-520G
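Notice that %{Radius:IETF:NAS-Port-Id} was left as-is in the e-mail above: the wireless request carried no NAS-Port-Id, so ClearPass had nothing to substitute. The following Python script is an added example, not from the post or from Aruba: it validates the JSON body of the Context Server Action and renders it locally against a constructed set of request attributes (the values from the sample e-mail above), so you can see which placeholders will come out unresolved before wiring the profile into a production service. The %{...} expansion here is a simulation of ClearPass's behaviour as shown on this page, not ClearPass's own code.

```python
"""Added example (not from the post): check and locally render a ClearPass
Context Server Action e-mail body.

Assumptions, not from the post: ClearPass's attribute expansion is simulated
with a regex over %{...} tokens, and a token whose attribute is absent from the
request is left verbatim, which is what the post's sample e-mail shows for
%{Radius:IETF:NAS-Port-Id}.
"""
import json
import re

# The Authentication Notification action body from the post, as a dict.
ACTION_BODY = {
    "to": ["jhon@dow.com"],
    "subject": "Successful Authentication Connection",
    "message": (
        "The following user has been authenticated at: \n%{Date:Date-Time} "
        "\nMAC Address: %{Connection:Client-Mac-Address-Colon} "
        "\nUser Name: %{Radius:IETF:User-Name} "
        "\nNAS-Identifier: %{Radius:IETF:NAS-Identifier} "
        "\nNAS-IP Address: %{Connection:NAD-IP-Address}, "
        "\nPort: %{Radius:IETF:NAS-Port-Id}, "
        "\nDevice Type: %{Authorization:[Endpoints Repository]:Device Name}"
    ),
}

# Constructed request attributes, using the values from the post's sample e-mail.
# NAS-Port-Id is deliberately absent: a wireless client has no physical port.
SAMPLE_REQUEST = {
    "Date:Date-Time": "2019-02-13 19:22:25",
    "Connection:Client-Mac-Address-Colon": "00:35:44:31:74:2a",
    "Radius:IETF:User-Name": "talm",
    "Radius:IETF:NAS-Identifier": "MLAB ArubaMC-VA-01",
    "Connection:NAD-IP-Address": "10.100.110.201",
    "Authorization:[Endpoints Repository]:Device Name": "xiaomi NE-520G",
}

# A token is %{ followed by anything up to the closing brace (names may contain [ ] and spaces).
TOKEN = re.compile(r"%\{([^}]+)\}")


def render(template: str, attrs: dict) -> str:
    """Expand %{Name} tokens from attrs; tokens with no matching attribute stay as written."""
    return TOKEN.sub(lambda m: str(attrs.get(m.group(1), m.group(0))), template)


def unresolved_tokens(text: str) -> list:
    """Attribute names still wrapped in %{...} after rendering."""
    return TOKEN.findall(text)


def validate_action_body(body: dict) -> list:
    """Return a list of problems with the action body; an empty list means it is usable."""
    problems = []
    to = body.get("to")
    if not isinstance(to, list) or not all(isinstance(a, str) and "@" in a for a in to):
        problems.append("'to' must be a list of e-mail addresses")
    for key in ("subject", "message"):
        if not isinstance(body.get(key), str) or not body[key].strip():
            problems.append(f"'{key}' must be a non-empty string")
    # Round-trip through JSON, since ClearPass parses exactly this text.
    try:
        json.loads(json.dumps(body))
    except (TypeError, ValueError) as exc:
        problems.append(f"body is not valid JSON: {exc}")
    return problems


def build_email(body: dict, attrs: dict) -> dict:
    """Produce the message that would be handed to the messaging service."""
    return {
        "to": list(body["to"]),
        "subject": render(body["subject"], attrs),
        "message": render(body["message"], attrs),
    }


if __name__ == "__main__":
    print("problems:", validate_action_body(ACTION_BODY) or "none")
    mail = build_email(ACTION_BODY, SAMPLE_REQUEST)
    print(mail["message"])
    print("unresolved:", unresolved_tokens(mail["message"]))
```

Running it prints the same text as the sample e-mail above and reports Radius:IETF:NAS-Port-Id as the one unresolved placeholder; for a wired service you would feed it a request that carries NAS-Port-Id, or drop the Port line from the wireless action.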

You can configure plenty of e-mail messages for different scenarios using this method.

Great thanks to Derin Mellor, from Aruba Networks, for the right guidance on this one.