ClearPass API E-mail notifications

In the following post I will explain how to create an e-mail message from the ClearPass system for successful authentication (Authentication notification) or for failed authentication (Authentication alert).

First let's create our actions, for sending emails, using ClearPass API and JSON,

Go to Administration » Dictionaries » Context Server Actions, and click Add:

 

For Authentication Notification message:

And here is the content of the JSON:

{             "to": ["jhon@dow.com"],             "subject": "Succesful Authentication Connection",             "message": "The following user has been authenticated at: \n%{Date:Date-Time} \nMAC Address: %{Connection:Client-Mac-Address-Colon} \nUser Name: %{Radius:IETF:User-Name} \nNAS-Identifier: %{Radius:IETF:NAS-Identifier} \nNAS-IP Address: %{Connection:NAD-IP-Address}, \nPort: %{Radius:IETF:NAS-Port-Id}, \nDevice Type: %{Authorization:[Endpoints Repository]:Device Name}" }

Replace the To email address for relevant address, also note that you can add any information, from the RADIUS request, the this message.

In the end click Save.

For Authentication Alert message:

Next thing is to make sure that your ClearPass system is configured with messaging services, go to Administration » External Servers » Messaging Setup and fill the required information:

Note that in my lab I'm using Gmail for mail delivery (and how to configure Gmail is out of the scope for this post).

Now go to Configuration » Enforcement » Profiles and click Add:

  

Configure a new enforcement profile using HTTP Based Enforcement template, name it and enter some description:

On Target server select localhost and as action select the relevant endpoint context server that you have created earlier:

Click Save

Now use this enforcement profile for any service/enforcement policy you like in order to notify, via email, about an event

For example, for my secure wireless connection, where I'm using EAP-TLS/EAP-PEAP I have added the following notifications:

Were as the authentication status match user or machine, I'm sending authentication notification and where the authentication status is none, failed or authentication source is unavailable I'm sending failed authentication notification.

Email example:

The following user has been authenticated at:

2019-02-13 19:22:25

MAC Address: 00:35:44:31:74:2a

User Name: talm

NAS-Identifier: MLAB ArubaMC-VA-01

NAS-IP Address: 10.100.110.201,

Port: %{Radius:IETF:NAS-Port-Id},

Device Type: xiaomi NE-520G

There are plenty of e-mail messages you can configure for different scenarios using the following method.

Great thanks to Derin Mellor, from Aruba Networks, for the right guidance on this one.

HPE Comware 7 using TACACS with Aruba ClearPass Policy Manager

In the following post I will demonstrate how to configure HPE Comware 7 switch for TACACS AAA services with Aruba ClearPass policy manager and Microsoft Active Directory.

Network Topology

Device/Host	Version	IP Address	VLAN ID
Aruba ClearPass Policy Manager	6.6.5.93747	192.168.0.19	1
HPE FlexNetwork 5510HI JH148A	5510hi-cmw710-system-r1308-US.bin	192.168.0.222	1
Microsoft Windows Server	2012 R2 running AD/CA/DHCP/DNS services	192.168.0.22	1
Microsoft Windows 7	Professional running SecureCRT	192.168.0.16	1

Switch configuration

First configure hwtacacs scheme:

hwtacacs scheme CPPM  primary authentication 192.168.0.19  primary authorization 192.168.0.19  primary accounting 192.168.0.19  key authentication simple <PASSWORD>  key authorization simple <PASSWORD>  key accounting simple <PASSWORD>  user-name-format without-domain  nas-ip 192.168.0.222 #

Next configure domain:

domain mlab.local  authentication login hwtacacs-scheme CPPM local  authorization login hwtacacs-scheme CPPM local  accounting login hwtacacs-scheme CPPM  accounting command hwtacacs-scheme CPPM  authorization command hwtacacs-scheme CPPM #

In the following domain configuration we authenticate/authorize and account every login with the CPPM (ClearPass Policy Manager) and also authorize and account every command (which are optional)

Configure the use for default domain:

domain default enable mlab.local

Configure default role:

role default-role enable

Last configure user interface access:

line vty 0 63  authentication-mode scheme  user-role network-operator  command authorization  command accounting #

Aruba ClearPass Policy Manager Configuration

Launch the CPPM web interface and go to Configuration -> Network -> Devices and click on Add.

Type in the device name, IP address, TACACS shared secret (the same password as we configured in the switch configuration under hwtacacs scheme) and choose H3C as vendor name:

Click Add to finish.

Next go to Administration -> Dictionaries -> TACACS+ Services, check the shell dictionary and click Export:

An XML file will be saved, open it with text editor (such Notepad++) and add the following two lines:

<ServiceAttribute dataType="Unsigned32" dispName="Privilege level" name="priv-lvl"/> <ServiceAttribute dataType="Unsigned32" dispName="Roles" name="roles"/>

Shown here marked in yellow:

Next go to Configuration -> Identity -> Roles and click Add.

As roles are only tags on CPPM add two roles – one for network admin and the other for network operator:

Each role will have different privileges while login into the switch.

Now go to Configuration -> Identity -> Role Mappings and click Add,

In the following example I’m using the MLAB active directory as authentication/authorization source and looking at the department attribute (from the AD) to map a role, an account from the IT department will receive MLAB Network-admin role while an account from the helpdesk department will receive MLAB Network-operator role:

Note that the department attribute should be enabled under the authentication source -> attributes.

Next go to Configuration -> Enforcement -> Profiles and click Add

Under template select TACACS+ Based Enforcement and type the profile name:

Click Next

Under Services, select Privilege 15, add Shell for Selected Services and add two following two Service Attributes:

Click Next

Check Enable to permit unmatched commands:

Here we can select the commands that we permit or deny, for the following profile, by clicking Add and type in the required commands.

Click Finish

Repeat this step for the network operator enforcement profile but this time set the privilege level to 1 and role to network-operator:

Next go to Configuration -> Enforcement -> Policies and click Add,

Type in the Enforcement policy name, select TACACS+ as Enforcement Type and select TACACS Deny Profile as Default Profile:

Click Next

Under Roles click Add Rule, select Type=Tips, Name=Role, Operator=EQUALS and Value=MLAB Network-admin. Select Enforcement Profile Comware7_Network-Admin:

Add one more rule for network-operator:

Click Finish

Last we need to configure the TACACS service, go to Configuration -> Services and click Add, Choose TACACS+ Enforcement, type in the service name, check Authorization and add service rules as required, here in this example I used TACACS protocol as match for this service:

Click Next

Under Authentication select the authentication source, in this example I choose the AD:

Click Next

Under Authorization select the authorization source, again here I choose the AD:

Click Next

Under Roles choose the role mapping [MLAB TACACS Role mapping]:

Click Next

Under Enforcement choose the enforcement policy [MLAB TACACS Enforcement]:

Click Next

In the Summary tab click Finish.

Go to Configuration -> Services and reorder the services in order that TACACS service will be first:

Verification and information

Under Monitoring -> Live Monitoring -> Access Tracker we can see the authentication and authorization commands:

Under Monitoring -> Live Monitoring -> Accounting we can see the start/stop session time and the command that issued by each user:

 

Next post i will explain how to configure Wired 802.1x policy along with web health check and MAC authentication.