Wednesday, February 22, 2023

RADIUS via Clearpass on Palo Altos

This was arguably harder than it should have been to figure out.  Hopefully this will help speed up your initial deployment of Clearpass with Palo Alto Networks NGFWs.

Initial Device Configuration in CPPM

First, set up your NGFWs within CPPM.

  • Configuration > Network > Devices
    • Add your devices!  Save the RADIUS shared secret for later; you'll need to enter it into your NGFWs.
  • Configuration > Network > Device Groups
    • Create a group for your NGFWs and add the devices into it.  For this exercise, we're naming it "Palo Altos"

Certificates!

CPPM

  • Administration > Certificates > Certificate Store
    • Service & Client Certificates
      • Create Certificate Signing Request
        • CN = cppm.local (or whatever, but this CN is referenced later in this post)
  • Get this signed by an internal CA or your favorite external CA
  • You may need to enable the CA in your trust list to allow EAP usage
  • Import Certificate
    • CN = cppm.local should appear

NGFW

  • Device > Certificate Management > Certificates
    • Import your CA root certificate, we're calling it "CA" 
    • Import the certificate generated above for CPPM, we're calling it "cppm-eap".
  • Device > Certificate Management > Certificate Profile
    • Name: clearpass
    • CA Certificates
      • "CA"
    • Set anything else that is appropriate for your installation.

CPPM Service

Next, create a CPPM service for this.

  • Configuration > Services
    • RADIUS Enforcement ( Generic )
    • Service
      • Service Rule
        • Connection NAD-IP-ADDRESS BELONGS_TO_GROUP Palo Altos
    • Authentication
      • Authentication Methods
        • [EAP PEAP]
        • [EAP MSCHAPv2]
        • [MSCHAP]
      • Authentication Sources
        • For this exercise, we're using [Admin User Repository] [Local SQL DB] but you should use the authentication source you use.
      • Service Certificate: CN=cppm.local
    • Roles
      • Role Mappings
        • Palo Alto Admins
          • Policy
            • Name: Palo Alto Admins
            • Default Role: PaloAlto-Admins
          • Mapping Rules:
            • Authentication:Source EQUALS [Admin User Repository] Role Name: PaloAlto-Admins
    • Enforcement
      • Palo Alto Login Enforcement Policy
        • Enforcement
          • Default Profile: [Deny Access Profile]
        • Rules
          • Tips:Role EQUALS PaloAlto-Admins, Action: Palo Alto RADIUS Admin
Move the new RADIUS service to wherever in the service order you deem appropriate.

Enabling RADIUS on NGFW

  • Log into your NGFW using SSH
    • tail follow yes mp-log authd.log
  • Device > Server Profiles > RADIUS
    • Profile Name: "fw.lab - server profile"
    • Authentication Protocol: PEAP-MSCHAPv2
    • Uncheck "Make Outer Identity Anonymous"
    • Certificate Profile: "clearpass"
    • Add your Clearpass servers, including the secret you previously used in Clearpass when creating the device.
  • Device > Authentication Profile
    • Profile Name: "fw.lab" -- this will show up in your authentication logs on Clearpass, set appropriately so you're not confused later
    • Type: RADIUS
    • Server Profile: "fw.lab - server profile"
    • Advanced
      • Allow List: all
  • Commit
  • Test and confirm; it's easiest via SSH.
    • Note: in the SSH window where you are tailing authd.log, you should see "Done with RADIUS (Code: 2)." This indicates a successful authentication.  Code 3 indicates a failure issued by the RADIUS server, such as an incorrect username or authentication method.
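As an added example (not PAN-OS code, and not from this post), here is a small Python helper that classifies the "Done with RADIUS (Code: N)." lines you see while tailing authd.log and reports the final verdict of a login test; the sample log excerpt is constructed, only the quoted phrase comes from the post.

```python
import re
from collections import Counter

# Added example, not PAN-OS code: classify the "Done with RADIUS (Code: N)."
# lines that `tail follow yes mp-log authd.log` prints during the login test.
# The codes are the RFC 2865 RADIUS packet codes: 2 Access-Accept, 3 Access-Reject,
# 11 Access-Challenge (the EAP round trips that precede the final verdict).
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
DONE_RE = re.compile(r"Done with RADIUS \(Code: (\d+)\)")

def classify(line):
    """Name of the RADIUS code on a 'Done with RADIUS' line, or None for other lines."""
    m = DONE_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    return RADIUS_CODES.get(code, "Unknown(%d)" % code)

def summarize(lines):
    """Count outcomes across a log excerpt; useful when tailing during several tests."""
    return Counter(c for c in map(classify, lines) if c)

def final_verdict(lines):
    """Last Accept/Reject seen; Challenges are in-progress, not a result."""
    verdict = "No RADIUS response logged"
    for name in map(classify, lines):
        if name in ("Access-Accept", "Access-Reject"):
            verdict = name
    return verdict

# Constructed sample excerpt: only the "Done with RADIUS (Code: N)." phrase
# comes from the post; timestamps, prefixes and the other lines are made up.
SAMPLE_LOG = """\
2023-02-22 09:00:01 authd: Done with RADIUS (Code: 11).
2023-02-22 09:00:01 authd: Done with RADIUS (Code: 11).
2023-02-22 09:00:02 authd: Done with RADIUS (Code: 2).
2023-02-22 09:05:10 authd: Done with RADIUS (Code: 3).
2023-02-22 09:05:11 authd: some unrelated debug line
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), final_verdict(SAMPLE_LOG))
```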

Wednesday, May 18, 2022

Speed up your Juniper RE downloads with this one simple trick!

I’ve been constantly plagued with slow network transfer times during maintenance windows on FreeBSD based Junos installs, but didn’t think much of it assuming it was just due to slow flash.

It’s apparently partly column A (the flash) and partly TCP tuning, and there’s an apparent workaround:

start shell user root

sysctl net.inet.tcp.sendspace=2048000

sysctl net.inet.tcp.recvspace=2048000

kill `ps aux | grep inetd | grep sbin | awk '{ print $2 }'`   # the PID is the second column of ps aux output (the first is the user)

I haven’t had a chance to try this personally, but if it works, this would be huge.  People tell me this doesn’t apply to EVO and it may not work at all if the flash itself can’t support the speed, so try at your own risk.

Thursday, May 12, 2022

Okta and Clearpass and Mist, oh my!

After a few weeks of frustration and limited documentation, I was able to log into an SSID using Enterprise WPA2 with a certificate issued by Aruba ClearPass logging in with only Okta.  This shouldn't be as complicated or daunting as it was.

I make no guarantees that this will work correctly as software is an ever moving target, I can only attest that this worked when this blog post was published.  I may have missed a couple things, but this should further your progress.

First, Okta + ClearPass integration

Starting with Aruba ClearPass 6.10, native Okta integration has been removed in favor of a generic SAML integration.

Okta


Single Sign On URL: https://<clearpass server>/networkservices/saml2/sp/acs
Recipient URL: https://<clearpass server>/networkservices/saml2/sp/acs
Destination URL: https://<clearpass server>/networkservices/saml2/sp/acs
Audience Restriction: https://<clearpass server>/networkservices/saml2/sp/acs

Application username format: Okta username

Download the X.509 certificate, it will be used later

Clearpass

Policy Manager > Administration > Certificates > Trust List
➕ Add 
Certificate File > [ Choose the X.509 certificate saved earlier ]
Usage > SAML
Usage > Others
Add Certificate

Policy Manager > Configuration > Identity > Single Sign-On (SSO)
SAML SP Configuration
Identity Provider (IdP) URL: <provided by Okta as Identity Provider Single Sign-On URL>
Enable SSO for: ☑ Onboard; the others aren't required, but that depends on your needs and is outside the scope of this post.
Identity Provider (IdP) Signing Certificate
Select the Okta SAML certificate 

Second, ClearPass changes required

In order to get the certificates to properly authenticate against ClearPass, a couple changes are required.

Policy Manager > Configuration > Authentication > Methods 
[EAP TLS With CN Check] 
Copy
Cancel out, open "Copy of [EAP TLS With CN Check]"
  • Rename "Copy of [EAP TLS With CN Check]" to something significant like "Company Name [EAP TLS]", you'll use this later 
  • Uncheck Authorization Required: Enable -- This does a username/password check against your authentication source, which likely isn't defined since you're using Okta as your IdP and nothing is stored locally for the user.

HTTPS certificate

Add your HTTPS certificate; this is required for authenticating macOS clients newer than Lion 10.7. It may make sense to add signing capabilities to this certificate, to allow Android devices to authenticate to RADIUS.

Policy Manager > Administration > Certificates > Certificate Store > Import Certificate > Server > Usage HTTPS(RSA)

As our certificate provider only provided the certificates in CRT format, I converted them to PKCS#12 to import them more easily along with the key.  Note: you should set a key passphrase, otherwise ClearPass will choke, even with unencrypted keys.

openssl pkcs12 -inkey cppm.key -in cppm.crt -export -out cppm.pfx

This imported without issue after adding the intermediate certificate and enabling it (and its root) under Administration > Trust List.  

With ClearPass 6.10, support for ECC keys was added.  If you are only using RSA keys, you may have to disable the ECC key.

Server Certificates > Select Usage > HTTPS(ECC) Server Certificate > Disable

You should now be able to use Okta to log into ClearPass Onboard using the Okta chiclet.  It'll just drop you to the onboard administrative portal, nothing more.  I'll update this post later once I determine how to drop the user into the onboarding portal itself.  Feel free to hide the Okta chiclet if this situation isn't ideal, it has no bearing on the functionality of the onboarding portal as you'll see later.

Lastly, ClearPass + Mist integration

ClearPass

Network Profile

Onboard > Onboard > Configuration > Network Settings
Create new network
Name: Okta WiFi (or whatever)
Network Type: Both — Wired and Wireless -- This allows us to use this profile for wired 802.1x authentication as well
Security Version: WPA2 with AES
SSID: Whatever You Want
-> Next

Enable TTLS and PEAP; the others aren't required, but it shouldn't hurt to leave them enabled.
Inner Identity: MSCHAPv2
-> Next

iOS & macOS Authentication
Credentials: Certificate

💾 Save Changes

Configuration Profiles

Onboard > Onboard > Deployment and Provisioning > Configuration Profiles
Create new configuration profile
Name: IT Onboarding (or whatever)
Networks: Select your network, uncheck Example Network

💾 Save Changes

Provisioning Settings

Onboard > Onboard > Deployment and Provisioning > Provisioning Settings
Create new provisioning settings
Name: <Company Name> Onboard
Organization: <Company Name> IT

Identity
Certificate Authority: Local Certificate Authority
Signer: Onboard Certificate Authority
TLS Certificate Authority: Local Certificate Authority
Key Type: 2048-bit RSA - created by device
Unique Device Credentials: [X]

Authorization
Authorization Method: App Authentication — check using Aruba Application Authentication
Use SSO: [X]
Configuration Profile: IT Onboarding (or whatever you named it)
Maximum Devices: 0 will allow users to provision unlimited devices
> Next

Adjust settings appropriately for your organization, if necessary.
> Next

Page Name: device_provisioning_2 (name this something easy)
> Next

> Next

Apple Profiles
Display Name: [This should be a friendly name that won't scare users]
Profile Description: "This provisioning profile will allow you to connect to the wifi and wired networks at [Company name]"

Profile Signing:
Certificate Source: Generate using the Onboard CA [This should be fine, it'll install the root certificate in the profile, but you can use another source.]
Common Name: "Device Enrollment (Profile Signing)" [This should be fine, only your IT department would really see this.]
> Next

Onboard Client
Code-Signing Certificate: [This is where you can select your certificate from earlier, "None" may break Android enrollment.]
Provisioning Address: [Use your IP unless you're certain your DNS is functional]
Validate Certificate: Yes
Logo Image: [You can upload a PNG or JPG under Content Manager]
> Next

💾 Save Changes

Now to allow Mist to authenticate against ClearPass

Devices

Policy Manager > Configuration > Network > Devices
Add
Name: [Office name] [VLAN name]
Subnet address: 10.10.10.0/24 [Or wherever your APs live within your network]
RADIUS Shared Secret: [This should be noted as you'll be using this in Mist's portal]
Vendor Name: Cisco [They use some of Cisco's attributes]
Save

Services

Policy Manager > Configuration > Services
Add
Name: mist wireless
Type: 802.1X Wireless
Monitor Mode: Disabled
More Options: -

Service Rules
Match ALL of the following conditions:
1. Radius:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)
2. Radius:IETF Service-Type BELONGS_TO Login-User (1), Framed-User (2), Authenticate-Only (8)
3. Connection SSID CONTAINS [your SSID]

Authentication Methods
1. "Company Name [EAP TLS]"
2. [EAP PEAP]
3. [EAP FAST]
4. [EAP TTLS]

Authentication Sources:
1. [Onboard Devices Repository] [Local SQL DB]
2. [Local User Repository] [Local SQL DB]
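As an added example (not ClearPass code, and not from this post), here is a small Python model of how the service rules above, and the Palo Alto admin service earlier on this page, are evaluated for an incoming RADIUS request; the device IPs, the request dictionaries and the service name "Palo Alto admin login" are assumptions, and it also shows why a wired client on the same Onboard profile would not match "mist wireless".

```python
# Added example, not ClearPass code: a small model of how the service rules
# configured on this page (the Palo Alto admin service and "mist wireless")
# are evaluated for a RADIUS request. Attribute names and operators follow
# the Policy Manager configuration; device IPs and requests are constructed.

# Device group from the Palo Alto post; the NGFW management IPs are made up.
DEVICE_GROUPS = {"Palo Altos": {"192.0.2.10", "192.0.2.11"}}

OPERATORS = {
    "EQUALS": lambda actual, want: actual == want,
    "BELONGS_TO": lambda actual, want: actual in want,
    "CONTAINS": lambda actual, want: want in (actual or ""),
    "BELONGS_TO_GROUP": lambda actual, group: actual in DEVICE_GROUPS.get(group, ()),
}

# ALL conditions of a service must match. NAS-Port-Type 19 = Wireless-802.11
# (15 = Ethernet); Service-Type 1/2/8 = Login-User/Framed-User/Authenticate-Only.
# "Palo Alto admin login" is a hypothetical service name (the page names none).
SERVICES = [
    ("Palo Alto admin login", [
        ("Connection:NAD-IP-Address", "BELONGS_TO_GROUP", "Palo Altos"),
    ]),
    ("mist wireless", [
        ("Radius:IETF:NAS-Port-Type", "EQUALS", 19),
        ("Radius:IETF:Service-Type", "BELONGS_TO", {1, 2, 8}),
        ("Connection:SSID", "CONTAINS", "Okta WiFi"),
    ]),
]

def match_service(request):
    """Return the first service, top-down as ClearPass does, whose rules all match."""
    for name, rules in SERVICES:
        if all(OPERATORS[op](request.get(attr), want) for attr, op, want in rules):
            return name
    return None

def enforce_palo_alto(role):
    """Enforcement policy from the Palo Alto service: default deny, admins allowed."""
    return "Palo Alto RADIUS Admin" if role == "PaloAlto-Admins" else "[Deny Access Profile]"

# Constructed requests: a firewall admin login, a Mist wireless client, and a
# wired 802.1X client on the same Onboard profile, which fails rule 1 of
# "mist wireless" (NAS-Port-Type 15) and so would need its own wired service.
FW_ADMIN = {"Connection:NAD-IP-Address": "192.0.2.10"}
WIFI_CLIENT = {"Connection:NAD-IP-Address": "10.10.10.5", "Connection:SSID": "Okta WiFi",
               "Radius:IETF:NAS-Port-Type": 19, "Radius:IETF:Service-Type": 2}
WIRED_CLIENT = {**WIFI_CLIENT, "Radius:IETF:NAS-Port-Type": 15, "Connection:SSID": None}
```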

Mist

Organization > Wireless > Config Templates
Create Template
Name: Whatever you want
WLANs: Add WLAN

SSID: [Name used in the Network Settings page of ClearPass, this should match]
Security: WPA-3/EAP (802.1x)(+WPA-2)
RADIUS Authentication Servers:
Add Server
Hostname: [IP address of your ClearPass server]
Shared Secret: [RADIUS Shared Secret from the last step in ClearPass]
RADIUS Accounting Servers
☑ Enable Interim Accounting
Add Server
Hostname: [IP address of your ClearPass server]
Shared Secret: [RADIUS Shared Secret from the last step in ClearPass]

NAS Identifier: mist-[ssid]-{{DEVICE_NAME}}--{{SITE_NAME}}
VLAN: Untagged
Save

Done, now onboard and test

Onboard your device (using Safari, it's easier due to Apple being Apple) at:
https://[clearpass hostname]/onboard/device_provisioning_2.php 
[device_provisioning_2 should be what you named it earlier, if you chose a different name]

This should push you through the Okta authentication flow and kick you straight to the certificate download, then the profile download.  Install the certificate and profile (System Preferences > Profiles) and it should connect you to your new wireless network.  If a dialog asks for a username and password, just leave it blank.

You can validate that the authentication was successful in Policy Manager:
Policy Manager > Monitoring > Live Monitoring > Access Tracker

This should show your Okta username with ACCEPT.
Click the request and open the Input tab; it should also show you the certificate under "Computed Attributes".



Hopefully this walkthrough helped.  As of early May 2022, this post was accurate.
