Computer and IT knowledge - things to know - radius
rpm directory: /usr/src/packages/RPMS/s390/freeradius-1.0.0-1.s390.rpm
rpm -hiv --force --nodeps file.rpm #force it (skips dependency checks) ;-)
rpm -q -a #list all installed packages
rpm -qa --last #orders the package listing by install time, latest packages at the top
rpm -q -p file.rpm #query the given rpm file instead of the rpm database, shows name and version
rpm -q -p -i file.rpm #show information about the given rpm file
rpm -q -p -l file.rpm #list all files belonging to this package
rpm -q -l <package> #list the files of an installed package
rpm -q -p --requires file.rpm #shows the packages/libs (capabilities) this package needs
rpm -q -p --provides file.rpm #shows the capabilities this package provides
rpm -Va #verify all installed packages, reports changed and missing files
rpm -qf /usr/bin/smbmount #find out which package owns a file
rpm -Fvh openssh*.rpm #freshen: upgrade only if an older version is already installed (typical for applying an update)
rpm -ba foobar-1.0.spec #build source and binary rpm (old rpm; newer versions use rpmbuild -ba)
rpm -bb foobar-1.0.spec #build only the binary rpm (rpmbuild -bb)
- copy files specified in spec file to /usr/src/packages/BUILD
s390: stored under /usr/src/packages/RPMS/s390/
Use the command 'rpm/rpmbuild -ta dante-<version>.tar.gz' to build all rpm files.
rpm --rebuild src.rpm #build the binary rpm from a source rpm => /usr/src/redhat (newer versions: rpmbuild --rebuild)
#force install of package from other architecture
rpm -iv --force --nodeps --ignorearch freeradius-IBM-bluegroup-1-14.s390.rpm
-> build a "noarch" rpm:
rpm -bb --target=noarch specfile
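Added example (not part of the original notes and not an rpm tool): a small Python parser for the output of `rpm -Va` that separates the findings you expect (edited config files) from the ones worth a closer look (changed binaries, missing files). The sample output embedded in it is constructed; pipe real `rpm -Va` output into the script to use it on a host.

```python
"""Triage the output of `rpm -Va` (verify all installed packages).

rpm -Va prints one line per file that fails a check: nine flag characters
(S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime,
P capabilities; '.' = check passed, '?' = check not possible), an optional
file-type letter (c config, d doc, g ghost, l license, r readme) and the
path. Missing files are printed as "missing  <path>".
"""
import re
import sys
from dataclasses import dataclass

_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "user", "G": "group", "T": "mtime",
                "P": "capabilities"}


@dataclass
class Finding:
    path: str
    ftype: str            # "" for normal payload files, "c" for config files, ...
    changed: tuple        # names of the failed checks, e.g. ("size", "digest", "mtime")
    missing: bool = False

    @property
    def severity(self) -> str:
        """Rough triage: content or permission changes on non-config files and
        missing files deserve a look first; edited config files are usually expected."""
        if self.missing:
            return "high"
        if {"digest", "mode", "capabilities", "symlink"} & set(self.changed):
            return "low" if self.ftype == "c" else "high"
        if {"user", "group"} & set(self.changed):
            return "medium"
        return "info"     # e.g. mtime-only changes


def parse_rpm_verify(text: str) -> list:
    """Parse rpm -Va output into Finding objects; unrelated lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue
        flags, path = m.group("flags"), m.group("path")
        ftype = m.group("ftype") or ""
        if flags == "missing":
            findings.append(Finding(path, ftype, (), missing=True))
        else:
            changed = tuple(FLAG_MEANING[c] for c in flags if c in FLAG_MEANING)
            findings.append(Finding(path, ftype, changed))
    return findings


def suspicious(findings) -> list:
    """Findings worth investigating first (changed binaries, missing files)."""
    return [f for f in findings if f.severity == "high"]


# constructed sample output, not taken from a real host
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libfoo.so.1
S.5....T.    /usr/sbin/sshd
missing     /usr/bin/smbmount
"""

if __name__ == "__main__":
    # usage: rpm -Va | python3 rpm_verify_triage.py   (falls back to SAMPLE)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in parse_rpm_verify(data):
        detail = "MISSING" if f.missing else ",".join(f.changed)
        print(f"{f.severity:6} {f.path}  {detail}")
```

The severity mapping is a starting point, not a verdict: a digest change on /usr/sbin/sshd after `rpm -Fvh openssh*.rpm` is expected, one without a matching package update is not, so compare against `rpm -qa --last` before drawing conclusions.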
WatchGuard Firebox VPN: if more than one authentication server is defined in a VPN configuration, the user is always authenticated against the default authentication server, which is normally the local Firebox database (Firebox-DB).
To pick a different authentication server, put the server name in front of the user name, separated by a backslash:
radius\username #RADIUS as authentication server
-------------------
see more on the watchguard website: http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/mvpn/ssl/mvpn_ssl_client-install_c.html
Use a non-default authentication server
In the User name text box, type <authentication server>\<user name>.
Examples:
If RADIUS is the non-default server: radius\j_smith
If the Active Directory server ad1_example.com is the non-default server: ad1_example.com\j_smith
If Firebox-DB is the non-default authentication server: Firebox-DB\j_smith
#########################
# Korenix switch sample config (hostname korenix-4508-testswitch, 802.1X with RADIUS)
#########################
hostname korenix-4508-testswitch
vlan learning independent
!
vlan 1
!
vlan 99
name not-in-use
!
vlan 11
name vlan11
!
vlan 12
name vlan12
!
vlan 10
name management
!
interface fastethernet1
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet2
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet3
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet4
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet5
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet6
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet7
acceptable frame type vlantaggedonly
description Uplink Trunk
switchport trunk allowed vlan add 10-12,99
!
interface fastethernet8
description management
switchport access vlan add 10
switchport trunk native vlan 10
!
interface lo
ip address 127.0.0.1/8
!
interface vlan1
shutdown
!
interface vlan10
ip address 10.20.30.250/24
no shutdown
!
ip route 0.0.0.0/0 10.20.30.254
!
log syslog local
log syslog remote 10.20.30.10
service http disable
service telnet disable
spanning-tree mst configuration
exit
clock timezone 27
clock set 0:0:0 1 1 2008
administrator admin my-secred-pwd
snmp-server community s4cpub ro
snmp-server host 10.20.30.10 version 2 s4cpub
snmp-server contact "my-contact"
snmp-server location Test-Location
warning-event coldstart
warning-event warmstart
warning-event authentication
warning-event linkdown fa1-8
warning-event linkup fa1-8
warning-event power 1
warning-event ring
warning-event fault-relay
dot1x radius server-ip 192.168.10.10 key radius-key 1812 1813
dot1x system-auth-control
dot1x authentic-method local
dot1x username admin passwd my-secred-pwd vlan 10
ntp peer enable
ntp peer primary 10.20.30.254
!
#########################
# useful commands (HPE Comware, mac-authentication):
#########################
display mac-authentication
display connection #display online user information
display mac-authentication interface GigabitEthernet 1/0/1
display mac-authentication connection interface GigabitEthernet 1/0/1
#debug radius (enable terminal output first):
terminal monitor
terminal debugging
debugging radius all
#########################
# base settings (HPE Comware, mac-authentication against a RADIUS scheme)
#########################
mac-authentication
mac-authentication timer offline-detect 28800
mac-authentication domain mynac-mac
radius scheme mynac
primary authentication 192.168.2.99
key authentication cipher $asdfkljasdlfkjasdklfjasdf==
user-name-format without-domain
nas-ip 192.168.2.199
domain mynac-mac
authentication lan-access radius-scheme mynac
authorization lan-access radius-scheme mynac
#per port
interface GigabitEthernet1/0/1
mac-authentication
mac-authentication max-user 2
mac-authentication re-authenticate server-unreachable keep-online
#remove a single port from mac authentication
interface GigabitEthernet1/0/1
undo mac-authentication
#remove a whole port range from mac authentication
interface range GigabitEthernet 2/0/1 to GigabitEthernet 2/0/48
undo mac-authentication
https://ase.arubanetworks.com/solutions?page=1&page_size=20&order=-modified
- template builder for RADIUS AAA and more
##################################################################
# HPE IMC - using SFTP / SCP to upload firmware
##################################################################
If you need to debug the SFTP / SCP process, there are log files under
/opt/iMC/server/conf/log/*.log
These logs are a bit confusing, so it helps to understand how the copy process works by doing it manually first. Here are the results of that testing:
-----------------------
prerequisites
-----------------------
To turn on the secure copy feature, "ip ssh filetransfer" has to be set on the switch.
The command show ip ssh displays the settings:
(config)# show ip ssh
SSH Enabled     : Yes    Secure Copy Enabled : Yes
TCP Port Number : 22     Timeout (sec)       : 120
Host Key Type   : RSA    Host Key Size       : 2048
>> Secure Copy Enabled has to be Yes!
------------------------
sftp firmware deploy tests / using manual sftp / psftp / scp commands
------------------------
FIRMWARE located on IMC
firmware stored in the IMC software database is located in the directory <IMC directory>/server/data/image,
for example:
windows: c:\program files\iMC\server\data\image
/opt/iMC/server/data/image/YA_16_11_0003.swi
/opt/iMC/server/data/image/YA_15_18_0007.swi
FIRMWARE destination on HPE / Aruba / ProCurve switch
the firmware images are stored under:
- /os/primary
- /os/secondary
- copy via sftp by using the psftp command from IMC
let's copy a firmware image via SFTP to an HPE Aruba 2530 8-port switch (J9774A):
#starting in directory: /opt/iMC/server/bin/
/opt/iMC/server/bin/psftp -P 22 admin@10.0.0.99
#once you are logged in, check the local directory (lpwd) and give the upload path relative to it:
psftp> lpwd
Current local directory is /opt/iMC/server/bin
psftp> put ../data/image/YA_16_11_0003.swi /os/secondary
local:../data/image/YA_16_11_0003.swi => remote:/os/secondary
>> file copied successfully
- copy via scp (scp from a linux machine)
scp /opt/iMC/server/data/image/YA_15_18_0007.swi admin@10.0.0.99:/os/secondary
scp /opt/iMC/server/data/image/YA_15_18_0007.swi radiususer1@10.0.0.99:/os/secondary
>> both the local user "admin" and the RADIUS-authenticated user "radiususer1" worked!!
- copy via IMC pscp command:
/opt/iMC/server/bin/pscp -P 22 /opt/iMC/server/data/image/YA_15_18_0007.swi admin@10.0.0.99:/os/secondary
/opt/iMC/server/bin/pscp -P 22 /opt/iMC/server/data/image/YA_15_18_0007.swi radiususer1@10.0.0.99:/os/secondary
>> both the local user "admin" and the RADIUS-authenticated user "radiususer1" worked!!
#pscp has two flags to force the protocol:
-sftp force use of SFTP protocol
-scp force use of SCP protocol
#on switch side, you see in the log:
01/05/90 00:26:47 00637 ssh: scp session from 10.0.0.10
or
I 01/05/90 00:25:17 00636 ssh: sftp session from 10.0.0.10
I 01/05/90 00:26:21 00163 update: Firmware image contains valid signature.
I 01/05/90 00:26:30 00150 update: Secondary Image updated.
##copy from windows
C:\Program Files\iMC\server\bin>pscp.exe -P 22 ..\data\image\YA_16_11_0003.swi radius.user1@10.0.0.99:/os/secondary
radius.user1@10.0.0.99's password:
YA_16_11_0003.swi | 14846 kB | 159.6 kB/s | ETA: 00:00:00 | 100%
# option -scp (speed about 800kbit)
# option -sftp (speed about 150kbit)
- IMC copy command settings:
cat /opt/iMC/server/conf/ssh_sftp_client.cfg
#linux putty
ssh-cmd = plink -P $port [-i $key-file] $user-name@$device-ip
sftp-cmd = psftp -P $port [-i $key-file] $user-name@$device-ip
- after the manual testing, use IMC -> Service > Deployment Task to deploy switch firmware to the switches
------
- further readings
-------
Execute command in sftp connection through script:
https://unix.stackexchange.com/questions/315050/execute-command-in-sftp-connection-through-script
useful stuff regarding ssh/sftp and hpe switches:
https://www.kagerer.net/category/hp-switch/page/2/
essential information from the YouTube videos of the Airhead Broadcasting channel:
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #1 Wired 802.1X
---------------------------------------------------------------------------------------------------
- see also: HPE Aruba Wired Enforcement Guide
- 802.1X on Windows: services > Wired AutoConfig > set to automatic
after the service is enabled, an "Authentication" tab is visible in the network settings of the interface
>> decide between user or computer authentication
- in ClearPass create a network device + a shared secret
- port bounce: interface 1/x/x > shutdown > no shutdown
- in ClearPass create an 802.1X Wired service, choose Active Directory as authentication source
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #2 Wired User Roles
---------------------------------------------------------------------------------------------------
- role-based access with local user roles
- best practice, enable accounting: aaa accounting port-access start-stop interim 60 group clearpass
- best practice, enable client visibility:
client track ip #enable on global level
vlan xx
client track ip #enable per vlan
#on the uplink port: client track ip disable
- in the ClearPass Enforcement Profile assign a role, for example admin
- create the role on the switch:
port-access role admin
vlan access name Management VLAN
- check on the switch with: show port-access clients
- make the username visible > create an enforcement profile that reads out the username and sends it back via RADIUS,
then "show port-access clients" will also show the username; the same works with the computer name
- Video about Aruba Dynamic Segmentation on AOS-CX: downloadable user roles and more
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #3 Device Profiling
---------------------------------------------------------------------------------------------------
- device profiling: DHCP profiling, ip helper on the core switch (pointing at ClearPass)
- trigger a new DHCP request: ClearPass Access Tracker -> Change Status > choose port bounce
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #4 Wired MAC Authentication
---------------------------------------------------------------------------------------------------
- default behaviour: the switch first tries 802.1X and waits for it to time out before it attempts MAC authentication,
the default timeout is 2 minutes and 30 seconds
>> solution: port-access onboarding-method concurrent enable
- configure the Profiling tab in the service to automatically trigger a port bounce as soon as ClearPass profiles a new or changed device
- ClearPass RADIUS MAC Authentication service:
- enable Profile Endpoints
- Authentication Method: [Allow All MAC AUTH] (plain [MAC AUTH] only accepts "known" endpoints)
- Authentication Source: Endpoint Repository (so you can use the profiling information)
- Profiler: RADIUS CoA Action > AOS-CX Bounce Port, triggered on "Any category / OS Family / Name",
so when a device connects for the first time it gets bounced and we know the device type
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #5 Wired MAC Enforcement
---------------------------------------------------------------------------------------------------
allow role-based traffic for the endpoint
- define some classes, like: "class ip class-dns", "class ip class-private", "class ip class-pbx"
- bring the classes together to policies:
port-access policy pol-internet
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-private action drop
40 class ip class-any
- port-access role profiler
associate policy pol-profile
vlan access name Untrusted VLAN
- port-access role machine
vlan access name Corporate VLAN
- port-access role voip
associate policy pol-voip
vlan access name Voice VLAN
- in ClearPass define roles and role mapping
- in ClearPass define enforcement profiles that return the role names, for example:
Radius:Aruba > Aruba-User-Role(1) = voip
Radius:Aruba > Aruba-User-Role(1) = profiler
- check with "show port-access clients" on switch
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs
---------------------------------------------------------------------------------------------------
- allow more devices behind a port:
interface 1/1/1-1/1/24
aaa authentication port-access client-limit 3 #default is one
- show client ip
- a special role for an access point; the special thing is the "auth-mode":
port-access role instant-ap
vlan trunk native name Management VLAN
vlan trunk allowed name Guest1 VLAN
vlan trunk allowed name Guest2 VLAN
auth-mode device-mode
- auth-mode:
client-mode: authenticate all devices
device-mode: authenticate just the first device
multi-domain: authentication for the native vlan and one for the voice vlan
- check with "show port-access clients" >> Authentication Mode should be seen as "device-mode"
ClearPass certificates - things to consider
- ClearPass Certificates 101 Technote
V1.2: https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us&docLocale=en_US
Radius Service
- use a private CA certificate for RADIUS
- use the same radius certificate on all your ClearPass servers
- subject could be: cn=ClearPass-Radius,ou=IT,O=your organisation,L=your location,ST=BW,C=DE
- Create Certificate Signing Request on first radius server > install the certificate on first radius server.
After installation > export the Radius certificate with the private key and save it to a file.
>> now import the saved file with certificate and private key to all other radius servers
HTTPS Service
- use a public certificate for https (guest + captive portal)
- wildcard or multi-san recommended
- decide whether to use ECC or not; if not, disable the ECC certificate on all subscribers
- subject should be: cn=*.your-org.com
Installation:
- Administration > Certificates > Certificate Store
- HTTPS > ECC + RSA slots are available; if only an RSA certificate is available, disable the ECC certificate!
(why use ECC: faster TLS handshakes)
- Import Certificate, maybe enable the CA Issuer
DNS names:
cppm1.testdomain.de: 10.18.2.100 (virtual ip)
cppm1-pub.testdomain.de: 10.18.2.101 (publisher)
cppm1-sub.testdomain.de: 10.18.2.102 (subscriber 1)
get the root certificate for the switches:
- DUR (downloadable user roles): the ClearPass HTTPS root certificate is required on the switch
get the certificate from the ClearPass server:
http://x.x.x.x/.well-known/aruba/clearpass/https-root.pem
on the switch:
crypto pki ta-profile https-root
ta-certificate terminal
........ (paste the PEM certificate)
<ctrl>+D
(you need to leave the ta-profile section afterwards)
show certificate:
show crypto pki ta-profile
links:
Aruba ClearPass Workshop (2021) - Getting Started #3 - Installing the HTTPS Certificate on ClearPass
https://www.youtube.com/watch?v=S9J-1JQ1V4Q
enable debug:
- debug portaccess role
- debug portaccess dot1x all
- debug portaccess radius
- debug destination buffer
--------------------------------------
view debug
- show debug buffer
--------------------------------------
disable debug:
- no debug portaccess role
- no debug portaccess dot1x all
- no debug portaccess radius
#switch settings (tested on switch type JL258A (2930f) )
-----------------------------------
#a role with only tagged VLANs and port-mode
aaa authorization user-role name "role1"
vlan-id-tagged 10,11,12
device
port-mode
exit
exit
#a role with an untagged vlan and a tagged one
aaa authorization user-role name "role2"
vlan-id 10
vlan-id-tagged 11
exit
#an untrusted role should also be defined and assigned as the initial role
aaa authorization user-role name "untrusted"
vlan-id 99
exit
aaa authorization user-role initial-role "untrusted"
#Radius Server settings
-------------------------------------------
make sure that the RADIUS server sends back an Access-Accept with the following attribute:
Radius:Hewlett-Packard-Enterprise HPE-User-Role = <user-role-name>
#hints
---------------------------------------------
- commands: show user-role <user-role-name>
- multiple tagged VLANs > supported since ArubaOS-Switch 16.08
- multiple tagged VLANs by name is not supported
- the maximum number of tagged VLANs that can be associated with a user role is 256 (tested with version WC.16.10.0010)
- debug on switch: debug security port-access mac-based
- cool video from Herman Robers: https://www.youtube.com/watch?v=0RHGyWFNxjI&feature=youtu.be
sample config on ArubaCX:
port-access role testrole1
auth-mode device-mode
reauth-period 3600
cached-reauth-period 28800
vlan trunk native 1
vlan trunk allowed 1-50
needed Radius attribute:
Radius:Aruba:Aruba-User-Role: testrole1
-----------------------------------------------
- see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=34779
-----------------------------------------------
- good to know:
- bug in versions 10.08 + 10.09 !! only 50 VLANs per role permitted: "Failed to associate VLANs to the Role. Maximum of 50 VLANs is allowed"
- according to the documentation, 256 VLANs should be permitted:
>> https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/security_4100i-6000-6100/Content/Chp_Port_acc/Port_acc_rol_cmds/vla-por-acc-fl-ml-10.htm
Multiple VLANs per port via RADIUS (one untagged + several tagged)
If you want to authenticate a device on a switch port using MAC authentication or 802.1X against a RADIUS server, you may need to put the device into more than one VLAN: one untagged VLAN and multiple tagged VLANs.
the RADIUS server has to return some special attributes to the switch
>> here is a sample Enforcement Profile from HPE Aruba ClearPass Policy Manager
>> Type: Radius
>> Action: Accept
Radius:IETF Session-Timeout = 10800
Radius:IETF Termination-Action = RADIUS-Request (1)
Radius:IETF Tunnel-Type = VLAN (13)
Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)
Radius:IETF Tunnel-Private-Group-Id = 10
Radius:Hewlett-Packard-Enterprise HPE-Port-MA-Port-Mode = 1
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083684
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083685
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083686
>> the attribute Tunnel-Private-Group-Id = 10 (together with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802) sets the switch port to VLAN 10 untagged
>> the HPE-Egress-VLAN-ID values look a bit strange: they are 32-bit integers in the Egress-VLANID format (RFC 4675): high byte 0x31 = tagged (0x32 would mean untagged), then 12 zero bits, then the 12-bit VLAN ID, i.e. 0x31000<VLAN-ID as 3 hex digits>. The attribute carries that number in decimal, so a tagged VLAN is simply 0x31000000 = 822083584 plus the VLAN ID:
-------- value: 822083684 means VLAN 100 tagged (0x31000064)
-------- value: 822083685 means VLAN 101 tagged (0x31000065)
-------- value: 822083686 means VLAN 102 tagged (0x31000066)
>>>>>> calculator for a specific VLAN: https://computer2know.de/index.php?site=radius-vlan-hex-value
>> the attribute HPE-Port-MA-Port-Mode = 1 is only meaningful for HPE ArubaOS-Switch, in case you want port-mode (the authorization applies to the whole port, not just the authenticated client)
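Added example (not code from the original notes, from HPE/Aruba or from ClearPass): a Python encoder/decoder for the Egress-VLANID value described above, plus a helper that renders the complete attribute set of the enforcement profile (untagged VLAN via the Tunnel-* attributes, one HPE-Egress-VLAN-ID per tagged VLAN). It goes slightly beyond the notes by also handling the untagged variant (tag byte 0x32) and by validating the pad bits when decoding. The attribute names are the ones shown in the profile above; the functions only compute values, they do not speak RADIUS.

```python
"""Encode / decode HPE-Egress-VLAN-ID values (RFC 4675 Egress-VLANID layout).

Layout of the 32-bit value:
  bits 31..24  tag indication: 0x31 = tagged, 0x32 = untagged
  bits 23..12  pad, must be zero
  bits 11..0   VLAN ID (1..4094)
Decimal value for a tagged VLAN = 0x31000000 + VLAN ID.
"""
TAGGED, UNTAGGED = 0x31, 0x32


def egress_vlan_id(vlan: int, tagged: bool = True) -> int:
    """Encode one VLAN as an Egress-VLANID integer (tagged by default)."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def decode_egress_vlan_id(value: int) -> tuple:
    """Return (vlan, tagged) for a value; reject anything that is not a
    well-formed Egress-VLANID (unknown tag byte, non-zero pad, bad VLAN)."""
    tag, pad, vlan = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED) or pad or not 1 <= vlan <= 4094:
        raise ValueError(f"not a valid Egress-VLANID value: {value:#010x}")
    return vlan, tag == TAGGED


def build_reply(untagged_vlan: int, tagged_vlans, session_timeout: int = 10800,
                port_mode: bool = True) -> list:
    """Attribute list for 'one untagged + several tagged VLANs' as (name, value)
    pairs, in the shape of the ClearPass enforcement profile in the notes."""
    if not 1 <= untagged_vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {untagged_vlan}")
    attrs = [
        ("Session-Timeout", session_timeout),
        ("Termination-Action", "RADIUS-Request"),
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(untagged_vlan)),   # untagged VLAN
    ]
    if port_mode:
        attrs.append(("HPE-Port-MA-Port-Mode", 1))        # ArubaOS-Switch only
    for vlan in sorted(set(tagged_vlans)):
        if vlan == untagged_vlan:
            raise ValueError(f"VLAN {vlan} cannot be both untagged and tagged")
        attrs.append(("HPE-Egress-VLAN-ID", egress_vlan_id(vlan)))
    return attrs


if __name__ == "__main__":
    # the example from the notes: VLAN 10 untagged, VLANs 100-102 tagged
    for name, value in build_reply(10, [100, 101, 102]):
        print(f"{name} = {value}")
    for v in (822083684, 822083685, 822083686):
        print(v, "->", decode_egress_vlan_id(v))
```

Use decode_egress_vlan_id() when reading a captured Access-Accept: a value whose tag byte is neither 0x31 nor 0x32, or whose pad bits are set, is a mistyped attribute rather than a VLAN, which is exactly the kind of error the decimal form hides.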
Dell Switches N2000 Series (N2024P)
tested with version 6.6.3.17
####################################
# Static Port security
####################################
#How to configure MAC based port security on Dell N2000, N3000, and N4000 series switches.
https://www.dell.com/support/kbdoc/de-de/000121440/how-to-configure-mac-based-port-security-on-dell-n2000-n3000-and-n4000-series-switches?lang=en
#turn on port security on port gi1/0/1 (configure mode)
switchport port-security #enable port security globally
interface gi1/0/1
> switchport port-security #turn on port security on the interface
> switchport port-security maximum 5 #allow a maximum of 5 MAC addresses on this port
>> the learned MAC addresses on interface gi1/0/1 are now cleared; the port re-learns them up to the configured maximum
#add static mac-addresses to an interface
console(config)# mac address-table static abcd.2233.1221 vlan 1 interface gi1/0/1
####################################
# Dynamic / Radius based Port security (mac-authentication)
####################################
console#configure
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control #enable 802.1X port-based access control
console(config)#authentication enable
console(config)#radius server <radius-server-ip>
console(config)#radius server key <your-radius-key>
console(config)#aaa authorization network default radius #allow the radius server to assign vlans
#enable authentication on the device port
#MAC Authentication Bypass (MAB) >> authenticate using the MAC address as identifier
#with FreeRADIUS as authentication server, MAB needs auth-type pap or chap!!
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#authentication port-control auto
console(config-if-Gi1/0/1)#mab
console(config-if-Gi1/0/1)#mab auth-type pap
console(config-if-Gi1/0/1)#switchport mode general
#uplink interface > no authentication on this port
console(config)#interface gigabitethernet 1/0/24
console(config-if-Gi1/0/24)#authentication port-control force-authorized
####################################
# useful show commands
####################################
show authentication statistics gigabitethernet 1/0/1
console(config)#show authentication
console#show authentication clients all
show authentication interface gigabitethernet 1/0/1
show radius statistics
show dot1x users #show authenticated users
show dot1x statistics gigabitethernet 1/0/1
####################################
# Documentation
####################################
https://usermanual.wiki/Dell/DellDellNetworkingN2000SeriesUsersManual136323.1551399830/html#pf42
Name of document:
Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON and N3200-ON Switches User’s Configuration Guide Version 6.6.3
page 371: Authentication, Authorization, and Accounting
####################################
useful common dell switch commands:
####################################
#turn on ssh server
console(config)# ip ssh server
#see interfaces
show interfaces status
save settings:
console#copy running-config startup-config
#set user / password with high privileges
console(config)#username admin password adminadmin privilege 15
#privilege 15 means read and write access
#what is the ip address of the switch?
show ip interface
####################################
#log messages
####################################
#after successful mac authentication you should see in the log
<190> Dec 15 14:02:59 172.16.99.20-1 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 548 %% INFO Client authorized on port (Gi1/0/1) with VLAN type RADIUS.
###################################
# Sample Configs
###################################
#######
#interface gi1/0/1 with some mac-auth settings
#######
interface Gi1/0/1
switchport mode general
authentication event fail action authorize vlan 200
authentication event no-response action authorize vlan 300
authentication periodic
authentication timer reauthenticate 300
authentication timer restart 60
mab
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
#######
# Sample config when tested with a FreeRADIUS server
#######
!Current Configuration:
!System Description "Dell EMC Networking N2024P, 6.6.3.17, Linux 4.14.138, Not Available"
!System Software Version 6.6.3.17
!
configure
vlan 99
exit
vlan 99
name "isolated"
exit
slot 1/0 3 ! Dell EMC Networking N2024P
stack
member 1 2 ! N2024P
exit
interface vlan 1
ip address dhcp
exit
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server key 7 "asdlfjasdlkfjasdklfj"
radius server auth 192.168.2.87
name "Default-RADIUS-Server"
exit
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
switchport mode general
authentication timer reauthenticate 300
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
snmp-server engineid local 800002a203fasfasdfasdf
eula-consent hiveagent reject
exit
ClearPass certificates
See also the documentation: ClearPass Certificates 101 Technote
V1.2:
https://www.hpe.com/psnow/doc/a00100345en_us
https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us&docLocale=en_US
-links:
Aruba ClearPass Workshop - Wireless #2 - Installing the ClearPass RADIUS certificate
https://www.youtube.com/watch?v=G7I2JyF8z7w&list=PLsYGHuNuBZcb0xD05v9zdwv7NlUG_8oJS&index=36
Aruba Instant: go to the command line of the virtual controller and send a test request:
aaa test-server <servername> username <username> password <passwd> auth-type <type>
#see also:
https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/aaa_test_server.htm
Aruba WLAN Mobility Controller - things to know
documentation:
- ArubaOS 8.10.0.0 User Guide: https://www.arubanetworks.com/techdocs/ArubaOS-8.x-Books/810/ArubaOS-8.10.0.0-User-Guide.pdf
show log security 50 | include aaa
https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/sh-log.htm
tutorials / further readings:
----------------------------------------------
- https://wifiwizardofoz.com/802-1x-wlan-using-aruba-controller-clearpass/
- https://community.arubanetworks.com/discussion/dynamic-vlan-assignment-with-radius-and-aruba-controller
#####################
#1) create a user role with only the necessary permissions (show the config, disable paging)
#####################
[HPE]role name switchbackup
[HPE-role-switchbackup]rule 1 permit command display current-configuration
[HPE-role-switchbackup]rule 2 permit command display saved-configuration
[HPE-role-switchbackup]rule 3 permit command screen-length disable
#####################
#2) review your created role, by using the following command:
#####################
[HPE]display role name switchbackup
Role: switchbackup
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit command display current-configuration
2 permit command display saved-configuration
3 permit command screen-length disable
R:Read W:Write X:Execute
#####################
#3) create the user and assign the user-role switchbackup to it
#####################
[HPE]local-user backup
[HPE-luser-manage-backup]password simple StrongPassword
[HPE-luser-manage-backup]authorization-attribute user-role switchbackup
[HPE-luser-manage-backup]undo authorization-attribute user-role network-operator #remove the default role
[HPE-luser-manage-backup]service-type ssh
#####################
#4) review the created user, make sure that there are no other assigned roles than switchbackup
#####################
[HPE]display local-user user-name backup class manage
Total 1 local users matched.
Device management user backup:
State: Active
Service type: SSH
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: switchbackup
Password control configurations:
Password complexity: username checking
#####################
#5) run a ssh login test, maybe you need to change the password once
#####################
login as: backup
backup@192.168.99.10's password:
First login or password reset. For security reason, you need to change your password.
Old password:
#########################################################
# tested with following switch configuration
#########################################################
#
version 7.1.070, Release 3507
#
sysname HPE
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface Ten-GigabitEthernet1/0/49
#
interface Ten-GigabitEthernet1/0/50
#
interface Ten-GigabitEthernet1/0/51
#
interface Ten-GigabitEthernet1/0/52
#
scheduler logfile size 16
#
line class aux
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
password-control enable
undo password-control aging enable
undo password-control length enable
undo password-control composition enable
undo password-control history enable
password-control login-attempt 3 exceed unlock
password-control update-interval 0
password-control login idle-time 0
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
role name switchbackup
rule 1 permit command display current-configuration
rule 2 permit command display saved-configuration
rule 3 permit command screen-length disable
#
user-group system
#
local-user admin class manage
service-type ssh terminal
authorization-attribute user-role network-admin
#
local-user backup class manage
service-type ssh
authorization-attribute user-role switchbackup
#
return
1) let's create 3 new attributes, under Administration > Dictionaries > Dictionary Attributes
Entity = Endpoint: Name = customer_NAS-IP-Adresss (String, Allow Multiple = no )
Entity = Endpoint: Name = customer-NAS-Port (String, Allow Multiple = no )
Entity = Endpoint: Name = customer-NAS-Port-Id (String, Allow Multiple = no )
2) let's create an Enforcement Profile
Enforcement > Profile > new Profile
- Template = ClearPass Entity Update Enforcement
- Name = Customer-Update-NAS-Information-to-Endpoint
- Attributes:
Type=Endpoint, Name=customer_NAS-IP-Adresss, Value=%{Radius:IETF:NAS-IP-Address}
Type=Endpoint, Name=customer-NAS-Port, Value=%{Radius:IETF:NAS-Port}
Type=Endpoint, Name=customer-NAS-Port-Id, Value=%{Radius:IETF:NAS-Port-Id}
3) assign Profile to a policy, add a new rule
Conditions: Data:Date-Time EXISTS >> then: Customer-Update-NAS-Information-to-Endpoint
---------------------------------------------------------------------------------------
How to configure mac-based port authentication on an Aruba CX switch, and how can you set device mode via radius response?
#######################################################################################
#Aruba CX switch config
###################################
radius-server host radius-server-ip key ciphertext yoursecret...
aaa authentication port-access mac-auth
auth-method pap
enable
#quiet-period <1-65535>
#reauth
#reauth-period <0-65535>
#turn on mac address authentication on interface 1/1/12
interface 1/1/12
aaa authentication port-access mac-auth
enable
client-limit <number>
#######################################################################################
#######################################################################################
#useful switch commands
#######################################################################################
#reauthenticate a client
port-access reauthenticate interface 1/1/12
#show authentication status
show port-access clients
or
show port-access clients detail
#######################################################################################
#how can you set the client to device mode, let's say the client is an access point with local vlan breakout,
#so that only the access point is authenticated, and not all the clients behind it?
#######################################################################################
#>> you need these radius attributes in your radius Access-Accept response:
#Radius Attribute for device mode on a switch port
Type: Radius:Aruba
Name: Aruba-Port-Auth-Mode(50)
Value: Infrastructure-Mode (1)
#to support these attributes, define them in your radius dictionary:
VENDOR Aruba 14823
BEGIN-VENDOR Aruba
ATTRIBUTE Aruba-Port-Auth-Mode 50 integer
VALUE Aruba-Port-Auth-Mode Infrastructure-Mode 1
VALUE Aruba-Port-Auth-Mode Client-Mode 2
VALUE Aruba-Port-Auth-Mode Multi-Domain-Mode 3
END-VENDOR Aruba
#the radius dictionary for aruba can also be found here:
https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.aruba
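Added example (not from this page, nor from FreeRADIUS or Aruba): a small Python encoder/decoder that shows how the dictionary lines above map onto the wire, i.e. onto the RFC 2865 Vendor-Specific attribute (type 26) that carries Aruba-Port-Auth-Mode. The vendor id 14823, the attribute number 50 and the three values are taken from the dictionary lines on this page; the function names are my own.

```python
import struct

# Taken from the dictionary lines on this page (FreeRADIUS dictionary format).
ARUBA_VENDOR_ID = 14823
ARUBA_PORT_AUTH_MODE = 50
PORT_AUTH_MODE_VALUES = {
    "Infrastructure-Mode": 1,
    "Client-Mode": 2,
    "Multi-Domain-Mode": 3,
}

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps every vendor attribute


def encode_vsa(vendor_id, vendor_type, data):
    """Wrap vendor data in a Vendor-Specific (type 26) attribute.

    Wire layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) Data
    """
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + inner
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute too long for one RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, length) + body


def encode_port_auth_mode(mode_name):
    """Build the Aruba-Port-Auth-Mode VSA for one of the dictionary's named values."""
    value = PORT_AUTH_MODE_VALUES[mode_name]           # KeyError for unknown names
    return encode_vsa(ARUBA_VENDOR_ID, ARUBA_PORT_AUTH_MODE,
                      struct.pack("!I", value))        # integer = 4 octets, network order


def decode_vsa(avp):
    """Parse one Vendor-Specific AVP into (vendor_id, vendor_type, data), checking both lengths."""
    if len(avp) < 8 or avp[0] != VENDOR_SPECIFIC or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vendor_type, vendor_len = avp[6], avp[7]
    if vendor_len != len(avp) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, avp[8:]


def describe_port_auth_mode(avp):
    """Map a received AVP back to the dictionary name, e.g. 'Infrastructure-Mode'."""
    vendor_id, vendor_type, data = decode_vsa(avp)
    if vendor_id != ARUBA_VENDOR_ID or vendor_type != ARUBA_PORT_AUTH_MODE:
        raise ValueError("not an Aruba-Port-Auth-Mode attribute")
    if len(data) != 4:
        raise ValueError("integer attribute must be 4 octets")
    value = struct.unpack("!I", data)[0]
    for name, number in PORT_AUTH_MODE_VALUES.items():
        if number == value:
            return name
    return "unknown(%d)" % value


if __name__ == "__main__":
    avp = encode_port_auth_mode("Infrastructure-Mode")
    print(avp.hex(), "->", describe_port_auth_mode(avp))
```

Seeing the bytes makes it easy to compare a packet capture of the Access-Accept with what the dictionary says, and the decoder checks both length fields instead of trusting whatever the sender put there.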
In the process of 802.1x authentication transactions, such as EAP-PEAP, EAP-TLS, the ClearPass server includes the Radius server certificate in its communication with clients as per the protocol. However, because the certificate's size surpasses the interface MTU (Maximum Transmission Unit), it becomes necessary to fragment it into smaller segments, specifically using EAP-Fragments. The current need is to modify the size of these EAP-Fragments originating from ClearPass.
where to change the setting in clearpass?
Policy Manager>Administration>Server Manager>Server Configurations>Click on server>Service Parameter>Radius server:
EAP-TLS Fragment size :: default is 1024 bytes
https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094111en_us&docLocale=en_US
---------------------------------------------------------------------------------------
HPE Aruba > port access > client inactivity timeout problem > for example a printer that sleeps
problem: a device that does not send any periodic network traffic (because it sleeps) will be forgotten
by the switch, since the default inactivity timer is 5 minutes (300 seconds)
>> you can change this using a local role!
#create a new local role
cx-switch(config)# port-access role printer
cx-switch(config-pa-role)# client-inactivity timeout 4294967295
cx-switch(config-pa-role)# exit
#assign the role to an interface
cx-switch(config)# interface 1/1/16
cx-switch(config-if)# aaa authentication port-access auth-role printer
#sample of a whole interface config, with mac authentication
cx-switch# show running-config interface 1/1/16
interface 1/1/16
no shutdown
no routing
vlan access 14
aaa authentication port-access client-limit 2
aaa authentication port-access reject-role unknown
aaa authentication port-access auth-role printer
aaa authentication port-access mac-auth
cached-reauth
cached-reauth-period 86400
enable
dhcpv4-snooping trust
dhcpv6-snooping trust
loop-protect
exit
#how to mix the role parameters with radius parameters? >> use aaa authentication port-access radius-override
aaa authentication port-access radius-override enable
Description
Enables or disables radius-override support at the interface context. When radius-override support is enabled, a new RADIUS overridden role is created with a combination of LUR/DUR along with RADIUS attributes for the corresponding client-role attributes such as VLANs, captive portal URL, and downloadable gateway role. When the RADIUS override support is disabled, then only the user-roles get applied to the client.
-----------------------------------
documentation
- https://www.arubanetworks.com/techdocs/AOS-CX/10.11/HTML/security_6200-6300-6400/Content/Chp_Port_acc/Port_acc_gen_cmds/aaa-aut-por-acc-rad-ove.htm
---------------------------------------------------------------------------------------
Client-inactivity/idle timeout
-----------------------------------------------------
1: Local User Role
6300-VSF(config)# port-access role silent
6300-VSF(config-pa-role)# client-inactivity timeout
<300-4294967295> Set client inactivity timeout value in seconds.
none
2: Radius
Radius:IETF Idle-Timeout = 0
Allow-Flood-Traffic
---------------------------------
>> wol etc ...
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)# port-access allow-flood-traffic enable
6300-VSF(config-if)# exit
• Caveat
>> Custom Port vlan membership , as the admin must configure the right broadcast/wol server vlan in the silent end client connected ports even before
authentication.
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)# vlan access <>
6300-VSF(config-if)# exit
Client IP Tracker
----------------------------------
Recommended for Client Types – All client types
6300-VSF(config)# client track ip
6300-VSF(config)# client track ip all-vlans
Or
6300-VSF(config)# vlan 2
6300-VSF(config-vlan-2)# client track ip
6300-VSF(config-vlan-2)# exit
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)#client track ip update-interval <60-28000s>(Default: 1800)
6300-VSF(config-if)#exit
6300-VSF(config)# show client ip
how does the switch track the IP?
>>
• After the configured update interval , switch will start sniffing for packets from the client mac-address for 15s.
• If there are no packets received after 15s, it will start the ARP probe – 3 times with each 3s delay
• Client will respond back to arp probe and it will not age out.
################################################################################################
see the original document on:
https://community.arubanetworks.com/discussion/hpe-anw-cx-switches-silent-client-support
document: Silent Client Support – AOS-CX.pdf
---------------------------------------------------------------------------------------
I) global config:
port-access role client-inactivity
client-inactivity timeout none
port-access role unknown
vlan access 1
II) port config:
interface 1/1/1
no shutdown
no routing
vlan access 2
aaa authentication port-access reject-role unknown
aaa authentication port-access auth-role client-inactivity
aaa authentication port-access radius-override enable
aaa authentication port-access mac-auth
enable
" Since Aruba CX software version 10.12 the device fingerprint information learnt by the switch can be sent as Vendor Specific Attributes (VSA) to ClearPass RADIUS server in RADIUS accounting packets."
>> see the following blog entry:
https://integratingit.wordpress.com/2023/10/31/aruba-cx-device-fingerprinting/
---------------------------------------------------------------------------------------
how to?
1) create a device fingerprint:
client device-fingerprint profile FINGERPRINT-PROFILE
dhcp option-num 55
dhcp options-list
cdp tlv-name capabilities
cdp tlv-name device-id
cdp tlv-num 4
lldp tlv-name system-name
lldp tlv-num 5
lldp tlv-name port-description
lldp tlv-name system-capabilities
2.) enable the fingerprint profile
To enable the device fingerprint profile this can be enabled globally or under specific interfaces using the command client device-fingerprint apply-profile FINGERPRINT-PROFILE
interface 1/1/1
client device-fingerprint apply-profile FINGERPRINT-PROFILE
3.) send the fingerprint information, to clearpass
aaa radius-attribute group CPPM-RADIUS
vsa vendor aruba type avpair group dfp-client-info
4.) verification:
- DEVSWI# show client device-fingerprint active
- DEVSWI# show client device-fingerprint
- on clearpass you should see the fingerprint information under Configuration > Identity > Endpoints
- you can debug the radius flow and should see the attribute information in a Radius Accounting Request (Vendor Specific (VSA) attribute)
---------------------------------------------------------------------------------------
for HPE Aruba solutions, for example how to configure radius logon authentication, use this nice page:
- https://ase.arubanetworks.com/
================================================================================
solution example:
Creates a Aruba ClearPass Policy Manager (CPPM) XML files and CLI to enable TACACS+ or RADIUS.
Configuration Notes
This will configure the basic TACACS+ or RADIUS on an ArubaOS switch and generate the ClearPass Policy Manager (CPPM) service, enforcement profile and policy for importing into the ClearPass server
https://ase.arubanetworks.com/solutions/id/126
NTRadPing is a cool old Radius test utility, that can be downloaded on several places. I just used it - version 1.5 from 2003 on Windows 11 ;-)
if you need to add some new Radius Attributes to the dictionary, here is an example.
dictionary file is: raddict.dat
example of some HP / Aruba specific attributes, just add these lines at the end of the file and restart NTRadPing Test Utility:
ATTRIBUTE Port-MA-Port-Mode 14 integer HP
VENDOR Aruba 14823
ATTRIBUTE Aruba-Port-Auth-Mode 50 integer Aruba
---------------------------------------------------------------------------------------
#on switch
#configure radius-server
radius-server host <ip or dns>
radius-server key plaintext <shared radius secret>
aaa authentication login default group local radius
aaa accounting all-mgmt default start-stop group radius
aaa authentication allow-fail-through
#on clearpass you need a generic Radius rule and the following profiles:
profile: <customer>_Radius_Switch_Operator + Admin
>> Operator: NAS-Prompt-User (7)
>> Administrator: Administrative-User(6)
#further reading > see hpe security guide, for example search for:
arubaos cx 10.13 security guide links / tutorials:
- https://www.andysblog.de/windows-wireless-lan-802-1x-und-nps
---------------------------------------------------------------------------------------
if cloud guest is not working, there is probably no connection to the specified cloud RadSec port TCP 2083.
Some useful commands to check on an access point console:
- commands to use
show radius-servers
-> here you should see an established session to Radsec port TCP 2083
show radius status
-> here you should see an established session to Radsec port TCP 2083
ping euw1.cloudguest.central.arubanetworks.com
-> check if dns resolution works > you should see an ip
show ap debug radius-statistics
-> check if guest / cloud server is "Up"
show log security
-> see logs regarding radsec
show datapath session
-> you should see an established session to destination port 2083 (Radsec)
show ap debug cloud-connectivity
-> see cloud status
show ap debug cloud-pingpong-stats
ping statistics 744(744)
pong statistics 744(744)
------------------------------------------------
important document!
>> https://www.arubanetworks.com/techdocs/central/2.5.7/content/nms/device-mgmt/communication_ports.htm
------------------------------------------------
---------------- sample output if you execute the script -------------
./countRadiusLogin.sh
0 radius_auth count=15661 Radius Authentication counts per day (15661)
0 radius_auth_success count=2 Successful Radius Authentication counts per day (2)
0 radius_auth_failed count=15659 Failed Radius Authentication counts per day (15651)
---------------------- script -------------------
#!/bin/bash
# counts today's RADIUS authentication requests, successes and failures in the freeradius log
logfile='/var/log/radius/radius.log'
# freeradius writes the English month abbreviation (e.g. "Nov"), so force the locale for date
month=$(LC_TIME="en_US.UTF-8" date +"%b")
day=$(date +"%-d")
# the log pads single-digit days with a blank ("Nov  5"), so build the same date string
if [ "$day" -lt 10 ]
then
blank=" "
else
blank=""
fi
today="$month $blank$day"
countAll=$(grep "authentication request for user" "$logfile" | grep -c "$today")
countSuccess=$(grep "Success - User" "$logfile" | grep -c "$today")
countFailed=$(grep "Denied access" "$logfile" | grep -c "$today")
echo "0 radius_auth count=$countAll Radius Authentication counts per day ($countAll)"
echo "0 radius_auth_success count=$countSuccess Successful Radius Authentication counts per day ($countSuccess)"
echo "0 radius_auth_failed count=$countFailed Failed Radius Authentication counts per day ($countFailed)"
sometimes you need a smaller size < 1000 bytes for radius fragmentation (because of udp fragmentation)
##############
aruba cx switches
##############
>> on aruba cx switch you can make the following setting:
aaa authentication port-access dot1x authenticator
eap-tls-fragment towards-server 900
enable
##############
aruba os / former procurve switches
##############
syntax:
aaa port-access authenticator eap-tls-fragment towards-server <max-fragment-size>
- see also: https://arubanetworking.hpe.com/techdocs/AOS-S/16.11/ASG/WC/content/common%20files/cnf-eap-tls-fra-siz.htm?Highlight=eap%20fragment
##############
Aruba Central / Cloud / Wifi
##############
to make the setting on aruba cloud managed access point:
> go to device -> Security
>> under section "Authentication Servers" choose: EAP Fragmentation MTU 900
** if you have fragmentation problems set the MTU < 1024 bytes, or always use 900 bytes ;-) best practice is to use 900 bytes if you have udp fragmentation trouble / don't forget to make the same setting on the Radius side as well:
https://arubanetworking.hpe.com/techdocs/CLI-Bank/Content/aos10/a10-sh-1x-eap-frag-mtu.htm
Description
This command displays the IP MTU to be considered for EAP fragmentation.
(host) [mynode] #show dot1x eap-frag-mtu
Radius profile for tagged vlan on a switch port - RFC 4675 (useful for HPE Clearpass / freeradius)
RFC 4675: RADIUS Attributes for Virtual LAN and Priority Support
Attribute Egress-VLANID:
------------------------
- The Egress-VLANID attribute represents an allowed IEEE 802 Egress
VLANID for this port, indicating if the VLANID is allowed for
tagged or untagged frames as well as the VLANID.
- Type: Radius:IETF, Name: Egress-VLANID
- Value Field: [TAG Indic.| Pad | VLANID]
- The Tag Indication field, one octet long, specifies whether VLAN frames are tagged (0x31) or untagged (0x32),
the Pad field is 12 bits of zeros, and the VLANID is 12 bits containing the IEEE-802.1Q VLAN VID value.
Attribute Egress-VLAN-Name:
---------------------------
- The Egress-VLAN-Name
attribute represents an allowed VLAN for this port. It is similar
to the Egress-VLANID attribute, except that the VLAN-ID itself is
not specified or known; rather, the VLAN name is used to identify
the VLAN within the system.
- Type: Radius:IETF, Name: Egress-VLAN-Name
- Value Field: [TAG Indic.| String]
- The Tag Indication is one byte that shows whether VLAN frames are tagged (0x31, ASCII '1') or untagged (0x32, ASCII '2'), making it easy for users to input,
while the String field, at least one byte long, contains the VLAN name encoded in UTF-8.
========================================================
Examples:
=========
#assign tagged vlan name "wifi", would look like:
Radius:IETF Egress-VLAN-Name = 1wifi
for aruba cx switches you can also use this attribute:
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-Name = 1wifi
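Added example (my own code, not from this page, RFC 4675 or any vendor): Python encoding and decoding of the two attributes described above, so the "1wifi" string and the Tag Indication / Pad / VLANID packing can be checked byte by byte. The attribute type numbers 56 (Egress-VLANID) and 58 (Egress-VLAN-Name) come from RFC 4675 and are not listed on this page; VLAN 14 and the name "wifi" are sample values.

```python
import struct

# Attribute type numbers from RFC 4675 (not on this page).
EGRESS_VLANID = 56
EGRESS_VLAN_NAME = 58
TAG_TAGGED = 0x31      # ASCII '1': VLAN is tagged on the port
TAG_UNTAGGED = 0x32    # ASCII '2': VLAN is untagged on the port


def avp(attr_type, data):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_egress_vlanid(vid, tagged):
    """Egress-VLANID: 32-bit integer = Tag Indication (8 bits) | Pad (12 zero bits) | VLANID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return avp(EGRESS_VLANID, struct.pack("!I", (tag << 24) | vid))


def encode_egress_vlan_name(name, tagged):
    """Egress-VLAN-Name: one Tag Indication byte followed by the UTF-8 VLAN name."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return avp(EGRESS_VLAN_NAME, bytes([tag]) + name.encode("utf-8"))


def decode_egress_vlanid(data):
    """Return (tagged, vid) for a complete Egress-VLANID attribute, rejecting malformed values."""
    if len(data) != 6 or data[0] != EGRESS_VLANID or data[1] != 6:
        raise ValueError("not a well-formed Egress-VLANID attribute")
    value = struct.unpack("!I", data[2:])[0]
    tag = value >> 24
    if tag not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError("bad tag indication")
    if (value >> 12) & 0xFFF:
        raise ValueError("pad bits must be zero")
    return tag == TAG_TAGGED, value & 0xFFF


def decode_egress_vlan_name(data):
    """Return (tagged, name) for a complete Egress-VLAN-Name attribute."""
    if len(data) < 4 or data[0] != EGRESS_VLAN_NAME or data[1] != len(data):
        raise ValueError("not a well-formed Egress-VLAN-Name attribute")
    tag = data[2]
    if tag not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError("bad tag indication")
    return tag == TAG_TAGGED, data[3:].decode("utf-8")


if __name__ == "__main__":
    # sample values: tagged VLAN 14, tagged VLAN name "wifi"
    print(encode_egress_vlanid(14, True).hex())        # Egress-VLANID on the wire
    print(encode_egress_vlan_name("wifi", True).hex())  # Egress-VLAN-Name = "1wifi"
```

The decoders refuse a pad that is not zero and a tag byte other than '1' or '2', which is what a careful NAS should do with an attribute it did not expect; the string form "1wifi" the examples above use is simply the tag byte plus the name.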
========================================================
------
see also:
RFC3580 - assign VLAN via tunnel attributes - https://www.rfc-editor.org/rfc/rfc3580
---------------------------------------------------------------------------------------
if you see in the freeradius server log file messages like these:
Wed Nov 12 09:05:10 2025 : Error: It looks like the client has been updated to protect from the BlastRADIUS attack.
Wed Nov 12 09:05:10 2025 : Error: Please set "require_message_authenticator = true" for client 172.23.99.110
Wed Nov 12 09:05:10 2025 : Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> the solution is to require the "require_message_authenticator" setting in the client definition file; it should look like this:
client 172.23.99.110 {
ipaddr = 172.23.99.110
secret = your shared secret
require_message_authenticator = yes
}
see also:
- https://airheads.hpe.com/blogs/agallnx/2024/12/11/nac-and-blast-radius-what-you-need-to-know
================================================================================
background to BlastRadius attack:
**BlastRADIUS problem:** During high-volume testing, it can overload the RADIUS server, causing many error messages and performance issues.
**Authenticator solution:** Implementing an **authenticator** (like a shared secret or a specific verification step) ensures only legitimate requests are processed, reducing unnecessary load and errors.
**Technical solution:** The fix involves adding a secure verification layer—such as validating request signatures or tokens—before processing, which filters out invalid or malicious requests and stabilizes server performance.
The Message-Authenticator attribute is also an important part of the technical solution.
Technical solution (expanded): According to RFC 3579, the Message-Authenticator attribute (Type 80) is used to ensure the integrity and authenticity of RADIUS messages. Implementing this attribute involves computing an HMAC-MD5 hash over the entire message, including the attribute itself, using the shared secret.
By validating the Message-Authenticator attribute, the server can verify that incoming requests are genuine and unaltered, which helps prevent spoofed or malicious requests from overloading the server. This adds an extra layer of security and reliability, especially during high-volume testing, thereby reducing errors and improving overall stability.
Summary: The combined use of the Message-Authenticator attribute, along with RFC 2865 attributes like NAS-IP-Address or NAS-Identifier, and a shared secret, forms a robust authentication mechanism to mitigate the BlastRADIUS problem during heavy loads.
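Added example (my own code, not the FreeRADIUS implementation): computing and verifying Message-Authenticator in Python as RFC 3579 describes it, an HMAC-MD5 keyed with the shared secret over Code, Identifier, Length, Request Authenticator and all attributes, with the attribute's own 16-byte value set to zeros while the hash is computed. The shared secret, the Request Authenticator and the User-Name are constructed sample values; the NAS address 172.23.99.110 is the one from the log lines above. The verify function is what a server enforces once require_message_authenticator = yes is set: a request that carries no valid Message-Authenticator is rejected.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME = 1                 # RFC 2865
NAS_IP_ADDRESS = 4            # RFC 2865
MESSAGE_AUTHENTICATOR = 80    # RFC 3579 section 3.2


def avp(attr_type, data):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_access_request(ident, request_authenticator, attrs, secret):
    """Assemble an Access-Request and append a Message-Authenticator.

    Value = HMAC-MD5(secret, Code | Identifier | Length | Request Authenticator | Attributes)
    with the Message-Authenticator attribute present and its value zeroed during the hash.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed placeholder, last attribute
    length = 20 + len(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                                   # fill the placeholder


def verify_message_authenticator(pkt, secret):
    """Server-side check: True only if a Message-Authenticator is present and valid."""
    if len(pkt) < 20:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt):
        return False
    offset = 20
    while offset + 2 <= length:
        attr_type, attr_len = pkt[offset], pkt[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False                                     # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = pkt[offset + 2:offset + 18]
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)   # constant-time compare
        offset += attr_len
    return False                                             # attribute missing: reject


def demo(secret=b"constructed-sample-secret", request_authenticator=None):
    """Build a sample request and show what the check accepts and rejects."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)               # random per RFC 2865
    attrs = avp(USER_NAME, b"printer01") + avp(NAS_IP_ADDRESS, socket.inet_aton("172.23.99.110"))
    good = build_access_request(7, request_authenticator, attrs, secret)
    # flip one bit of the User-Name value (byte 22) after the MAC was computed
    tampered = good[:22] + bytes([good[22] ^ 0x01]) + good[23:]
    # the same request assembled without any Message-Authenticator
    no_ma = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + request_authenticator + attrs
    return {
        "valid": verify_message_authenticator(good, secret),
        "tampered": verify_message_authenticator(tampered, secret),
        "wrong_secret": verify_message_authenticator(good, b"other-secret"),
        "missing": verify_message_authenticator(no_ma, secret),
    }


if __name__ == "__main__":
    print(demo())   # only "valid" is True
```

Note the two checks that matter for the clients.conf setting above: a missing attribute returns False rather than falling back to the weaker Request Authenticator check, and the comparison uses hmac.compare_digest so the verdict does not leak timing.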
**When available:** This improvement has been in use since around 2020.
---------------------------------------------------------------------------------------
+---------------------------------------------------------------+
|                      Required Open Ports                      |
+------------------------+----------------+---------------------+
| Port                   | Protocol       | Service/Application |
+------------------------+----------------+---------------------+
| 22                     | TCP            | SSH (Secure Shell)  |
| 123                    | UDP            | NTP (Time Sync)     |
| 443                    | TCP            | HTTPS               |
| 1645                   | UDP            | RADIUS Auth         |
| 1646                   | UDP            | RADIUS Accounting   |
| 1812                   | UDP            | RADIUS Auth         |
| 1813                   | UDP            | RADIUS Accounting   |
| 5432                   | TCP            | PostgreSQL DB       |
| 5433                   | TCP            | Insight DB & TipsLog|
+------------------------+----------------+---------------------+
To manage or filter network traffic related to the additional ports used by ClearPass Features, you will need to create appropriate firewall rules. Here is a summarized list of those ports, protocols, and services, which you can use to configure your firewall:
---
### ClearPass Additional Ports and Protocols
| Port(s) | Protocol | Service | Used by | Description |
|---------|----------|---------|---------|--------------|
| **443** | TCP | HTTPS | ClearPass UI | Management Station & Guest Portal |
| **22** | TCP | SSH | ClearPass | Secure Shell access |
| **443** | TCP | HTTP (not recommended) | Guest Portal | Can be configured if needed |
| **443** | TCP | HTTPS | Update Service | ClearPass Update Server |
| **443** | TCP | HTTPS | OnGuard Agent | Endpoints |
| **6658** | TCP | (Recommended to be open) | OnGuard to CPPM | Endpoints communication |
| **7432** | TCP | Diagnostics | Cluster Diagnostics | Clusters |
| **3799** | TCP/UDP | RADIUS CoA (RFC3576) | NAS Devices | AAA Services |
| **49** | TCP/UDP | TACACS | NAS Devices | Terminal Access Controller Access-Control System |
| **ICMP** | ICMP | Echo (ping) | Domain Join, AD communication | Between ClearPass and Active Directory |
| **389** | TCP/UDP | LDAP | AD Servers | Directory services |
| **636** | TCP/UDP | LDAP over SSL | AD Servers | Secure LDAP |
| **445** | TCP/UDP | NetLogon | AD Servers | Windows Authentication |
| **49152-65535** | TCP | SMBv2/v3 RPC | AD Servers | High TCP ports for SMB |
| **1025-5000** | TCP | SMBv1 RPC | AD Servers | Low TCP ports for SMB |
| **88** | UDP | Kerberos Authentication | AD Servers | Authentication protocol |
| **464** | TCP | Password Change | AD Servers | Kerberos password change |
| **139** | TCP | AD Auth test from CLI | AD Servers | Diagnostic |
| **161** | UDP | SNMP Read/Write | Endpoints | Management & Monitoring |
| **162** | UDP | SNMP Traps | Endpoints | Alerts & notifications |
| **135** | TCP | WMI Scan | Endpoints | Windows Management Instrumentation |
| **25** | TCP | SMTP | SMTP Servers | Email sending |
| **465** | TCP | SMTP Secure | SMTP Servers | Secured email sending |
| **53** | TCP/UDP | DNS | DNS Servers | Name resolution |
| **67** | UDP | DHCP | Network | DHCP service |
| **2055** | UDP | DHCP Snooper | Network | DHCP monitoring |
| **6343** | UDP | sFlow collector | Network | Traffic sampling |
| **514** | UDP | Ingress Events | Network | Event logging |
| **2083** | TCP | RadSec | Radius | Secure RADIUS communication |
---
### Recommendations:
- Open only the necessary ports based on your environment.
- Use the protocols wisely; for example, prefer UDP for SNMP and DNS, TCP for management and directory services.
- For security, restrict access to these ports to specific IP addresses or networks where applicable.
### see also
https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/Deploy/About%20ClearPass/Accessing_ClearPass.htm