WifiHax - Making Networks Excellent

ClearPass: Private Key Import (No password)

23/9/2021

This article covers a very specific case: importing a certificate and private key pair where the private key does not have a password. It does not explain certificate types or use cases, certificate and key file formats, or the intricacies of PKI.

ClearPass requires certificates in order to operate securely (encrypt/decrypt traffic) and identify itself during RADIUS transactions. The most common certificates you would import are RADIUS, HTTPS and RadSec. There are others but these all require a private key.

ClearPass allows you to import the certificate and private key as two separate files (you can also import them as a combined file). 
It is quite common to receive a private key file that is not protected by a password, whether it be from a public certificate authority or an internal CA service. When you try to import this file pair into ClearPass while leaving the "Private Key Password" field blank you will receive an error:
Private Key Password must be specified
The error states that the Private Key Password must be specified. The problem is that there isn't one to enter, so it is not obvious how to proceed.

You can get around this error by entering anything (I haven't exhaustively tested every possible entry) into the Private Key Password field. 

During my first attempt I used "null", which worked. Then I used "asdf" which also worked. A simple, single character entry also appeared to work fine.
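A pre-import check for the case this article covers, as an added example that is not part of the original post: it reads the PEM text of a key file (or a combined certificate and key file) and reports whether the private key really is unencrypted, or carries PKCS#8 or traditional OpenSSL encryption. The function name and the sample PEM blocks are constructed for illustration.

```python
import re

# Matches the BEGIN line of any PEM private-key block (PKCS#8, RSA, EC, ...).
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\s*$", re.M)


def key_protection(pem_text):
    """Classify PEM text as 'encrypted', 'unencrypted' or 'no-private-key'."""
    m = _BEGIN.search(pem_text)
    if m is None:
        return "no-private-key"          # e.g. a certificate-only file
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"               # PKCS#8 EncryptedPrivateKeyInfo
    # Traditional OpenSSL encryption keeps the plain label and adds
    # "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." headers before the base64.
    end = pem_text.find("-----END " + label + "-----", m.end())
    body = pem_text[m.end():end if end != -1 else len(pem_text)]
    for line in body.strip().splitlines():
        if ":" not in line:              # base64 never contains ':'
            break
        name, _, value = line.partition(":")
        if name.strip() == "Proc-Type" and "ENCRYPTED" in value:
            return "encrypted"
    return "unencrypted"


# Constructed samples: the base64 bodies are dummy text, not real keys.
PLAIN_PKCS8 = "-----BEGIN PRIVATE KEY-----\nZHVtbXk=\n-----END PRIVATE KEY-----\n"
ENC_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nZHVtbXk=\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
ENC_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Proc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              "ZHVtbXk=\n-----END RSA PRIVATE KEY-----\n")
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in [("plain", PLAIN_PKCS8), ("pkcs8-enc", ENC_PKCS8),
                      ("legacy-enc", ENC_LEGACY), ("cert", CERT_ONLY)]:
        print(name, "->", key_protection(pem))
```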

ClearPass: Preferred phone country codes

22/9/2021

When using phone numbers in ClearPass guest self-registration, the system elevates US and UK to the top of the country codes selector by default. This isn't always suitable so you may want to change the country codes that are promoted to the top to be more appropriate for your user base.
Generally this will come up when you are building a Guest Self-Registration workflow - but it may be relevant for any page which shows a phone number field in a ClearPass form.

It is possible to edit the settings of the most commonly used visitor_phone Base Field. This should result in an update across all Forms which use this Field.
This can be done from the ClearPass Guest Configuration page.
  1. Go to Pages --> Fields
  2. Select the visitor_phone field (which is close to the bottom of the list when alphabetically sorted)
  3. Click Edit
  4. Scroll down to the Preferred Countries property
  5. Add the appropriate two character country code or codes (multiple country codes can be entered using a comma between each)
  6. Click Save Changes
It is possible to edit this field on a per-form basis so that portals and pages can have differing preferred country codes. This may be appropriate for ClearPass deployments that cater to global or multi-national use cases.

What AP is that? (For Eddie)

12/5/2021

So you've just had a contractor install 173 Access Points! Congrats! But, they haven't taken note of which one is where, nor did you create a table to show them which specific unit belongs in which location. Bummer dude! Without knowing where each AP is, you can't make finer adjustments to the system, and troubleshooting location-specific issues can be a nightmare.

There's an app for this problem... Well, maybe an API... 

Aruba Access Points have a function where each Access Point can advertise its hostname in the beacon. It's still a manual job to go around and find each one with a survey tool or something like Wi-Fi Explorer, but it makes it easier than searching BSSIDs!

To enable this handy feature on an Instant AP (or cluster) you can use the Command Line Interface (CLI). 
Go to the specific WLAN context and use the "advertise-ap-name" command.
config
wlan ssid-profile <SSIDname>
advertise-ap-name
end
wr mem

If you're using Aruba Central then you can't adjust the AP config via CLI, so you can use the API instead! For this particular feature (as of the date this is published) there is no specifically targeted API. You can use the AP Configuration API called "Replace AP configuration", which essentially replaces the entire CLI for the Group, or for a Swarm within a group. You can retrieve the existing CLI using "Get AP configuration", adjust it to include "advertise-ap-name" in the appropriate locations (for one of the SSID profiles in the configuration) and then push it back to the AP using "Replace AP configuration".
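The edit step between the two API calls, as an added example that is not part of the original post: given the retrieved configuration as a list of CLI lines, it adds "advertise-ap-name" to one named SSID profile and returns the full list ready to be pushed back. The function name, the sample configuration and the assumption that sub-commands are indented under their context line are constructed for illustration; the retrieval and push calls themselves are not shown.

```python
def add_advertise_ap_name(clis, ssid_name):
    """Return (new_clis, changed) with advertise-ap-name set on one SSID profile.

    clis: the whole AP configuration as a list of CLI lines, where commands
    inside a context are indented under it (assumed layout).
    """
    header = "wlan ssid-profile " + ssid_name
    out = list(clis)
    for i, line in enumerate(out):
        # Context lines start in column 0; exact match so "Corp" != "Corp-Guest".
        if line.rstrip() != header:
            continue
        end = i + 1
        while end < len(out) and out[end][:1].isspace() and out[end].strip():
            end += 1
        block = out[i + 1:end]
        if any(l.strip() == "advertise-ap-name" for l in block):
            return out, False            # already set: nothing to push
        # Reuse the indentation of the existing sub-commands.
        indent = block[0][:len(block[0]) - len(block[0].lstrip())] if block else "  "
        out.insert(end, indent + "advertise-ap-name")
        return out, True
    raise KeyError("no SSID profile named %r in configuration" % ssid_name)


# Constructed sample configuration (not taken from a real deployment).
SAMPLE = [
    "wlan ssid-profile Corp",
    "  enable",
    "  essid Corp",
    "wlan ssid-profile Corp-Guest",
    "  enable",
    "  essid Guest",
    "wlan access-rule Corp",
    "  rule any any match any any any permit",
]

if __name__ == "__main__":
    new_clis, changed = add_advertise_ap_name(SAMPLE, "Corp")
    print("changed:", changed)
    print("\n".join(new_clis))
```

Because the replace call overwrites the whole configuration, only push the returned list when `changed` is true, and keep the retrieved original so it can be restored.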

The specific use of the API is outside of the context of this blog post!
Now go find an installer who documents their work!