topic ISE pxgrid java sample client session_download - struggling as always ;) in Network Access Control

ISE pxgrid java sample client session_download - struggling as always ;)

Michal Garcarz — Fri, 31 Aug 2018 12:23:19 GMT

Hello Team,

I've did it already multiple times and almost always i have to spend hours again to re-learn how to do it correctly.

ISE, just one node, pxgrid certificate generated (as all other ISE node certs) is signed by Microsoft NDES. pxgrid enabled - i have working integration with FMC, WSA - all of that is fine.

Now i have downloaded pxgrid-sdk-2.0.0.14 to run few samples. Configured both jks: self and trusted (and put in self.jks my own client pkcs12 + ca + mnt +pxgrid and put in trusted pxgrid+mnt+ca certs).

Now when running:

root@ubuntu:~/scripts/pxgrid/pxgrid-sdk-2.0.0.14/samples/bin# ./session_download.sh -a 192.168.1.117 -k self1.jks -p Krakow123 -t root1.jks -q Krakow123 -u ise_internal_test
------- properties -------
version=2.0.0.14
hostnames=192.168.1.117
username=ise_internal_test
password=
group=Session
description=null
keystoreFilename=self1.jks
keystorePassword=Krakow123
truststoreFilename=root1.jks
truststorePassword=Krakow123
--------------------------
Connecting...
13:47:53.865 [main] INFO com.cisco.pxgrid.Configuration - Connecting to host 192.168.1.117
13:47:54.394 [main] INFO com.cisco.pxgrid.Configuration - Connected OK to host 192.168.1.117
13:47:54.394 [main] INFO com.cisco.pxgrid.Configuration - Client Login to host 192.168.1.117
Exception in thread "main" com.cisco.pxgrid.GCLException
        at com.cisco.pxgrid.GridConnection.connect(GridConnection.java:210)
        at com.cisco.pxgrid.samples.ise.SampleHelper.connect(SampleHelper.java:231)
        at com.cisco.pxgrid.samples.ise.SessionDownload.main(SessionDownload.java:110)
Caused by: java.lang.NullPointerException
        at com.cisco.pxgrid.internal.smack.CustomSASLExternalMechanism.getAuthenticationText(CustomSASLExternalMechanism.java:50)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
        at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:190)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:190)
        at org.jivesoftware.smack.tcp.MyXMPPTCPConnection.loginNonAnonymously(MyXMPPTCPConnection.java:355)
        at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:457)
        at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:415)
        at com.cisco.pxgrid.Configuration.connect(Configuration.java:344)
        at com.cisco.pxgrid.GridConnection.connect(GridConnection.java:129)
        ... 2 more

In the packet captures i do see connection to node port 5222, SSL session negotiated correctly, Application (encrypted data exchange) in several packets and the the client disconnects. It looks like application issue: xmpp SASL authentication failing because of some reason.

I run all trace debugs for pxgrid* but after 1h of reading of those debugs gave up.

I have also executed:

root@ubuntu:~/scripts/pxgrid/pxgrid-sdk-2.0.0.14/samples/bin# ./create_account.sh -a 192.168.1.117 -k self1.jks -p Krakow123 -t root1.jks -q Krakow123 -u ise_internal_test
------- properties -------
version=2.0.0.14
hostnames=192.168.1.117
username=ise_internal_test
password=
group=Session
description=null
keystoreFilename=self1.jks
keystorePassword=Krakow123
truststoreFilename=root1.jks
truststorePassword=Krakow123
--------------------------
HTTP status=OK
password: AewIrAsP1OnGPgVS

But after this i still do not see ise_internal_test in ISE GUI pxgrid clients (i have autoapproval for password based clients). (i guess that is for password based authentication -> are there any samples showing how to use it ? in REAME this script is not mentioned).

I have also tried this:

root@ubuntu:~/scripts/pxgrid/pxgrid-sdk-2.0.0.14/samples/bin# ./session_subscribe.sh -a 192.168.1.117 -k self1.jks -p Krakow123 -t root1.jk-q Krakow123 -u ise_internal_test -w AewIrAsP1OnGPgVS
------- properties -------
version=2.0.0.14
hostnames=192.168.1.117
username=ise_internal_test
password=AewIrAsP1OnGPgVS
group=Session
description=null
keystoreFilename=self1.jks
keystorePassword=Krakow123
truststoreFilename=root1.jks
truststorePassword=Krakow123
--------------------------
14:13:58.930 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Started
Connecting...
14:13:58.999 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connecting to host 192.168.1.117
14:13:59.762 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connected OK to host 192.168.1.117
14:13:59.762 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login to host 192.168.1.117
14:13:59.764 [Thread-1] ERROR com.cisco.pxgrid.ReconnectionManager - Retry connect failed null

Client returns this serious error, application is still running, packet captures show just correct xmpp session:

When the new session arrives on MNT i do not receive anything but just see connection retries.

Any ideas how to make it working ? Why SASL is failing ? Any other well defined restrictions ? Like specific SAN fields in certs ?

I know that i could use self signed certificates to make it simple - but i am not allowed.

Both ise pxgrid and client cert do have right EKU (client+server).

Thanks,

Michal

Re: ISE pxgrid java sample client session_download - struggling as always ;)

hslai — Mon, 03 Sep 2018 00:44:25 GMT

Following Deploying Certificates with Cisco pxGrid - Using External CA with updates to Cisco ISE 2.0/2.1/2.2, I downloaded the same pxgrid-sdk-2.0.0.14-dist.tar.gz from Cisco Platform Exchange Grid (pxGrid) at DevNet, had MS 2008R2 CA to issue both the pxGrid certificate for the SDK sample and the standalone ISE (2.4 w/o or w/ Patch 2), but all (at least those I tried) worked OK for me.

For example,

$ ./session_subscribe.sh -u pxgrid-test-p1 -w hrqzb9azuv09sOut -a 10.1.100.240 -k pxgrid-test.jks -p myKeyPass -t root.jks -q myTrustPass
------- properties -------
version=2.0.0.14
hostnames=10.1.100.240
username=pxgrid-test-p1
password=hrqzb9azuv09sOut
group=Session
description=null
keystoreFilename=pxgrid-test.jks
keystorePassword=myKeyPass
truststoreFilename=root.jks
truststorePassword=myTrustPass
--------------------------
17:29:17.698 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Started
Connecting...
17:29:17.714 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connecting to host 10.1.100.240
17:29:17.851 [Thread-1] INFO com.cisco.pxgrid.Configuration - Connected OK to host 10.1.100.240
17:29:17.851 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login to host 10.1.100.240
17:29:17.886 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login OK to host 10.1.100.240
17:29:18.730 [Thread-1] INFO c.c.p.i.s.NotificationHandlerSmack - done refreshing connection state.
Connected
Filters (ex. '1.0.0.0/255.0.0.0,1234::/16,...' or <enter> for no filter): 17:29:18.730 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Connected

After I disabled the client in ISE pxGrid page, I got SASLErrorException with a clear message upon re-connect.

17:41:17.150 [Thread-1] INFO com.cisco.pxgrid.Configuration - Client Login to host 10.1.100.240
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using PLAIN: not-authorized
at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
at org.jivesoftware.smack.tcp.MyXMPPTCPConnection$PacketReader.parsePackets(MyXMPPTCPConnection.java:1021)
at org.jivesoftware.smack.tcp.MyXMPPTCPConnection$PacketReader.access$200(MyXMPPTCPConnection.java:925)
at org.jivesoftware.smack.tcp.MyXMPPTCPConnection$PacketReader$1.run(MyXMPPTCPConnection.java:940)
at java.lang.Thread.run(Thread.java:748)

If you are still stuck, you would likely need @jeppich to take a look.

Re: ISE pxgrid java sample client session_download - struggling as always ;)

jeppich — Mon, 03 Sep 2018 00:48:24 GMT

Hey Michal,

Can you try a different version of java on Ubuntu.

The Java Development Kit 7 was required with pxGrid 1.0.x SDK. Please check If you have this installed.

If you do, please try a later version and see if this helps.

Thanks,

John

jeppich@cisco.com

Re: ISE pxgrid java sample client session_download - struggling as always ;)

Michal Garcarz — Mon, 03 Sep 2018 05:58:05 GMT

Hello Team,

Thanks for help here.

@hslai - i use the same version of sdk: 2.0.0.14, certs signed by NDES 2012, comparing your logs to my: i can not even "login" with my pxgrid client, the client does not appear in pxgrid client tab in ISE.

@jeppich - i have tested several versions of java, two openjdk (8,9) and oracle(8):

root@ubuntu:~# update-java-alternatives --list
java-1.8.0-openjdk-amd64       1081       /usr/lib/jvm/java-1.8.0-openjdk-amd64
java-1.9.0-openjdk-amd64       1091       /usr/lib/jvm/java-1.9.0-openjdk-amd64
java-8-oracle                  1081       /usr/lib/jvm/java-8-oracle

And for all 3 versions java errors are exactly the same.

The only big difference is ISE version: i am using 2.3p3.

I am preparing a new environment with 2.4 - will let you know if that works.

Thanks,

Michal