Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass External HTTP Source - Authentication

  • 1.  ClearPass External HTTP Source - Authentication

    Posted Feb 19, 2017 07:21 AM

    Hello,

    I'd like to use ClearPass to authenticate users using an external HTTP API.

    So it seems possible to use an external "HTTP source" as an authentication source.

    It isn't so well documented, but it seems that it fits my needs.

    When I try to use this custom source in a Service profile (RADIUS) I get:

    "HTTP type Authentication Source is not supported for RADIUS services"

    But if it isn't possible to use an HTTP source for RADIUS authentication, it seems pretty useless ... 99,99% of authentication comes from a controller or VirtualController (Arubanetworks) or other devices that can talk only RADIUS for authentication.

    How can I authenticate users provisioned into an external system that exports a REST API?

    Regards



  • 2.  RE: ClearPass External HTTP Source - Authentication

    EMPLOYEE
    Posted Feb 19, 2017 09:54 AM
    It's really an authorization source, not authentication.


  • 4.  RE: ClearPass External HTTP Source - Authentication

    Posted Feb 22, 2017 04:27 AM

    Thank you Tim,

    Do you think there's any "workaround" to manage this scenario?

    Authentication using external services is becoming a pretty common scenario. Usually all backends are moving from exposing an SQL database structure to a REST/API interface (middleware).

    In fact, it seems that Arubanetworks is developing more and more interfaces for external authentication backends (SAML / Okta / etc.), but at the present time any other customer's "custom" backend is impossible to integrate with.

    Regards



  • 5.  RE: ClearPass External HTTP Source - Authentication

    EMPLOYEE
    Posted Feb 22, 2017 07:16 AM
    Most modern authentication is handled via OAuth2 or SAML, not direct REST calls. Most scenarios we come across leverage REST calls for authorization.

    If you have a specific use case, please submit an RFE.


  • 7.  RE: ClearPass External HTTP Source - Authentication

    Posted Feb 22, 2017 07:44 AM

    Hi,

    I agree with you that SAML and OAuth can be a good solution.

    They are more secure, standard, well documented...

    But IMHO I think that they are acceptable for enterprise authentication (employee) or if you want to interact with external authentication services that are outside your network borders.

    I'm talking about an easier use case: a guest captive portal that needs to authenticate users on an internal backend, without using the ClearPass provisioning workflow.

    In this case, I think that the overload that comes from SAML (user bouncing between different pages) or OAuth is absolutely unwanted and unnecessary.

    I think that there could be problems with Apple CNA or Android CNA.

    In any case, I agree with you... The best choice for me is to open an RFE, but in the latest documentation HTTP is already mentioned as an authentication source (not authorization), so I would be better off opening a bug fix request ;-)

    I'm kidding. ;-)