02-19-2017 04:20 AM
I'd like to use Clearpass to authenticate users using an external HTTP API.
So it seems possible to use an external "http source" as an authentication source.
It isn't so well documented, but it seems that it fits my needs.
When I try to use this custom source in a Service profile (RADIUS), I get:
"HTTP type Authentication Source is not supported for RADIUS services"
But if it isn't possible to use an HTTP source for RADIUS authentication, it seems pretty useless ... 99,99% of authentication comes from a controller or VirtualController (Arubanetworks) or other devices that can talk only RADIUS for authentication.
How can I authenticate users provisioned in an external system that exports a REST API?
02-22-2017 01:27 AM
Thank you Tim,
Do you think there's any "workaround" to manage this scenario?
Authentication using external services is becoming a pretty common scenario. Usually all backends are moving from exposing SQL database structure, to a REST/API interface (middleware).
In fact, it seems that Arubanetworks is developing more and more interfaces for external authentication backends (SAML / Okta / etc.), but at the present time any other customer's "custom" backend is impossible to integrate with.
02-22-2017 04:16 AM
02-22-2017 04:43 AM
I agree with you that SAML and OAuth can be a good solution.
They are more secure, standard, well documented...
But IMHO I think that they are acceptable for enterprise authentication (employee) or if you want to interact with external authentication services that are outside your network borders.
I'm talking about an easier use case: a guest captive portal that needs to authenticate users on an internal backend, without using the Clearpass provisioning workflow.
In this case, I think that the overload that comes from SAML (user bouncing between different pages) or OAuth is absolutely unwanted and unnecessary.
I think that there could be problems with Apple CNA or Android CNA.
In any case, I agree with you... The best choice for me is to open an RFE, but in the latest documentation HTTP is already mentioned as an authentication source (not authorization), so I should rather open a bug fix request ;-)
I'm kidding. ;-)