
Infoblox as Auth Source for ClearPass?

A client asked an interesting question recently: they register all of their devices in Infoblox and wanted to know whether you can use Infoblox as an authentication source to check if a MAC address exists. I know we can do an HTTP POST to update username/MAC mappings, but can we query whether a MAC address exists?


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite

Re: Infoblox as Auth Source for ClearPass?

Unfortunately it's not possible today as they return nested JSON responses from their API.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Infoblox as Auth Source for ClearPass?

Thanks Tim, fair enough, I'll let them know.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Frequent Contributor I

Re: Infoblox as Auth Source for ClearPass?

Can you have Infoblox call a ClearPass API when a new device is registered? We have our IPAM system (Efficient IP) do a call out to ClearPass any time a new MAC address is registered, updated, or deleted, tagging it with a custom attribute in the endpoint database. This lets us identify devices that are known to IPAM in the ClearPass logic, plus it avoids the extra latency of making a REST call during authentication.

Re: Infoblox as Auth Source for ClearPass?

Very interesting. This hasn't been configured yet, so I can propose that option. Can you provide more details about the configuration?

Thanks.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Frequent Contributor I

Re: Infoblox as Auth Source for ClearPass?

Sure, happy to!

Efficient IP allows you to drop in custom code called "rules", which basically define functions that are called as event handlers. On ours, we have a pair of rules: one that is triggered when a registration is created or updated, and one that is triggered when one is deleted.

The create/modify rule, when called, just gathers up information about the registration, most notably hostname and MAC address, and wraps it up into a REST call that gets sent to ClearPass. It also includes a custom variable, in our case called IPAM-AdminStatus, set to a default value of 'OK'.

Later, in role mappings and/or enforcement policies, you can test for the presence of that custom attribute to go down different paths depending on whether or not the device is known. In our case, we also go one step further and can set it to other values like 'suspended', which indicate to ClearPass that it should drop the device into a captive portal VLAN for remediation of some kind.

I don't really know Infoblox well, but obviously you'd need the ability to add those custom event handlers for this system to be viable. But if you can, this might be one way to create the linkage between ClearPass and your IPAM system. It's definitely worked very well for us.
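One way to model the two IPAM event-handler rules and the ClearPass-side role check described in this post, as an added Python example (not the poster's Efficient IP rules and not vendor code). The ClearPass endpoint-API route and body shape, the role names, and the set of attribute values are assumptions; the functions only build the requests so the logic can be exercised offline.

```python
import re

# Added example, not the poster's rule code. The REST route and body layout
# below are assumptions about ClearPass's endpoint API; confirm them against
# your release's API explorer before wiring anything up.
ATTR = "IPAM-AdminStatus"
ALLOWED_STATUS = {"OK", "suspended"}
ENDPOINT_ROUTE = "/api/endpoint/mac-address/{mac}"  # assumed


def normalize_mac(mac: str) -> str:
    """ClearPass keys endpoints by bare lowercase hex; accept any separator."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


def on_registration_saved(mac: str, hostname: str, status: str = "OK") -> dict:
    """Create/modify rule: upsert the endpoint as Known and tag it for IPAM."""
    if status not in ALLOWED_STATUS:  # reject values policy does not understand
        raise ValueError(f"unknown {ATTR} value: {status!r}")
    m = normalize_mac(mac)
    return {
        "method": "PATCH",
        "path": ENDPOINT_ROUTE.format(mac=m),
        "body": {"status": "Known", "description": hostname,
                 "attributes": {ATTR: status}},
    }


def on_registration_deleted(mac: str) -> dict:
    """Delete rule: remove the endpoint so the attribute is absent afterwards."""
    return {"method": "DELETE",
            "path": ENDPOINT_ROUTE.format(mac=normalize_mac(mac)), "body": None}


def map_role(endpoint_attrs: dict) -> str:
    """Role mapping as the post describes: attribute absent means an unknown
    device, 'OK' means IPAM-known, 'suspended' means send to remediation VLAN.
    Any unexpected value is treated as unknown (fail closed)."""
    value = endpoint_attrs.get(ATTR)
    if value == "OK":
        return "IPAM-Known"
    if value == "suspended":
        return "Remediation-VLAN"
    return "Unknown-Device"
```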

New Contributor

Re: Infoblox as Auth Source for ClearPass?

Hi

I have a very similar issue for wired NAC at a customer: CP should check whether a MAC address is in Infoblox or not, and if it is, the client should be put into the VLAN set in Infoblox.

I know that I can export this data from Infoblox. Is there a way to automatically import it into ClearPass?

Or is it possible to bring this export file into a form that CP can use as an authentication source?

Do you have any idea how to solve this problem?

Thanks a lot,

regards

Michael

Frequent Contributor I

Re: Infoblox as Auth Source for ClearPass?

Unfortunately I don't really know Infoblox - it would depend on whether or not you can define custom action hooks on it.

If you wanted to get really Rube Goldberg, you could always set up an intermediate proxy host. It could take endpoint status checks from ClearPass at authentication time, turn around and translate them into the Infoblox API, and do any appropriate data massaging on the way back. I'm not saying it's a good idea, but it's certainly possible.

New Contributor

Re: Infoblox as Auth Source for ClearPass?

Hi,

I'm very interested in this point because we are in the same situation for a customer.

We have CPPM servers and an Infoblox appliance for IPAM, and it is important for customers to check the MAC address and VLAN ID in Infoblox before authorizing a client and assigning it the right IP address.

We apply 802.1X and MAC auth (MAB) on the switch ports for wired connections, and we didn't want to add a static host list for all machines without an 802.1X supplicant.

The goal is to simplify the handling of equipment and not enter information in both products.

My question is whether the ClearPass Exchange integration permits checking, like with Active Directory, via WAPI or JSON to verify all the information for a user (MAC address / VLAN ID / IP address) and push the VLAN ID to the switch port?

Thanks for your reply.

Guru Elite

Re: Infoblox as Auth Source for ClearPass?

This will be possible in a future release.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480