MVP
Posts: 765
Registered: ‎03-25-2009

Passing authentication info on to other devices

Hello,

Trying to push Clearpass instead of another brand through a proof of concept. "Clearpass is amazing so no problem" I hear you say? :smileyvery-happy:

You would be right, but the competition has one major advantage.

Apparently when a user authenticates on that B-brand device, the user's authentication status is relayed to a few external devices (e.g. a Bluecoat proxy) so that the user does not need to log in additionally on those devices. Furthermore, Bluecoat can apparently use the info to give different permissions to that user.

Now I hear Clearpass might support SSO in a future version but we can't wait for that.

So far all we've come up with is to drop the different users (groups really) into different VLANs so Bluecoat can use the subnet and make decisions that way, but that has poor scalability at best and a plethora of other problems associated with it.

So please, who has a trick to relay extra info to that Bluecoat? Doesn't have to be Clearpass config... if we can use Bluecoat tricks to do the same, that's fine as well.

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Passing authentication info on to other devices

AFAIK, Clearpass supports SSO today (6.2).  We also support OKTA as well.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 765
Registered: ‎03-25-2009

Re: Passing authentication info on to other devices

Clearpass supports SSO for its own services yes, but does it support SSO with other devices? Point me in the right direction please.

We'd need to capture guest logon credential, classify the user and pass that on to a Bluecoat proxy.

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Passing authentication info on to other devices

Correct, ClearPass itself does not act as an SSO server. You can use an SSO token to authenticate a user to CPPM or to the network.

There is an integration with Palo Alto to pass user information, but currently that is the only firewall.
Thank You,
Troy

MVP
Posts: 765
Registered: ‎03-25-2009

Re: Passing authentication info on to other devices

So nobody has anything of the sort implemented? :smileysad:

Guess that OKTA is about the only good solution then.

Koen (ACMX #351 | ACDX #547 | ACCP)

New Contributor
Posts: 2
Registered: ‎02-07-2015

Re: Passing authentication info on to other devices

Is there a solution? I am trying to solve this too...

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Passing authentication info on to other devices

What are you trying to integrate with? Does your device have an XML API? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎02-07-2015

Re: Passing authentication info on to other devices

Bluecoat Threatpulse Cloud Proxy

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Passing authentication info on to other devices

What does it accept? 

RADIUS accounting? RESTful API? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Moderator
Posts: 488
Registered: ‎11-09-2012

Re: Passing authentication info on to other devices

When we ship CPPM 6.5 in about 2-3 weeks we will have the ability to proxy/forward RADIUS accounting we receive from the NAS/NAD to a defined target per service definition.

We will also be able to add vendor-specific VSAs....


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
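
As an added illustration (not code from any poster or from ClearPass), this is how a receiver of forwarded RADIUS accounting, as described in the post above, could verify the RFC 2866 Request Authenticator before trusting the user-to-IP mapping a packet carries. The shared secret, user name, address and the VSA (placed under the documentation enterprise number 32473) are constructed sample values, and only the first sub-attribute of each VSA is decoded.

```python
import hashlib, hmac, ipaddress, struct

ACCT_REQUEST = 4                                   # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP, VSA, ACCT_STATUS = 1, 8, 26, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_acct_request(ident, attrs, secret):
    """Build a signed Accounting-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def parse_acct_request(pkt, secret):
    """Verify and decode one Accounting-Request; raise ValueError if it cannot be trusted."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    pkt = pkt[:length]
    # Request Authenticator = MD5(header + 16 zero octets + attributes + shared secret)
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Request Authenticator")
    out = {"user": None, "ip": None, "status": None, "vsas": []}
    pos = 20
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, val = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
        if atype == USER_NAME:
            out["user"] = val.decode("utf-8", "replace")
        elif atype == FRAMED_IP and len(val) == 4:
            out["ip"] = str(ipaddress.IPv4Address(val))
        elif atype == ACCT_STATUS and len(val) == 4:
            out["status"] = STATUS.get(int.from_bytes(val, "big"))
        elif atype == VSA and len(val) >= 6:
            out["vsas"].append((int.from_bytes(val[:4], "big"), val[4], val[6:]))
    return out

SECRET = b"constructed-secret"       # every value below is a constructed sample
SAMPLE = build_acct_request(7, [
    (USER_NAME, b"guest42"),
    (FRAMED_IP, ipaddress.IPv4Address("192.0.2.55").packed),
    (ACCT_STATUS, struct.pack("!I", 1)),
    (VSA, struct.pack("!IBB", 32473, 1, 7) + b"guest"),   # 32473 = documentation PEN
], SECRET)
```

A packet that fails the authenticator check is dropped rather than used to update the mapping, since anyone who can reach the accounting port could otherwise assert an arbitrary user for an address.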
