MVP

Passing authentication info on to other devices

Hello,

 

Trying to push Clearpass instead of another brand through a proof of concept. "Clearpass is amazing so no problem" I hear you say? :smileyvery-happy:

You would be right, but the competition has one major advantage.

Apparently when a user authenticates on that B-brand device, the user's authentication status is relayed to a few external devices (i.e. Bluecoat proxy) so that the user does not need to log in additionally on those devices. Furthermore, Bluecoat can apparently use the info to give different permissions to that user.

Now I hear Clearpass might support SSO in a future version but we can't wait for that.

So far all we've come up with is to drop the different users (groups really) into different VLANs so Bluecoat can use the subnet and make decisions that way, but that has poor scalability at best and a plethora of other problems associated with it.

 

So please, who has a trick to relay extra info to that Bluecoat? Doesn't have to be Clearpass config. If we can use Bluecoat tricks to do the same, that's fine as well.


Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

Re: Passing authentication info on to other devices

AFAIK, Clearpass supports SSO today (6.2).  We also support OKTA as well.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP

Re: Passing authentication info on to other devices

Clearpass supports SSO for its own services yes, but does it support SSO with other devices? Point me in the right direction please.

We'd need to capture guest logon credential, classify the user and pass that on to a Bluecoat proxy.

 

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba

Re: Passing authentication info on to other devices

Correct, ClearPass itself does not act as an SSO server. You can use an SSO token to authenticate a user to CPPM or to the network.

There is an integration with Palo Alto to pass user information, but currently that is the only firewall.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP

Re: Passing authentication info on to other devices

So nobody has anything of the sort implemented? :smileysad:

Guess that OKTA is about the only good solution then.

Koen (ACMX #351 | ACDX #547 | ACCP)

New Contributor

Re: Passing authentication info on to other devices

Is there a solution? I am trying to solve this too...

Guru Elite

Re: Passing authentication info on to other devices

What are you trying to integrate with? Does your device have an XML API? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Passing authentication info on to other devices

Bluecoat Threatpulse Cloud Proxy

Guru Elite

Re: Passing authentication info on to other devices

What does it accept? 

RADIUS accounting? RESTful API? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Moderator

Re: Passing authentication info on to other devices

When we ship CPPM 6.5 in about 2-3 weeks we will have the ability to proxy/forward RADIUS accounting we receive from the NAS/NAD to a defined target per service definition.

We will also be able to add vendor-specific VSAs...


Best Regards
-d

ClearPass Product Manager
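
For readers following the RADIUS accounting route discussed above, this added example (not from the thread and not ClearPass or Bluecoat code) shows what a receiving device has to do with a forwarded Accounting-Request: verify the Request Authenticator against the shared secret as RFC 2866 defines it, then extract the user-to-IP mapping. Carrying the user's role in the Class attribute is an assumption, and the secret, user, address and role are constructed sample values.

```python
import hashlib, hmac, socket, struct

ACCOUNTING_REQUEST = 4                       # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_accounting_request(secret, ident, user, ip, status, role):
    """Constructed sample packet, standing in for what a forwarder would send."""
    attrs = (_attr(USER_NAME, user.encode()) + _attr(FRAMED_IP, socket.inet_aton(ip))
             + _attr(CLASS, role.encode())   # assumption: role carried in Class
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def parse_accounting_request(packet, secret):
    """Return {'user','ip','role','status'}; raise ValueError on bad input."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, auth, attrs = packet[:4], packet[4:20], packet[20:length]
    if not hmac.compare_digest(_authenticator(header, attrs, secret), auth):
        raise ValueError("bad Request Authenticator")
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if attr_type == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif attr_type == FRAMED_IP and len(value) == 4:
            out["ip"] = socket.inet_ntoa(value)
        elif attr_type == CLASS:
            out["role"] = value.decode("utf-8", "replace")
        elif attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            out["status"] = STATUS.get(struct.unpack("!I", value)[0], "Other")
        i += attrs[i + 1]
    return out

SECRET = b"constructed-shared-secret"        # constructed value
SAMPLE = build_accounting_request(SECRET, 7, "guest42", "10.20.30.40", 1, "Guest")
```

A receiver that skips the authenticator check will accept a user-to-IP mapping from any host that can reach its accounting port, so the check belongs before any policy decision is made on the parsed fields.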
