MVP

Questions about Authentication Source - "HTTP" and "Generic SQL DB"

Hello!

 

I'm in the process of implementing a different authentication source than the normal local or AD for Clearpass. In the context I'm considering either http or SQL, but I can't find any documentation on how this is done.

 

Do any of you guys have experience implementing such auth sources and can explain what you did and how you got it working?

 

SQL..

I have an MS SQL database with a stored procedure that, when executed, gives a responsecode. The basic input would be an accesscode, and the responsecode would typically be either 01, 02 or 03. The authentication is based upon these codes, and I also need to inform the user during login with some information based on the codes (01 being plain success, 02 being wrong code, 03 being expired code).

 

I have looked at the internal sql auth sources, but I haven't had much success "reverse engineering" them :(

 

http. It would be even better than having sql if this would work. I'm thinking this could be just triggering a URL and interpreting the result, but without any documentation I'm at a loss on how to do this.

 

Any info and/or assistance would be greatly appreciated.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Super Contributor II

Re: Questions about Authentication Source - "HTTP" and "Generic SQL DB"

I can't help in any way as this is pretty over my head.

But if you manage to figure this out I would be interested in hearing how you pulled it off!

MVP

Re: Questions about Authentication Source - "HTTP" and "Generic SQL DB"

 

Finally got this one working after a few sessions with Chandrakanth from Clearpass TAC.

 

I went with SQL, but this is also doable using http as long as the resultset is JSON formatted.

 

Common to both authentication sources is this:

 

  • The success result has to contain a field called "User_Password". If this field is missing it's an automatic reject.
  • Of course - the password you're sending with your login form also has to match the value of this field to be authenticated.
  • All other fields you add to your resultset can be used as further authorization attributes.

 

Other than that - it's basic clearpass config.

 

Now Aruba Clearpass guys - please update your documentation with that little snippet of valuable information and save us the trip to TAC ;)

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
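
The three rules listed in the post above, modelled as an added Python example (not part of the original post and not ClearPass code). It assumes the HTTP source returns a single flat JSON object; every field name other than "User_Password", and all sample values, are constructed for illustration.

```python
import hmac
import json

PASSWORD_FIELD = "User_Password"  # field name given in the post


def evaluate_auth_result(raw_json, submitted_password):
    """Model the accept/reject rules described in the post.

    Returns (accepted, attributes, reason). This models the described
    behaviour only; it is not how ClearPass is implemented.
    """
    try:
        result = json.loads(raw_json)
    except ValueError:
        return False, {}, "result is not valid JSON"
    if not isinstance(result, dict):
        return False, {}, "result is not a JSON object"
    # Rule 1: a result without User_Password is an automatic reject.
    if PASSWORD_FIELD not in result:
        return False, {}, "User_Password field missing"
    expected = result[PASSWORD_FIELD]
    if not isinstance(expected, str):
        return False, {}, "User_Password is not a string"
    # Rule 2: the submitted password must match the field value.
    # Constant-time comparison is a choice made for this example.
    if not hmac.compare_digest(expected.encode(), submitted_password.encode()):
        return False, {}, "password mismatch"
    # Rule 3: every other field is available as an authorization attribute.
    attributes = {k: v for k, v in result.items() if k != PASSWORD_FIELD}
    return True, attributes, "ok"


# Constructed sample results; Response_Code and Role are hypothetical fields.
SAMPLE_OK = '{"User_Password": "A1B2C3", "Response_Code": "01", "Role": "guest"}'
SAMPLE_NO_PASSWORD = '{"Response_Code": "03"}'

if __name__ == "__main__":
    cases = [(SAMPLE_OK, "A1B2C3"), (SAMPLE_OK, "wrong"),
             (SAMPLE_NO_PASSWORD, "A1B2C3")]
    for raw, password in cases:
        print(evaluate_auth_result(raw, password))
```
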