Rapid Updates and Endpoint Repository Caching Issue?

Environment:  ClearPass 6.5.x appliances; EfficientIP (IPAM) appliances; Ruckus CloudPath for onboarding.

Scenario:  

We encourage users who have never used our network before to connect to the WPI-Wireless-Setup SSID.  In the background this creates a CPPM EndPoint for the device - it sets a default IPAM-AdminStatus attribute to Unknown.  

The user is herded to the CloudPath server, which does all the certificate provisioning and device configuring for our EAP-TLS network.  At the same time, CloudPath sends a URL request to EfficientIP.

EfficientIP takes this URL request and creates an entry in our IPAM.  EfficientIP marks the entry as IPM-AdminStatus OK.  This triggers a rule which accesses the CPPM EndPoint database via the XML-RPC API and changes the IPAM-AdminStatus from Unknown to OK.

CloudPath has now finished and has the device disconnect from the WPI-Wireless-Setup SSID and connect to WPI-Wireless.  When the device connects, ClearPass runs through an "Aruba 802.1X Wireless" service.  The Enforcement "Use Cached Results" is disabled.  One thing this service does is check the value of IPAM-AdminStatus and either returns a VLAN of QuickReg (which for us means that the device is unknown) or returns no VLAN and relies on the default VLAN of the SSID as set on the controller.

 

Issue:

This process works flawlessly *if* the transition from WPI-Wireless-Setup to WPI-Wireless is more than 5 minutes.


If the transition takes seconds (like it's supposed to), CPPM believes that the IPAM-AdminStatus value is still Unknown and puts the device on the QuickReg VLAN.


Solution?

We believe that this is due to the Cache Timeout on the Endpoint Repository.  A similar problem was reported in http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Authorization-Attributes-and-Policy-Evaluation-Cache/td-p/252031

Questions:

a) What is the risk of lowering the Cache Timeout on the Endpoint Repository?  How low can it be?  How low *should* it be?

b) Is there an API call (XML-RPC, SOAP or REST) which will clear the Cache for a single Endpoint?  This could be applied to our EfficientIP to ClearPass integration to ensure that the most up to date information is available to the CPPM Service.

c) Is there another caching mechanism we should be looking at reducing to solve this issue?


Thanks!

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
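The timing behaviour the post describes is exactly what a read-through cache with a fixed TTL in front of an authorization source produces: the first policy evaluation caches the endpoint record, an out-of-band write (here the XML-RPC update from the IPAM rule) goes straight to the backing store, and any lookup inside the TTL window is served the stale copy. The following Python model is an added example that is not part of the post, not ClearPass code and not its API; the class and function names (EndpointRepository, TTLCache, evaluate_policy, run_onboarding), the 300-second TTL taken from the post's "more than 5 minutes" observation, the sample MAC address, and the assumption that a policy evaluation on the setup SSID warms the cache are all constructed for illustration. It replays the scenario against a fake clock so it runs offline, and shows the three outcomes the questions are about: a slow transition reads fresh data, a fast transition reads the stale Unknown, and evicting the single endpoint after the IPAM update fixes the fast case without touching the global timeout.

```python
"""Model of a TTL-cached endpoint repository, illustrating the post above.

Constructed example code: not ClearPass code and not its XML-RPC/REST API.
All names below are hypothetical; CPPM's real cache is not reproduced here.
"""

import time

CACHE_TTL_SECONDS = 300  # assumption: the 5-minute window observed in the post
QUICKREG_VLAN = "QuickReg"


class EndpointRepository:
    """Backing store of endpoint records keyed by MAC (constructed sample data)."""

    def __init__(self):
        self._records = {}

    def create(self, mac, **attrs):
        # New endpoints default to IPAM-AdminStatus = Unknown, as in the post.
        self._records[mac] = {"IPAM-AdminStatus": "Unknown", **attrs}

    def update(self, mac, **attrs):
        # Out-of-band write, e.g. the IPAM rule's XML-RPC update. Bypasses any cache.
        self._records[mac].update(attrs)

    def get(self, mac):
        return dict(self._records[mac])


class TTLCache:
    """Read-through cache with per-entry expiry, the mechanism the post suspects.

    `clock` is injectable so the example runs offline without sleeping.
    """

    def __init__(self, backend, ttl, clock=time.monotonic):
        self.backend = backend
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # mac -> (expires_at, record)
        self.backend_reads = 0  # counts actual repository reads, for inspection

    def get(self, mac):
        now = self.clock()
        hit = self._entries.get(mac)
        if hit is not None and hit[0] > now:
            return hit[1]  # still inside the TTL: served from cache, stale or not
        record = self.backend.get(mac)
        self.backend_reads += 1
        self._entries[mac] = (now + self.ttl, record)
        return record

    def invalidate(self, mac):
        """Per-endpoint eviction: the kind of single-endpoint cache clear question (b) asks about."""
        self._entries.pop(mac, None)


def evaluate_policy(cache, mac):
    """The 802.1X service's VLAN decision as the post describes it."""
    status = cache.get(mac)["IPAM-AdminStatus"]
    return QUICKREG_VLAN if status != "OK" else None  # None = controller's default VLAN


def run_onboarding(ttl, reconnect_delay, invalidate_after_ipam_update=False):
    """Replays the post's scenario against a fake clock.

    Returns the VLAN assigned when the device authenticates on the production SSID.
    """
    clock = [0.0]
    repo = EndpointRepository()
    cache = TTLCache(repo, ttl, clock=lambda: clock[0])
    mac = "00-11-22-33-44-55"  # constructed sample MAC

    # 1. Setup SSID: endpoint created with Unknown; assume a policy evaluation reads it
    #    here, which is what warms the cache with the Unknown value.
    repo.create(mac)
    evaluate_policy(cache, mac)

    # 2. IPAM rule writes OK straight to the repository (the XML-RPC update).
    repo.update(mac, **{"IPAM-AdminStatus": "OK"})
    if invalidate_after_ipam_update:
        cache.invalidate(mac)

    # 3. Device reconnects to the production SSID after `reconnect_delay` seconds.
    clock[0] += reconnect_delay
    return evaluate_policy(cache, mac)


if __name__ == "__main__":
    print("slow transition (600 s):", run_onboarding(CACHE_TTL_SECONDS, 600))
    print("fast transition (5 s):  ", run_onboarding(CACHE_TTL_SECONDS, 5))
    print("fast + invalidate:      ", run_onboarding(CACHE_TTL_SECONDS, 5, True))
```

The model makes the trade-off behind question (a) concrete: lowering the TTL shrinks the stale window but raises `backend_reads` for every authentication, whereas per-endpoint invalidation at the moment of the write keeps the cache effective and removes the window entirely, which is why an invalidation hook in the IPAM-to-ClearPass integration would be the cleaner fix if the product exposes one.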