Super Contributor I
Posts: 294
Registered: ‎02-07-2013

clearpass Authorization using SOAP

I notice that ClearPass Guest has the ability to access external SOAP based services. Our primary IPAM system can either be accessed via a SOAP interface or by directly accessing the back end MSSQL database. Up till now I've created some simple Authentication sources accessing the MSSQL database directly. However, there's some authorization information I need to access that looks as if it is only accessible via their SOAP API. If ClearPass supported stored procedures it might be doable in SQL but I'm guessing that it would be a nightmare to do it with the available SQL interface.

 

Is it possible to create a ClearPass policy manager authentication source that uses SOAP to access an external service?

 

Rgds

Alex

 

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: clearpass Authorization using SOAP

What IPAM product is it and what type of information are you trying to retrieve?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I
Posts: 294
Registered: ‎02-07-2013

Re: clearpass Authorization using SOAP

System is called Men & Mice (https://www.menandmice.com)

We keep track of all devices on our network through it, all vlans and ip address assignments for each interface on a device.

While I can use SQL to pull back the hostname, and IP address of a device, what I also need to do is get hold of the vlan name/numeric value associated with the assigned IP address. I can then send this value back in the Access-Accept packet as a Tunnelled Private Group id attribute.

From the M&M tech support:

"To get the vlan the IP is associated to, you need to query the mm_ipamranges table, but first you need to convert the IP to its hex/IPv6 representation, then compare that with the from and to columns in the mm_ipamranges table. This will give you multiple ranges so you need to either sort by to-from difference and use only the first value, or manually find the narrowest range.

Using the SOAP is a much better option, because this is kept in memory in Central, and you only need a single command to get the appropriate Range. I therefore recommend you implement SOAP into your application, because it would both be simpler and perform better. Otherwise, there is no option other than go through the exercise above directly in SQL."
Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: clearpass Authorization using SOAP

Hm. I've never done it but there is an HTTP authentication source you could try using.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
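The narrowest-range lookup quoted from Men & Mice support earlier in the thread, worked through as an added example (not code from any poster, Men & Mice or Aruba). Only the table name and its `from`/`to` columns come from the thread; the `vlan` field, the 32-digit IPv4-mapped hex encoding and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

def to_hex(ip: str) -> str:
    """Fixed-width 32-hex-digit form of an address (assumed storage format).

    IPv4 is mapped into ::ffff:0:0/96 so both families share one key space.
    """
    addr = ipaddress.ip_address(ip)
    value = int(addr)
    if addr.version == 4:
        value |= 0xFFFF << 32
    return f"{value:032x}"

def row(first: str, last: str, vlan):
    # "from" and "to" are the column names given in the thread; "vlan" is assumed.
    return {"from": to_hex(first), "to": to_hex(last), "vlan": vlan}

# Constructed sample rows standing in for mm_ipamranges (nested ranges on purpose).
SAMPLE_RANGES = [
    row("10.0.0.0", "10.255.255.255", None),      # supernet with no VLAN assigned
    row("10.20.0.0", "10.20.255.255", "campus"),
    row("10.20.30.0", "10.20.30.255", "120"),
    row("192.168.1.0", "192.168.1.255", "200"),
]

def narrowest_range(ip: str, ranges):
    """Return the smallest range containing ip, or None if nothing matches."""
    key = to_hex(ip)
    # Equal-length lowercase hex strings compare in the same order as the
    # numbers they encode, so a plain string comparison is enough here.
    hits = [r for r in ranges if r["from"] <= key <= r["to"]]
    if not hits:
        return None
    # "sort by to-from difference and use only the first value"
    return min(hits, key=lambda r: int(r["to"], 16) - int(r["from"], 16))

def vlan_for(ip: str, ranges=SAMPLE_RANGES):
    """VLAN value to hand back to the RADIUS policy, or None.

    None means "no range" or "range without a VLAN"; the caller should
    treat that as no authorization data rather than fall back to a default.
    """
    hit = narrowest_range(ip, ranges)
    return hit["vlan"] if hit else None

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.99.1", "10.1.1.1", "172.16.0.1"):
        print(ip, "->", vlan_for(ip))
```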