Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Infoblox as Auth Source for ClearPass?

  • 1.  Infoblox as Auth Source for ClearPass?

    MVP
    Posted Aug 17, 2017 02:20 PM

    A client asked an interesting question recently: they register all of their devices in Infoblox and wanted to know whether you can use Infoblox as an authentication source to check if the MAC address exists. I know we can do an HTTP POST to update username/MAC mappings, but can we query whether a MAC address exists?



  • 2.  RE: Infoblox as Auth Source for ClearPass?
    Best Answer

    EMPLOYEE
    Posted Aug 17, 2017 02:24 PM

    Unfortunately it's not possible today, as they return nested JSON responses from their API.



  • 3.  RE: Infoblox as Auth Source for ClearPass?

    MVP
    Posted Aug 17, 2017 02:26 PM

    Thanks Tim, fair enough, I'll let them know.



  • 4.  RE: Infoblox as Auth Source for ClearPass?

    Posted Aug 17, 2017 03:50 PM

    Can you have Infoblox call a ClearPass API when a new device is registered?  We have our IPAM system (Efficient IP) do a call out to ClearPass any time a new MAC address is registered, updated, or deleted, tagging it with a custom attribute in the endpoint database.  This lets us identify devices that are known to IPAM in the ClearPass logic, plus it avoids the extra latency of making a REST call during authentication.



  • 5.  RE: Infoblox as Auth Source for ClearPass?

    MVP
    Posted Aug 17, 2017 04:27 PM

    Very interesting. This hasn't been configured yet, so I can propose that option. Can you provide more details about the configuration?

     

    Thanks.



  • 6.  RE: Infoblox as Auth Source for ClearPass?

    Posted Aug 17, 2017 05:46 PM

    Sure, happy to!

     

    Efficient IP allows you to drop in custom code called "rules", which basically define functions that are called as event handlers.  On ours, we have a pair of rules: one that is triggered when a registration is created or updated, and one that is triggered when one is deleted.

     

    The create/modify rule, when called, just gathers up information about the registration, most notably hostname and MAC address, and wraps it up into a REST call that gets sent to Clearpass.  It also includes a custom variable, in our case called IPAM-AdminStatus, set to a default value of 'OK'.

     

    Later, in role mappings and/or enforcement policies, you can test for the presence of that custom attribute to go down different paths depending on whether or not the device is known.  In our case, we also go one step further and can set it to other values like 'suspended', which indicate to ClearPass that it should drop the device in a captive portal VLAN for remediation of some kind.

     

    I don't really know InfoBlox well, but obviously you'd need the ability to add those custom event handlers in for this system to be viable.  But if you can, this might be one way to create the linkage between Clearpass and your IPAM system.  It's definitely worked very well for us.

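The event-handler pattern described in the post above, written out as an added example (this is not the poster's Efficient IP rule code and not an Aruba-supplied script). It maps a create/modify/delete registration event to one ClearPass endpoint-attribute update carrying IPAM-AdminStatus. The ClearPass path `PATCH /api/endpoint/mac-address/{mac}` with an `attributes` body, the lowercase separator-free MAC key, the extra `IPAM-Hostname` attribute, the `deleted` status on removal and the shape of the incoming event dict are all assumptions of this example, not facts from the thread.

```python
"""Added example, not the poster's rule code: turn an IPAM registration
event into the ClearPass endpoint-attribute update described in post 6.

Assumptions (not stated in the thread):
  - ClearPass exposes PATCH /api/endpoint/mac-address/{mac} taking a JSON
    body with an "attributes" object; confirm the path in the API Explorer
    of your CPPM version before relying on it.
  - ClearPass keys endpoints by lowercase, separator-free MAC.
  - The incoming event is a plain dict {"action", "mac", "hostname", ...};
    the real Efficient IP rule or Infoblox Outbound API payload differs.
  - The HTTP transport is injected (send_fn) so this runs offline.
"""
import json
import re
from dataclasses import dataclass

ATTR_STATUS = "IPAM-AdminStatus"   # custom attribute named in post 6
ATTR_HOST = "IPAM-Hostname"        # hypothetical extra attribute


def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


@dataclass
class ClearPassRequest:
    method: str
    path: str
    body: dict


def build_request(event: dict) -> ClearPassRequest:
    """Map one IPAM event to one endpoint update.

    create/modify -> mark the endpoint known to IPAM (status from the event,
                     default 'OK' as in post 6) and record its hostname.
    delete        -> overwrite the status with 'deleted' (assumed handling)
                     so a role mapping that matches on 'OK' stops matching;
                     leaving the old value would keep a removed device trusted.
    """
    mac = normalize_mac(event["mac"])
    action = event.get("action", "").lower()
    if action in ("create", "modify"):
        attrs = {ATTR_STATUS: event.get("status", "OK"),
                 ATTR_HOST: event.get("hostname", "")}
    elif action == "delete":
        attrs = {ATTR_STATUS: "deleted"}
    else:
        raise ValueError(f"unsupported IPAM action: {action!r}")
    return ClearPassRequest("PATCH", f"/api/endpoint/mac-address/{mac}",
                            {"attributes": attrs})


def handle_event(event: dict, send_fn) -> str:
    """Rule entry point: build the update and hand it to the transport."""
    req = build_request(event)
    return send_fn(req.method, req.path, json.dumps(req.body))


SENT = []  # what the fake transport received, for inspection


def fake_send(method: str, path: str, body: str) -> str:
    """Stand-in for an authenticated HTTPS call to the CPPM API host."""
    SENT.append((method, path, json.loads(body)))
    return "200 OK"


if __name__ == "__main__":
    # Constructed sample events; a real rule receives the IPAM system's own format.
    for ev in ({"action": "create", "mac": "AA:BB:CC:DD:EE:01", "hostname": "printer-1"},
               {"action": "modify", "mac": "aabb.ccdd.ee01", "hostname": "printer-1",
                "status": "suspended"},
               {"action": "delete", "mac": "aa-bb-cc-dd-ee-01"}):
        print(handle_event(ev, fake_send), SENT[-1])
```

On the ClearPass side this needs an API client with write access to endpoints and nothing more; the `status` field in the event is what would carry the poster's `suspended` value so that the role mapping can route the device to the remediation VLAN.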


  • 7.  RE: Infoblox as Auth Source for ClearPass?

    Posted Aug 22, 2017 03:16 AM

    Hi

    I have a very similar issue for wired NAC at a customer: CP should check whether a MAC address is in Infoblox or not, and if it is, the client should be put into the VLAN set in Infoblox.

    I know that I can export this data from Infoblox. Is there a way to automatically import it into ClearPass?

    Or is it possible to bring this export file into a form that CP can use as an authentication source?

    Do you have any idea how to solve this problem?

     

    Thanks a lot,

    regards

    Michael



  • 8.  RE: Infoblox as Auth Source for ClearPass?

    Posted Aug 22, 2017 08:54 AM

    Unfortunately I don't really know Infoblox - it would depend on whether or not you can define custom action hooks on it.

     

    If you wanted to get really Rube Goldberg, you could always set up an intermediate proxy host.  It could take endpoint status checks from Clearpass at authentication time, and turn around and translate them into the Infoblox API, doing any appropriate data massaging on the way back.  I'm not saying it's a good idea, but it's certainly possible.

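The "intermediate proxy" from the reply above, and the nested-JSON limitation from reply 2, as an added example (not code from any poster, from Aruba, or from Infoblox). The proxy takes a MAC, queries the WAPI, and flattens the nested object into the single-level attribute set that an HTTP authorization source can consume. The `macfilteraddress` field names follow the WAPI document linked later in the thread; the sample record, the `fake_wapi` stand-in for the WAPI call, the `_` key separator and the `found` attribute are constructed for this example.

```python
"""Added example, not from the thread: the intermediate proxy suggested in
post 8, built around the nested-JSON limitation from post 2.

ClearPass's HTTP authorization source wants a flat JSON object of attributes,
while the Infoblox WAPI returns nested objects (extattrs especially). The
proxy sits between them: ClearPass asks the proxy about a MAC, the proxy
queries the WAPI and returns a flat result.

Assumptions (not from the thread):
  - WAPI macfilteraddress objects carry "mac", "filter" and "extattrs" with
    each extattr wrapped as {"value": ...}, per the WAPI doc linked in post 17.
    SAMPLE_WAPI below is constructed data, not a real export.
  - The WAPI call itself is injected (fetch_fn) so the code runs offline; a
    real proxy would GET /wapi/v2.x/macfilteraddress?mac=<mac>&_return_fields=...
    over TLS with a read-only WAPI account.
  - Flat keys use "_" as the path separator (a choice, not a ClearPass rule).
"""
import re

SAMPLE_WAPI = [  # constructed sample of a WAPI search result
    {
        "_ref": "macfilteraddress/REF-PLACEHOLDER:aa:bb:cc:dd:ee:01",
        "mac": "aa:bb:cc:dd:ee:01",
        "filter": "corp-printers",
        "extattrs": {"VLAN": {"value": "120"}, "Site": {"value": "HQ"}},
    }
]


def fake_wapi(mac: str) -> list:
    """Stand-in for the WAPI search; returns the matching objects."""
    return [r for r in SAMPLE_WAPI if r["mac"] == mac]


def to_wapi_mac(mac: str) -> str:
    """Infoblox stores MACs as lowercase colon-separated pairs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def flatten(obj, prefix="", out=None, sep="_"):
    """Flatten nested dicts/lists into single-level keys.

    A dict whose only key is "value" (the WAPI extattr wrapper) collapses to
    that value, so extattrs -> VLAN -> value becomes extattrs_VLAN.
    """
    if out is None:
        out = {}
    if isinstance(obj, dict):
        if set(obj) == {"value"}:
            out[prefix] = obj["value"]
            return out
        for k, v in obj.items():
            flatten(v, f"{prefix}{sep}{k}" if prefix else str(k), out, sep)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            flatten(v, f"{prefix}{sep}{i}" if prefix else str(i), out, sep)
    else:
        out[prefix] = obj
    return out


def lookup_mac(mac: str, fetch_fn=fake_wapi) -> dict:
    """Proxy handler: answer ClearPass with a flat attribute set.

    An unknown MAC yields {"found": False, ...} rather than an error, so the
    ClearPass role mapping can branch on 'found' the way post 6 branches on
    IPAM-AdminStatus.
    """
    wapi_mac = to_wapi_mac(mac)
    records = fetch_fn(wapi_mac)
    if not records:
        return {"found": False, "mac": wapi_mac}
    flat = flatten(records[0])
    flat.pop("_ref", None)  # internal object reference, no policy value
    flat["found"] = True
    return flat


if __name__ == "__main__":
    print(lookup_mac("AA-BB-CC-DD-EE-01"))
    print(lookup_mac("aabb.ccdd.ee02"))
```

Two design points matter if this is ever deployed: the proxy is now in the authentication path, so it inherits the latency concern from reply 4 and needs the same availability as ClearPass itself; and it should only accept queries from the ClearPass nodes and hold a read-only WAPI credential, since the flattened output (VLAN, site) is exactly what a policy decision will trust.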


  • 9.  RE: Infoblox as Auth Source for ClearPass?

    Posted Nov 03, 2017 07:06 AM

    Hi,

    I'm very interested in this point because we are in the same situation for a customer.

    We have CPPM servers and an Infoblox appliance for IPAM, and it is important for customers to control the MAC address and VLAN ID from Infoblox before authorizing the client and assigning the right IP address.

    We apply 802.1X and MAC auth (MAB) on the switch port for wired connections, and we didn't want to add a static host list for all machines without an 802.1X supplicant.

    The goal is to simplify the handling of equipment and not enter information in both products.

    My question is whether the ClearPass Exchange integration permits checking, like an Active Directory, via WAPI or JSON, to verify all information for a user (MAC address / VLAN ID / IP address) and push the VLAN ID to the switch port?

     

    Thanks for your reply.



  • 10.  RE: Infoblox as Auth Source for ClearPass?

    EMPLOYEE
    Posted Nov 03, 2017 07:54 AM
    This will be possible in a future release.


  • 11.  RE: Infoblox as Auth Source for ClearPass?

    Posted Nov 03, 2017 11:28 AM

    Reading your ask, as I read this you want CPPM to authN the user, then have CPPM tell Infoblox it's OK to provide an IP address to the user we just authorized. That piece is already in place: CPPM, as part of the authN, will decide based upon the usual authZ context of the user/device combination which VLAN/ACL/dACL/Role is applied.

     

    Do I miss something?



  • 12.  RE: Infoblox as Auth Source for ClearPass?

    Posted Nov 03, 2017 11:42 AM

    Hi,

    I'll explain my issue again. I mean that the customer currently uses Infoblox to insert all user entries in the database (MAC/IP address) needed for firewall rules (based on IP address).

    For each new user this action is performed.

    But now we have CPPM for 802.1X and MAC authentication, and we don't want to insert two entries, one in each product.

    We are looking for a way to check and verify, without creating a static host list on CPPM, by creating a connection to Infoblox (REST API/JSON) to check and verify information like the MAC address, and if that matches, then you obtain your VLAN ID and your IP address.

     

    For the moment nothing resolves this issue; maybe in a future release.

     

    Regards.



  • 13.  RE: Infoblox as Auth Source for ClearPass?

    EMPLOYEE
    Posted Nov 03, 2017 11:46 AM
    Yes, as I mentioned, you will be able to do this in a future release.


  • 14.  RE: Infoblox as Auth Source for ClearPass?

    Posted Nov 06, 2017 01:56 AM

    Hi Tim

    Can you already release more information about the time schedule?

    Will this feature be released by Q1 2018 already?

    Best regards

     



  • 15.  RE: Infoblox as Auth Source for ClearPass?

    EMPLOYEE
    Posted Nov 06, 2017 07:26 AM
    Reach out to your Aruba account team.


  • 16.  RE: Infoblox as Auth Source for ClearPass?

    EMPLOYEE


  • 17.  RE: Infoblox as Auth Source for ClearPass?

    Posted Dec 12, 2017 11:13 AM

    Hi,

    Thank you Tim for your answer and your good work.

    A really good explanation from your GitHub space.

    However, we also want to check, before authenticating the user (because we use MAC auth on the switch port), the MAC address and IP address in order to assign the right VLAN ID.

    We changed the Authorization Mapping Rules to check attributes like the MAC filter, but we also want to check the beginning of the IP address to then determine the VLAN ID to assign on the switch port.

    Is it possible to assign a VLAN ID from ClearPass if the MAC address and, for example, the beginning of the IP address exist in Infoblox?

    Do you have an idea to solve this issue?

    https://ipam.illinois.edu/wapidoc/objects/macfilteraddress.html

     

    Thanks in advance.

    Regards.



  • 18.  RE: Infoblox as Auth Source for ClearPass?

    EMPLOYEE
    Posted Dec 12, 2017 11:20 AM

    I'm not fully understanding what you're trying to do, but any information from Infoblox available via the API and found with the MAC address record should be able to be used.



  • 19.  RE: Infoblox as Auth Source for ClearPass?

    Posted Dec 13, 2017 04:06 AM

    Hi,

    I'm sorry for my explanation; please find below captures of CPPM and the API GET request with attribute "mac" to use for authorization.

    When a user wants to connect to the network, I verify the 802.1X certificate and check for the presence of the MAC address in Infoblox. After that I want to assign the right VLAN ID, because all ports are in 802.1X across my whole network switch. Please tell me how it is possible to control the MAC address and also assign the right VLAN ID for a fixed IP address in a different subnet?

    Thanks in advance.

    [Attachments: mac-filter.jpg, Infoblox-Auth-Source.jpg, role-mapping-rules.jpg]



  • 20.  RE: Infoblox as Auth Source for ClearPass?

    Posted Dec 04, 2017 06:47 PM

    You can take a look at the Outbound API feature, which is available starting with NIOS 8.0, but I'd recommend using NIOS 8.1 or the latest NIOS 8.2.2.

    Outbound API allows you to trigger a template execution (a json file which implements a workflow) by an event. The template can make REST API calls to 3rd party systems or send notifications over McAfee DXL/OpenDXL fabric.

    Right now IPAM events (Add/Modify/Delete of Network, Range, Host, FixedIP/Reservation, Lease) and DNS Security (RPZ hit, Tunneling) are supported.

    Vadim



  • 21.  RE: Infoblox as Auth Source for ClearPass?

    Posted Apr 01, 2021 05:18 AM
    Hi,

    I am trying to do something similar and use Infoblox as an authentication source, where ClearPass would look up the MAC address within the IPAM rather than the ClearPass endpoint repository.
    Has anyone been able to get anything working?

    Thanks in advance

    ------------------------------
    David Hurley
    ------------------------------



  • 22.  RE: Infoblox as Auth Source for ClearPass?

    MVP
    Posted Apr 02, 2021 02:00 PM
    I'm pretty sure it's not supported to use Infoblox as an AuthN source, just as an AuthZ source.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------