
Clearpass Crowdstrike API HTTP

  • 1.  Clearpass Crowdstrike API HTTP

    Posted Oct 19, 2021 01:58 AM
    Hi All,
    I need some assistance with ClearPass and CrowdStrike API integration. I have configured the ClearPass settings as per the tech notes released by Danny last year. ClearPass started giving an HTTP error. I noticed the same error was reported by another client, but there is no solution on Airheads.


    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=239414

    Troubleshooting steps performed:

    Tried disabling SSL certificate - i.e. False
    Tried adding Bypass Proxy in the configuration - no luck
    Tried restarting the extension service

    Below are the errors I am seeing on ClearPass:
    [2021-10-19T16:01:00.104] [INFO] CrowdStrike - Getting next page of devices...
    [2021-10-19T16:01:00.104] [ERROR] CrowdStrike - Protocol "http:" not supported. Expected "https:"
    [2021-10-19T16:01:00.105] [ERROR] CrowdStrike - Protocol "http:" not supported. Expected "https:"


    ------------------------------
    Varun Sharma
    ------------------------------


  • 2.  RE: Clearpass Crowdstrike API HTTP

    Posted Oct 19, 2021 08:04 AM
    I'm guessing this is the extension passing the error and not the endpoint context server action.

    The CrowdStrike extension is set to verify the SSL certs, as shown in the config. If it is verifying the certificate of api.crowdstrike.com against CPPM's built-in trust store (I have no idea if this is the case or not, sorry) then it may be that the appropriate certificates don't exist or are not trusted:

    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
    verify return:1
    depth=0 C = US, ST = California, L = Irvine, O = "CrowdStrike, Inc.", CN = api.crowdstrike.com
    verify return:1

    I checked my CPPM (6.10.2) and noted that the DigiCert High Assurance EV was disabled. I don't seem to have the DigiCert SHA2 High Assurance Server CA certificate in the trust store, but that should be OK. Maybe try enabling the root CA certificate and check again if that makes a difference?
    Digicert High Assurance EV Root CA



  • 3.  RE: Clearpass Crowdstrike API HTTP

    Posted Oct 19, 2021 06:48 PM
    Hi Matt,
    Thank you for replying to my message. I enabled the DigiCert Root and High Assurance CA certificates but still don't see any change. I still get the same error. Could you please share with me the settings you have configured on 6.10? I am not looking for an upgrade from 6.9.7 to 6.10 soon.
    Please see some captures below



    Thanks
    Varun

    ------------------------------
    Varun Sharma
    ------------------------------



  • 4.  RE: Clearpass Crowdstrike API HTTP

    Posted Oct 20, 2021 10:29 AM
    Has this worked for you before? I see you have a TAC case open; they should be able to troubleshoot, as from the above it is hard to tell. I couldn't find other TAC cases around the same message.

    If you feel there is not enough progress on that case, feel free to request an escalation.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass Crowdstrike API HTTP

    Posted Oct 20, 2021 06:22 PM
    Hi Herman,

    Thank you for replying to my thread!!

    Mate, this is the first time I am trying it on one of my 8 nodes cluster for wired dot1x. One thing to notice is that on the same server I have the Microsoft Intune and Splunk APIs running fine, but not CrowdStrike.
    Yes, I raised a TAC case a few days ago but still no luck in fetching endpoint information via the API. Today, I added Bypass proxy = true in the configuration and restarted the extension service, but I have the same error.




    ------------------------------
    Varun Sharma
    ------------------------------