Security

  • 1.  Clearpass Extensions

    Posted May 28, 2020 09:44 AM

    A few questions on Clearpass extensions.

     

    1. Can an individual develop these? I can find next to zero documentation on anything extensions related.

     

    2. Are the active extensions documented somewhere?

     

    3. If no to #1, is there anything on the roadmap to allow users to develop extensions? While the API is great, it is clunky to query something remotely, manipulate the data, then use the API to pull/push the data into Clearpass.



  • 2.  RE: Clearpass Extensions

    Posted May 28, 2020 12:16 PM

    An extension is nothing more than a couple of scripts that call the REST API, packaged together and running on the same box (but isolated). So you can essentially create your own extension running off box and it is nearly the same.

     

    Extensions are just a type of integration method, so I don't believe there's a list of what integrations are specifically Extensions as it's not generally relevant.



  • 3.  RE: Clearpass Extensions

    Posted May 28, 2020 12:26 PM

    Thanks for the info. I plan on submitting this to the innovation zone. I was just hoping for a better understanding. I wish they would allow custom extensions to be added.

     

    Running it off-box is exactly what I want to avoid. I don't want to have a separate box that all it is doing is polling data from one provider to feed it into another provider. Having it run natively on the CPPM appliance is much more streamlined.



  • 4.  RE: Clearpass Extensions

    Posted May 28, 2020 12:29 PM
    AFAIK, there is an active feature request already in the system but there is no ETA that I’m aware of.

    Allowing anyone to essentially load modules that have not gone through any form of validation or testing on a mission-critical platform opens up a whole can of worms. Running it off box ensures that a non-validated script/module/plugin cannot directly exhaust CPPM resources, which could affect core authentication.


  • 5.  RE: Clearpass Extensions

    Posted May 28, 2020 12:36 PM

    Exactly. I'm suggesting a sort of Extension Store. This would allow Aruba to verify/validate any extensions submitted. 

    I get that this is a far shot, I am just hopeful. I think the clever folks over at Aruba could handle the custom Extensions on a priority type service. Meaning, if the extension doesn't exit in X seconds, doesn't return a specific error code, etc., it would exit the extension.




  • 6.  RE: Clearpass Extensions

    Posted May 28, 2020 10:49 PM

    From what I can see the extensions just run as Docker containers. They are issued an IP address in a special internal-only range. That address is then added as an authentication source. Functionally it looks no different to running an authentication source on some other IP externally. So I agree that we should be able to submit items to the already existing Extensions 'store' in the form of Docker images.



  • 7.  RE: Clearpass Extensions

    Posted May 28, 2020 10:55 PM
    The major difference being that an external auth source doesn't consume local CPPM resources for its own operation. So not really a good comparison.

    Again, you can run your own containers on an existing container host. That is your best short to mid term solution.
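
Added example, not part of the thread and not ClearPass or Aruba code: a minimal supervisor for an integration job on your own Linux host, combining the watchdog idea from post 5 (stop a job that overruns X seconds or returns an unexpected exit code) with kernel resource limits for the exhaustion concern in posts 4 and 7. The function name, the limits, and the allowed exit codes are assumptions chosen for illustration.

```python
import os
import resource
import signal
import subprocess
import sys

# All values below are assumptions for illustration, not ClearPass settings.
ALLOWED_EXIT_CODES = {0, 3}          # e.g. 0 = synced, 3 = nothing to do
CPU_SECONDS = 1                      # kernel-enforced CPU budget
ADDRESS_SPACE = 1024 * 1024 * 1024   # 1 GiB virtual memory ceiling


def _cap(kind, value):
    # Never try to raise a limit above the hard limit we inherited.
    _, hard = resource.getrlimit(kind)
    new = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(kind, (new, new))


def _apply_limits():
    # Runs in the child between fork and exec, so only the job is capped.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)


def run_extension(argv, wall_seconds=2):
    """Run one integration job; return (verdict, detail)."""
    proc = subprocess.Popen(
        argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        preexec_fn=_apply_limits, start_new_session=True)
    try:
        out, _ = proc.communicate(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # Kill the whole process group so helpers it spawned die too.
        os.killpg(proc.pid, signal.SIGKILL)
        proc.communicate()
        return ("killed", "wall-clock timeout")
    if proc.returncode < 0:
        return ("killed", "signal %d" % -proc.returncode)
    if proc.returncode not in ALLOWED_EXIT_CODES:
        return ("rejected", "exit code %d" % proc.returncode)
    return ("ok", out.decode(errors="replace").strip())


if __name__ == "__main__":
    # Constructed sample jobs standing in for integration scripts.
    for src in ("print('synced')", "import time; time.sleep(30)",
                "while True: pass", "import sys; sys.exit(7)"):
        print(src, "->", run_extension([sys.executable, "-c", src]))
```

The wall-clock timeout catches a job that hangs while idle, and the CPU limit catches one that spins; a container runtime's own CPU and memory limits serve the same purpose when the job is packaged as an image.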