Security

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: May 30, 2024 03:21 AM
From: Ha Tran
Subject: ClearPass Policy Manager integrate with Checkpoint Firewall

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Original Message:
Sent: May 30, 2024 02:50 AM
From: Herman Robers
Subject: ClearPass Policy Manager integrate with Checkpoint Firewall

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: May 29, 2024 10:29 PM
From: Ha Tran
Subject: ClearPass Policy Manager integrate with Checkpoint Firewall

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Yes, when i use "ip-address": "%{ip}" in content JSON, at Access Tracker --> Server Actions i can send API successful to Checkpoint that i replied below: 

In Access Tracker --> Input we can see at Computed Attributes all parameter what we need but dont know how to configure CPPM to fetch these params to send 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

I do not know OnGuard very well but I will try to help here.  This should make it so that you can see the IP Address in the Authorization Attributes and you will be able to use that in your post auth:



The issue you are having is that you can not pass the "computed attributes" during the post auth.

See if this works for you:

In the service you are using add the [Endpoints Repository] to Authorization tab under additional authorization sources.

In your role mapping add:

Make sure you still have the IP Address attribute manually added to the [Endpoints Repository]. 


{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Yes, when i use "ip-address": "%{ip}" in content JSON, at Access Tracker --> Server Actions i can send API successful to Checkpoint that i replied below: 

In Access Tracker --> Input we can see at Computed Attributes all parameter what we need but dont know how to configure CPPM to fetch these params to send 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Thank for you support, with your guide with Endpoint Repository i got "Authorization:[Endpoints Repository]:IP Address" in Access Tracker but i still facing with error 500 when try send api by manual belows: 

My content 

I do not know OnGuard very well but I will try to help here.  This should make it so that you can see the IP Address in the Authorization Attributes and you will be able to use that in your post auth:



The issue you are having is that you can not pass the "computed attributes" during the post auth.

See if this works for you:

In the service you are using add the [Endpoints Repository] to Authorization tab under additional authorization sources.

In your role mapping add:

Make sure you still have the IP Address attribute manually added to the [Endpoints Repository]. 


{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Yes, when i use "ip-address": "%{ip}" in content JSON, at Access Tracker --> Server Actions i can send API successful to Checkpoint that i replied below: 

In Access Tracker --> Input we can see at Computed Attributes all parameter what we need but dont know how to configure CPPM to fetch these params to send 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Lets try creating a Session Notification Enforcement and using that instead.

Configuration -> Enforcement -> Profiles - New
Template - Session Notification Enforcement
Name - SOMETHING
Description - SOMETHING

Attributes:
Session-Notify - Server Type - Generic HTTP Context Server
Session-Notify - Server IP - 10.155.20.210
Session-Notify - Login Action - Checkpoint Login
Session-Notify - Logout Action - Checkpoint logoff

Thank for you support, with your guide with Endpoint Repository i got "Authorization:[Endpoints Repository]:IP Address" in Access Tracker but i still facing with error 500 when try send api by manual belows: 

My content 

I do not know OnGuard very well but I will try to help here.  This should make it so that you can see the IP Address in the Authorization Attributes and you will be able to use that in your post auth:



The issue you are having is that you can not pass the "computed attributes" during the post auth.

See if this works for you:

In the service you are using add the [Endpoints Repository] to Authorization tab under additional authorization sources.

In your role mapping add:

Make sure you still have the IP Address attribute manually added to the [Endpoints Repository]. 


{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Yes, when i use "ip-address": "%{ip}" in content JSON, at Access Tracker --> Server Actions i can send API successful to Checkpoint that i replied below: 

In Access Tracker --> Input we can see at Computed Attributes all parameter what we need but dont know how to configure CPPM to fetch these params to send 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Yes, i created Session Nortification Enforcement Profile and mapped it in Services. My result above is manually send from Access Tracker to test. 

Lets try creating a Session Notification Enforcement and using that instead.

Configuration -> Enforcement -> Profiles - New
Template - Session Notification Enforcement
Name - SOMETHING
Description - SOMETHING

Attributes:
Session-Notify - Server Type - Generic HTTP Context Server
Session-Notify - Server IP - 10.155.20.210
Session-Notify - Login Action - Checkpoint Login
Session-Notify - Logout Action - Checkpoint logoff

Thank for you support, with your guide with Endpoint Repository i got "Authorization:[Endpoints Repository]:IP Address" in Access Tracker but i still facing with error 500 when try send api by manual belows: 

My content 

I do not know OnGuard very well but I will try to help here.  This should make it so that you can see the IP Address in the Authorization Attributes and you will be able to use that in your post auth:



The issue you are having is that you can not pass the "computed attributes" during the post auth.

See if this works for you:

In the service you are using add the [Endpoints Repository] to Authorization tab under additional authorization sources.

In your role mapping add:

Make sure you still have the IP Address attribute manually added to the [Endpoints Repository]. 


{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Yes, when i use "ip-address": "%{ip}" in content JSON, at Access Tracker --> Server Actions i can send API successful to Checkpoint that i replied below: 

In Access Tracker --> Input we can see at Computed Attributes all parameter what we need but dont know how to configure CPPM to fetch these params to send 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks! 

Your Post authentication profile above looks like HTTP type enforcement and not a "Session Notification Enforcement".

Can you send the access tracker logs for for the test client.

Yes, i created Session Nortification Enforcement Profile and mapped it in Services. My result above is manually send from Access Tracker to test. 

Lets try creating a Session Notification Enforcement and using that instead.

Configuration -> Enforcement -> Profiles - New
Template - Session Notification Enforcement
Name - SOMETHING
Description - SOMETHING

Attributes:
Session-Notify - Server Type - Generic HTTP Context Server
Session-Notify - Server IP - 10.155.20.210
Session-Notify - Login Action - Checkpoint Login
Session-Notify - Logout Action - Checkpoint logoff

Thank for you support, with your guide with Endpoint Repository i got "Authorization:[Endpoints Repository]:IP Address" in Access Tracker but i still facing with error 500 when try send api by manual belows: 

My content 

I do not know OnGuard very well but I will try to help here.  This should make it so that you can see the IP Address in the Authorization Attributes and you will be able to use that in your post auth:



The issue you are having is that you can not pass the "computed attributes" during the post auth.

See if this works for you:

In the service you are using add the [Endpoints Repository] to Authorization tab under additional authorization sources.

In your role mapping add:

Make sure you still have the IP Address attribute manually added to the [Endpoints Repository]. 


{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Yes, when i use "ip-address": "%{ip}" in content JSON, at Access Tracker --> Server Actions i can send API successful to Checkpoint that i replied below: 

In Access Tracker --> Input we can see at Computed Attributes all parameter what we need but dont know how to configure CPPM to fetch these params to send 

Sorry - I misunderstood your setup and thought this was radius.

Lets try this:
Change your JOSN so that the IP address is manually set.  This will let us know if the issue is just the %{ip} not getting resolved.  If the manual IP address works then we need to figure out a variable that we can pass that will resolve.

change this:
"ip-address": "%{ip}"
to 
"ip-address": "192.168.31.174"

If manually setting the IP address in the JOSN works then I will need to see the details of the input tab so that I can see what data has the IP address of the client.  I do not use OnGuard so I do not know what the tracker normally looks like for onguard.

We just need to find the right variable to send to your JSON.

Tk for your feedback, 1st of all, we're not connecting CPPM to RADIUS server cus it's not in our Network so we're trying to use HTTP Based Enforcement Profile to trigger send API to Checkpoint. So at Access Tracker, we can see on Output --> RADIUS response mapping with Application Response below 

My  Endpoint Context Server config 

Context Server Actions config  

Post-Authentication profile 

We're using Checkpoint Firewall version R81.20 for lab. From Access Tracker --> Server Actions i can run the JSON test and sent API successfuly to CheckPoint belows: 

So, the issue here is whether, in the case that I cannot integrate the Radius Server, there is a way for CPPM to retrieve the login parameters of the OnGuard user and send them to CheckPoint. If so, please guide me on how to do this. Thank you! 

Can you show me:
1. The logs of the RADIUS attempt from the Access Tracker.  I am looking for " INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content" 

2. The Authorization Attributes from the tracker log.

3. The Endpoint Context Server config for the checkpoint - the config for all tabs.

4. The Context Server Actions - config for all tabs

5. Your Post-Authentication profile - the first page of that will give me all the details.

Question:
What version/firmware is your checkpoint running?

Other thing to try:
You can use postman to run the JSON directly against the checkpoint to test what you need to run for this to work.  If you do not know how to do this, I can walk you through it at a later point after we check the CPPM config.

Hi, thank for your feedback. I have tried according to your suggestion: 

My configure: 

At Endpoint Repository

And at Context Server Actions 

Result: Failed - when i tried to manual send by Server Actions at Access Tracker i got error 500: Internal Error 

Kindly help me with this issue, tks! 

I wish TAC support wasn't so bad....  Aruba is really going to die off at this point.

Use this:

{
   "Shared-secret": "",
   "user": "%{Radius:IETF:User-Name}",
   "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
}

You need to add that Attribute (IP Address) to the Endpoints Repository:
CPPM -> Configuration -> Authentication -> Sources -> Authentication Sources - [Endpoints Repository]

Attributes -> Add More Filters:
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip
Alias Name: IP Address
Data Type: String
Enabled As: Attribute

Let me know if this works for you or not.

I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

So currently, I am confused about integrating with the Radius Server. How do I connect ClearPass and Checkpoint Firewall with Radius? How do I configure ClearPass? How can there be an accounting service when a User logs in to OnGuard? Please help me :) 

ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

RADIUS Accounting needs to be enabled on your switch/ap/controller;

In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

If you see %{ip} that means that there is no IP information for that client.

update for my issue, Currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

I'm unsure if this integration works with just onguard, it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.

Hi Herman, tk for your reply, for your questions: 

Do you have accounting setup and working, including 'log interim accounting'? - Nope. We dont have AD Server so we only used LDAP Server for Authenticate user Login to OnGuard Agent. So now, as your questions, we must configure Accounting for CPPM system, right ? 

Do you have accounting setup and working, including 'log interim accounting'?

Do you see the Client IP address in Access Tracker under accounting?

ClearPass Policy Manager issues when integrate with CheckPoint Firewall via Identity Awareness

Step Configuration in ClearPass

Create Endpoint Context Server and Target to Checkpoint gateway

Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

Created HTTP based enforcement profile with necessary attributes:

Linked this enforcement profile as action in our web auth policy:

Then I tried to login user at OnGuard Agent and check log at Access Tracker, result:

But NO identity awareness log sent to Checkpoint, I was check in Log collected from server but no send request from ClearPass

Postauthctrl.log

Am I missing some steps? How can I debug this part?

Then i tried to replace Content tab like this 

Then i tried to force send api at Access Tracker --> Server Actions but got Error: 500 Internal Error 

How can ClearPass detect ip-address of User to send to Checkpoint ? Kindly help me to debug thanks!