Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Generic HTTP Context Server OAuth Error

  • 1.  Generic HTTP Context Server OAuth Error

    Posted Feb 26, 2024 08:22 PM

    Hi folks, 

    I'm attempting to add a Generic HTTP Context Server that requires OAuth2 (grant_type=client_credentials). After entering required fields, I get an error when I click the "validate" button saying "Invalid OAuth2 credentials". I've got the same client id/secret set up in Postman just fine. 

    Any tips on troubleshooting this? Is there a debug I can enable to see what kind of response I got from the token endpoint? The server will accept client id/secret in body or as an Authorization header using Basic auth, so I don't think that's the problem. Not sure what else it could be though.



  • 2.  RE: Generic HTTP Context Server OAuth Error

    EMPLOYEE
    Posted Feb 27, 2024 03:38 AM

    There is not much information in your request, such as how you entered the credentials in the ClearPass Context Server or in the Postman setup that you used for testing, or about the application that you are trying to reach.

    In that situation, I would set up a PHP script that records all headers and the payload of the HTTPS request, and fire both ClearPass and Postman at that script to compare and find the differences. It may be some additional header that is required and missing. It may be possible to increase logging in ClearPass, but I would not know which log to increase, and dumping the requests and comparing them has worked for me in the past.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Generic HTTP Context Server OAuth Error

    Posted Feb 27, 2024 10:21 AM

    Thanks for the reply, Herman!

    I tried your suggestion with Python instead of PHP. 

    Found that ClearPass is sending the body as application/json, whereas the server only accepts application/x-www-form-urlencoded.

    Also seems that x-www-form-urlencoded is mandatory per spec: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1

    Any suggestions for how to proceed?
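
The capture-and-compare approach from this exchange, as an added example that is not code from either poster or from ClearPass: a stub token endpoint that summarizes each POST (content type, auth scheme, parameter names, grant_type) without keeping secret values, then diffs two captures. The listen address, port, sample requests and all function names are assumptions; it serves plain HTTP, so TLS is assumed to be terminated in front of it.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

CAPTURED = []  # one summary per token request received

def summarize(headers, body):
    """Reduce a token request to what matters for comparison; secret values are never kept."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    params = {}
    if ctype == "application/x-www-form-urlencoded":
        params = {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
    elif ctype == "application/json":
        try:
            parsed = json.loads(body or b"{}")
            params = parsed if isinstance(parsed, dict) else {}
        except ValueError:
            pass  # malformed JSON: report the content type with no parameters
    auth = h.get("authorization", "")
    return {"content_type": ctype,
            "auth_scheme": auth.split(" ", 1)[0] if auth else None,
            "param_names": sorted(params),
            "grant_type": params.get("grant_type")}

def differences(a, b):
    """Fields whose values differ between two summaries, as (a, b) pairs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

class Capture(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        CAPTURED.append(summarize(self.headers, self.rfile.read(length)))
        print(json.dumps(CAPTURED[-1]))
        if len(CAPTURED) > 1:
            print("diff vs first request:", differences(CAPTURED[0], CAPTURED[-1]))
        self.send_response(400)  # never issue a token; this stub only records
        self.end_headers()

# Constructed sample requests (not captured from a real system).
SAMPLE_JSON = ({"Content-Type": "application/json"},
               b'{"grant_type": "client_credentials", "client_id": "demo", "client_secret": "s3cr3t"}')
SAMPLE_FORM = ({"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},
               b"grant_type=client_credentials&client_id=demo&client_secret=s3cr3t")

if __name__ == "__main__":
    print(differences(summarize(*SAMPLE_JSON), summarize(*SAMPLE_FORM)))
    # Address and port are arbitrary; bind where both clients can reach the stub.
    HTTPServer(("127.0.0.1", 8080), Capture).serve_forever()
```

Because only parameter names are recorded, the captured output can be pasted into a support case without exposing the client secret.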




  • 4.  RE: Generic HTTP Context Server OAuth Error

    EMPLOYEE
    Posted Feb 27, 2024 12:00 PM

    That is not something that I can test very easily. If there are no other responses here, can you open a case with TAC? The OAuth2 is relatively new, or I just did not see the option before. There was a Universal Authentication Proxy in the past that took care of this... if code changes have to be done, it may be worth having a look at that if it still works.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Generic HTTP Context Server OAuth Error

    Posted Feb 27, 2024 02:05 PM

    I have opened a TAC case. Was not aware of the UAP extension, but will see if it fits my use case in the interim.