Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Jamf Pro context server - Bearer token authentication?

  • 1.  Jamf Pro context server - Bearer token authentication?

    Posted Aug 27, 2024 09:52 AM

    Hello there..

    We've been using Jamf Pro as just a context server. It's been working properly until recently. My understanding is once they stopped allowing basic user authentication, you could enable bearer token authentication to continue using the user account in Jamf.

    But enabling this results in several error messages per SECOND showing under Events:

    "Failed to fetch Endpoint details from jss.pds.org Error code: 401 Verify Proxy settings, Server credentials and retry."

    Have a case with TAC, but the first thing they said is that ClearPass doesn't support OAUTH authentication, even though this is an option - TAC first line of support recently leaves a lot to be desired, to be honest.

    Any ideas?





  • 2.  RE: Jamf Pro context server - Bearer token authentication?

    Posted Aug 28, 2024 11:16 AM

    If you don't get a proper answer from first line: escalate the ticket.

    And it may help to not provide a semi-solution like using OAUTH, because you may get the response that it's not supported. Just ask them to solve the issue with the JAMF integration, that is, the 401 errors that you see in the logs. There must be other users with the same issue if JAMF stopped supporting the authentication that the extension uses, so escalate as much as possible until you have an answer. This may need engineering work, and for that reason it's important to get this to engineering sooner rather than later (if it's not a config error on your side).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Jamf Pro context server - Bearer token authentication?

    Posted Aug 28, 2024 11:39 AM

    I did an internal call, and apparently it's expected that the JAMF context servers don't work; and you should use the Extension instead. There is a tech note on the JAMF Pro extension here.

    Can you try that?

    Update: Bearer token should work with the standard context server, for OAuth use the extension.

    ------------------------------
    Herman Robers
    ------------------------------



  • 4.  RE: Jamf Pro context server - Bearer token authentication?

    Posted Sep 04, 2024 02:03 PM

    Hi Herman,

    For some reason, when we enable Bearer token, we are getting lots of errors, even though it seems to be retrieving "some" attributes (we noticed we are not getting groups all of a sudden).

    Here's what TAC was able to see. We are trying to coordinate a 3-way call with Jamf.






  • 5.  RE: Jamf Pro context server - Bearer token authentication?

    Posted Sep 09, 2024 10:13 AM

    I'm in the same boat. JAMF upgraded and removed basic auth. 
    Enabling bearer token authentication is just returning the error posted by OP (su_A_ve). 

    I have never worked with JAMF extension before.
    Is the original JAMF connector in ClearPass broken, and does it need an update? I'm on CP-6.11.9.

    Any update will be helpful.




  • 6.  RE: Jamf Pro context server - Bearer token authentication?

    Posted Sep 09, 2024 03:31 PM
    Update - we had a 3-way call with Aruba and Jamf.

    Bottom line, the Context Server option within CPPM is broken. Bearer token seems to work, but produces tens of errors per second until all records are pulled. It seems that CPPM is trying to authenticate again, but Jamf says, "hey, you have a valid token - use that" and returns a 401 error.

    Next was to create an API role within Jamf, and a new API user. We tried using OAUTH in the context server, but it would always say "invalid token" (even though it was verified correct).

    We then moved to use the extension in ClearPass Guest. There was an extension installed, but if you update, you don't get the proper configuration options to enter the token info. We uninstalled it and installed it again. Then we were able to add the token and it worked.

    We did have to change some of the enforcement policies since now everything comes in under JAMF. For example, "JAMF Group Names" instead of "Group Names".
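
An added illustration of the token handling discussed in this thread, not part of any post and not ClearPass or Jamf code: a constructed in-memory server that rejects Basic credentials on data requests, and a client that fetches one bearer token, reuses it until shortly before expiry, and retries at most once on a 401. `FakeJamf`, `BearerClient`, `basic_header`, the 1800-second lifetime and the sample record are all assumptions made for the example.

```python
import base64
import secrets

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class FakeJamf:
    """Constructed stand-in for an MDM API that no longer accepts Basic auth on data calls."""
    def __init__(self, user, password, ttl=1800):
        self._basic, self._ttl = basic_header(user, password), ttl
        self._tokens = {}      # token -> expiry (epoch seconds)
        self.issued = 0        # how many tokens the server has handed out

    def post_token(self, authorization, now):
        # Token endpoint: the only place where Basic credentials are still accepted.
        if authorization != self._basic:
            return 401, None
        token = secrets.token_urlsafe(16)
        self._tokens[token] = now + self._ttl
        self.issued += 1
        return 200, {"token": token, "expires": now + self._ttl}

    def get_computer(self, authorization, serial, now):
        scheme, _, value = authorization.partition(" ")
        if scheme != "Bearer" or self._tokens.get(value, 0) <= now:
            return 401, None   # Basic header, unknown token or expired token
        return 200, {"serial": serial, "groups": ["Constructed Group"]}

class BearerClient:
    """Fetch one token, reuse it until `skew` seconds before expiry, retry once on 401."""
    def __init__(self, server, user, password, skew=60):
        self._server, self._basic, self._skew = server, basic_header(user, password), skew
        self._token, self._expires = None, 0

    def _bearer(self, now, force=False):
        if force or self._token is None or now >= self._expires - self._skew:
            status, body = self._server.post_token(self._basic, now)
            if status != 200:
                raise PermissionError("token request rejected")
            self._token, self._expires = body["token"], body["expires"]
        return "Bearer " + self._token

    def lookup(self, serial, now):
        status, body = self._server.get_computer(self._bearer(now), serial, now)
        if status == 401:      # token revoked early: refresh once, never loop
            status, body = self._server.get_computer(self._bearer(now, force=True), serial, now)
        return status, body
```

A client built this way makes one token request per token lifetime, so a run of 401s against it points at the credentials or the account's API role rather than at the request rate.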