Security

  • 1.  User Blacklist

    Posted Feb 07, 2022 01:34 PM

    Problem: We have end-users using multiple email addresses to authenticate to our wireless network - either on the university vanity SSID or eduroam.  We would like a blacklist which Information Security can audit and edit which will deny access to users where that email address is embedded in their certificate or in the PEAP login via eduroam.

    Solution: well, I can figure out most of the solution except where to put the User Blacklist and how to make it accessible to Information Security. My first thought was to create a Custom DB on our IPAM system (which holds most of our customizations in general). I have a REST API call to the IPAM which works and returns a JSON of all the email addresses in question:

    [
        {
            "custom_db_data_id": "36015",
            "custom_db_name_id": "9",
            "descr": "List of users which cannot use the network",
            "errno": "0",
            "label1": "Email Address",
            "label10": "",
            "label2": "",
            "label3": "",
            "label4": "",
            "label5": "",
            "label6": "",
            "label7": "",
            "label8": "",
            "label9": "",
            "name": "User-BlackList",
            "read_only": "0",
            "type": "WPI",
            "value1": "bjhiggins@wpi.edu",
            "value10": "",
            "value2": "",
            "value3": "",
            "value4": "",
            "value5": "",
            "value6": "",
            "value7": "",
            "value8": "",
            "value9": ""
        }
    ]


    As you can see, I was a bad boy and should not be able to access our network anymore. The question is how ClearPass can consume this data to make it usable. I was thinking about using an "Authentication Source" as that can query an HTTP source. But I'm not entirely certain which boxes to fill in and with what.

    I assume I would put "http://10.215.32.106/rest" in the Primary -> Base URL field.  Then in Attributes, I would create a new filter that I can put as Filter Query the remainder of the URL "/rest/custom_db_data_list/WHERE/name%3D%27User-Blacklist%27+and+value1+LIKE+%27%25%{Authentication:Username}%25%27" (forgive URL encoding) ...  And that's as far as I get.  So my questions become:

    - Is this the right place to put an external User Blacklist? 
    - Is there a better way to do it either externally or internal to CPPM?
    - Does CPPM understand JSON in this way? If so, can I create a Boolean? If something is returned, the Boolean makes Attribute Denied TRUE ... if nothing is returned, the Boolean makes Attribute Denied FALSE

    This is mostly just spit-balling and testing - I would love to hear if anyone else had implemented this differently/better.

    Thanks!



    ------------------------------
    Ben Higgins
    ------------------------------


  • 2.  RE: User Blacklist

    Posted Feb 07, 2022 02:32 PM
    There are a few different ways this can be done. An HTTP authorization source is one way. ClearPass can consume a JSON response, extract the attributes and use them as part of policy enforcement. Note that the HTTP authz source only supports basic authentication. For the attribute parsing, under the HTTP auth source you need to add the names of the attributes that you want to parse, which in your case seems to be "value1", assuming value1 will always be the email.

    Another option would be to add these blacklisted emails to the guest repository with a role name of "blacklisted", use the guest user repository as an authorization source, and restrict access based on the role.

    A third option would be to use APIs to tag the endpoint with attributes that mark the endpoint as non-compliant.

    ------------------------------
    Mathew George
    ------------------------------
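The following is an added example, not code from either poster or from ClearPass, that works through the first option in the reply: the filter URL from the question, the JSON row shape from the question, and the "value1" attribute the reply says to parse. It assumes the IPAM WHERE syntax exactly as written in the question and a plain string in place of ClearPass's %{Authentication:Username} substitution, so the encoding and the match rule can be checked offline before any of it is typed into the authorization source. The sample response is constructed to mirror the one in the post; nothing is contacted.

```python
import json
import re
from urllib.parse import quote_plus

# Values taken from the post. The IPAM address is private and is only
# used here to build strings; this script makes no network calls.
BASE_URL = "http://10.215.32.106/rest"
DB_NAME = "User-BlackList"

# Constructed sample with the same shape as the response in the post
# (one row per blacklisted address; only value1 carries the email).
SAMPLE_RESPONSE = json.dumps([
    {"custom_db_data_id": "36015", "custom_db_name_id": "9",
     "descr": "List of users which cannot use the network", "errno": "0",
     "label1": "Email Address", "name": DB_NAME, "read_only": "0",
     "type": "WPI", "value1": "bjhiggins@wpi.edu"},
])

# Shape a username must have before it is spliced into the IPAM WHERE
# clause. URL-encoding alone is not a defence: the IPAM decodes the path
# before evaluating the clause, so a quote in the username would still
# reach it. Quotes, spaces and '%' are therefore rejected up front.
# ('_' is a single-character wildcard under LIKE, one more reason to
# compare with '=' instead.)
USERNAME_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def filter_url(username: str, exact: bool = True) -> str:
    """Build the custom_db_data_list filter URL from the post.

    exact=True compares value1 with '='; exact=False reproduces the
    post's LIKE '%user%' form so the two can be compared side by side.
    """
    if not is_valid_username(username):
        raise ValueError(f"refusing to embed username in query: {username!r}")
    if exact:
        where = f"name='{DB_NAME}' and value1='{username}'"
    else:
        where = f"name='{DB_NAME}' and value1 LIKE '%{username}%'"
    # quote_plus encodes space as '+', '=' as %3D, quotes as %27 and '%'
    # as %25, which is the encoding shown in the post.
    return f"{BASE_URL}/custom_db_data_list/WHERE/{quote_plus(where)}"


def blacklisted_emails(response_text: str) -> set:
    """Parse the IPAM JSON and return the value1 column, lower-cased.

    A non-zero errno means the lookup itself failed; that is raised
    rather than reported as 'not blacklisted', so a broken IPAM does not
    silently turn into Denied = FALSE for everyone.
    """
    rows = json.loads(response_text)
    emails = set()
    for row in rows:
        if row.get("errno", "0") != "0":
            raise RuntimeError(f"IPAM returned errno {row['errno']}")
        email = row.get("value1", "").strip().lower()
        if email:
            emails.add(email)
    return emails


def is_denied(response_text: str, username: str) -> bool:
    """The Boolean asked for in the post: TRUE only on an exact
    (case-folded) match against value1, FALSE when nothing comes back."""
    return username.strip().lower() in blacklisted_emails(response_text)


def like_would_match(response_text: str, username: str) -> bool:
    """What the post's LIKE '%user%' filter would hit: any blacklisted
    address that merely contains the username as a substring."""
    needle = username.strip().lower()
    return any(needle in e for e in blacklisted_emails(response_text))


if __name__ == "__main__":
    print(filter_url("bjhiggins@wpi.edu"))
    print(filter_url("bjhiggins@wpi.edu", exact=False))
    for user in ("bjhiggins@wpi.edu", "higgins@wpi.edu", "nobody@wpi.edu"):
        print(f"{user:20} denied={is_denied(SAMPLE_RESPONSE, user)} "
              f"like_match={like_would_match(SAMPLE_RESPONSE, user)}")
```

Two things the script makes visible. First, the LIKE '%user%' form in the question over-matches: a username of higgins@wpi.edu would be caught by the bjhiggins@wpi.edu row, so an innocent user is denied; an exact '=' comparison (or the exact set membership in is_denied) avoids that. Second, since the reply notes the HTTP authorization source only supports basic authentication, the http:// base URL from the question would send the IPAM credentials in the clear on every lookup; the IPAM endpoint should be reachable over https before this goes into ClearPass.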