Security

Reply
Highlighted
Contributor I

CPPM - EndPoint Context Server to EfficientIP

We are experimenting with ways to auto-register new devices with our IPAM Solution, EfficientIP SOLIDServer.

 

In order to communicate with the EIP API, we need to:

   - Do a rest call to https://1.2.3.4/rpc/some_query.php

   - Set the HTTP Header X-IPM-Username to the  base64_encode('adminuser')

   - Set the HTTP Header X-IPM-Password to the  base64_encode('password')

 

Unfortunately, when I setup the Endpoint Context Server and put in the  base64_encode value for Username, I recieve the error "Username contains special characters other than -, _, { }, [ ], ( ), period and space."  This is because the base64 encode of the user I am using has an = symbol in it.

 

1) Is there any way to get around this annoying error?

2) Can I put the un-encoded username/password in the Endpoint Context Server and have CPPM convert the value in the Endpoint Context Server Action?  Right now, the best I can think of is to set X-IPM-Username = %{Server.Username}.  

 

Any thoughts on how to do this natively in CPPM?

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
Guru Elite

Re: CPPM - EndPoint Context Server to EfficientIP

Take a look at the Universal Authentication Proxy Extension.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: CPPM - EndPoint Context Server to EfficientIP

That seems ... needlessly messy.  The EIP API call fits into the CPPM Endpoint Context Server mold with the exception of CPPM doesn't like an equal sign in the username.

 

The TechNote I found on the Universal Authentication Proxy (https://community.arubanetworks.com/t5/Security/NEW-TechNote-V1-ClearPass-and-Universal-Authentication-Proxy/td-p/297164) doesn't seem to address my issue of using base64_endode on the plain text username/password or fix the CPPM UI so that I can enter the appropraite data.

 

Am I missing something?  Has UAP evolved since 2017 and I just haven't found the correct TechNote yet?

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
Contributor I

Re: CPPM - EndPoint Context Server to EfficientIP

I think I found a way around this.  The Endpoint Context Server Actions have the ability to set the "Authentication Method" to None.  Then I can put the base64 encoded password and username in as Headers.

 

Unfortunately, the Endpoint Context Server itself sets "Authentication Method" to Basic, oAUTH or both.  There is no none option on the server.

 

Is there any way to remove the authentication from the Endpoint Context Server entry in lieu of this method of connecting to the REST API?

 

 

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
Moderator

Re: CPPM - EndPoint Context Server to EfficientIP

Ben,

 

Set the CS to Basic {don't config any creds} and set the CSA to None.


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: