CPPM integration with iBoss content filter

  • 1.  CPPM integration with iBoss content filter

    Posted Mar 07, 2015 12:40 PM

    Last year I was able to get CPPM to pass the vsys logs to my Palo Alto firewall for user authentication to get the correct firewall profiles. I recently got an iBoss web filter, and I'd like to have CPPM pass user info to the content filter as well. Has anyone got any information on how to get this working? CPPM is on version 6.5 and the iBoss is on the latest version of 7.

     

    Thanks for any info!



  • 2.  RE: CPPM integration with iBoss content filter

    EMPLOYEE
    Posted Mar 10, 2015 01:55 AM

    Most filters have an open API, syslog, or proxy accounting. Here are some examples of other third-party integrations. I took a quick look at the iBoss website and couldn't find any data on whether they accept external data. You would need to contact iBoss and see what options you have. As of 6.5 you can proxy accounting from CPPM.

     

    http://community.arubanetworks.com/t5/ClearPass-Exchange-Recipes/tkbc-p/clearpass-recipes

     

     



  • 3.  RE: CPPM integration with iBoss content filter

    Posted Mar 10, 2015 01:59 AM

    I can add that we are in some discussions to see if we can provide an integrated solution with iBoss.

     

    Once I know a little more detail I can post back here.



  • 4.  RE: CPPM integration with iBoss content filter

    Posted May 28, 2015 11:53 AM

    Reviving an old thread... 

     

    I take it the native integration never panned out? Does anyone know if a Windows Network Policy Server is required with iBoss?

     

     



  • 5.  RE: CPPM integration with iBoss content filter
    Best Answer

    Posted May 28, 2015 11:56 AM

    I have this working here in the LAB.

     

    But you need a fix that is coming in 6.5.2 (mid June) to allow the integration to work as I found a bug during my integration work.

     

    Message me at danny@arubanetworks.com and I'll share a DRAFT TechNote on the integration to show you how it works......



  • 6.  RE: CPPM integration with iBoss content filter

    Posted May 28, 2015 12:21 PM

    That is great news!

     

    Are you using MS NPS to proxy the RADIUS messages, or can iBoss digest them directly?

     

    Thanks



  • 7.  RE: CPPM integration with iBoss content filter

    Posted May 28, 2015 12:27 PM

    It's a DIRECT integration using RESTful APIs.

     

    Send me an email and I'll share my DRAFT (it's complete) TechNote and you can see if what you want to achieve is plausible with my integration.



  • 8.  RE: CPPM integration with iBoss content filter

    Posted Dec 08, 2015 11:35 PM

    I did the API integration with iBoss, and I can see the packet post to the appliance using the IP address, and it will log users in. But when the logoff is triggered, I see the packet arrive at iBoss, yet when I go to see if that user is still logged in, they are. I cannot get the logout process to work.

    Has anyone done this? If so, what version of iBoss?

     

    Does iBoss have a document on the API?

     

    -Thanks



  • 9.  RE: CPPM integration with iBoss content filter

    Posted Dec 14, 2015 02:37 PM

    We are currently attempting to do this as well and noticing the same situation. We are running iBoss version 7.0.10.35 and ClearPass version 6.5.4.

     

    Still working on it and have a case in with iBoss.



  • 10.  RE: CPPM integration with iBoss content filter

    Posted Dec 14, 2015 03:35 PM

    @netbum  &  @TechCanoe99

     

    Please update me and this thread as you progress this with iBoss. I'm extremely keen to understand the outcome so that my TechNote can be updated appropriately.

    You can email me directly at danny@arubanetworks.com

     

    Many Thanks



  • 11.  RE: CPPM integration with iBoss content filter

    Posted Dec 14, 2015 09:18 PM
    Will do. I had a chance to talk with iBoss today, but the engineer was going to talk with others and get back to me. Our iBoss is out of date: 7.0.10.20. So we need to upgrade outside this issue.


  • 12.  RE: CPPM integration with iBoss content filter

    Posted Dec 16, 2015 12:44 PM

    Scott,

     

    Just FYI - when I did the integration with iBoss, my version [as documented in the TechNote] was much older than what you have today. Unfortunately I lost the instance of iBoss they provided. I'm trying to get them to light up an instance for me again so we can re-test, but I've not had much success in getting that delivered yet.

     

    The version I used was 7.0.6.10 - also please ensure you are using [if possible] the latest version of CPPM [6.5.4].

     

    Did you manage to get an update from iBoss this week?

     

     

    Cheers.

     

     



  • 13.  RE: CPPM integration with iBoss content filter

    Posted Jan 07, 2016 05:32 PM

    I was able to work on this on my own more and figured something out. I am not really sure what is the best way to do it because I don't know HTML code that well. I have it working now as it should. Once I find a clean way to do this I'll repost.



  • 14.  RE: CPPM integration with iBoss content filter

    Posted Jan 11, 2016 11:26 PM
    So in my testing I had to include &user=something in the API logoff. The something could be anything as long as it was not a valid username in iBoss or the directory that you have integrated with (we used LDAP).


  • 15.  RE: CPPM integration with iBoss content filter

    Posted May 03, 2016 12:37 PM

    We are attempting this integration. I have done everything in the TechNote, and I am seeing some successful requests in iBoss; however, my failure rate is very high, and the SSO doesn't seem to work as I had hoped. My success rate only seems to be about 1/3 of the total requests, and SSO is very random. Is anyone else seeing this type of failure rate, or do I have something wrong?



  • 16.  RE: CPPM integration with iBoss content filter

    Posted May 03, 2016 09:58 PM

    Ours is working as designed. We have our own issues and bugs that we had to work with. I am hoping by 2017 ClearPass is handling all the iBoss logins.

     

    Have you done a packet capture on the iBoss to see if you can see data coming from ClearPass? You should be able to see all the login information. You should see very similar requests from the domain controller. We are not passing groups from ClearPass, instead letting iBoss look those users up in LDAP to populate filtering policies. Doing groups in ClearPass seemed too complicated. Looking in iBoss, I can tell if ClearPass logged the user in because the hostname will be present (sent via the API).