Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cylance - Onboarding - Multiple auth source?

  • 1.  Cylance - Onboarding - Multiple auth source?

    Posted Dec 03, 2019 01:30 AM

    Currently using AD as my authentication source for onboarding devices as a pre-requisite.

     

    We also want to use the Cylance Integration ClearPass Extension - i.e. we want to ensure that Cylance is installed as a pre-requisite for processing onboarding.

     

    However, the Cylance integration guide mentions that it needs a separate authentication source to be used for this extension.

     

    It's not entirely clear - but should the Cylance auth source be the authorisation element of my Onboarding Aruba Application authentication service?



  • 2.  RE: Cylance - Onboarding - Multiple auth source?

    Posted Dec 03, 2019 08:55 PM

    Ok, I followed the cylance integration guide - but it omits the details regarding where to link it with your services.

     

    If I try to use it as the authorization source on my Onboarding Aruba Application Auth - it fails with:

     

    2019-12-04 11:44:10,651[RequestHandler-1-0x7f248f5fa700 r=W00000017-01-5de70f6a h=4287929 c=W00000017-01-5de70f6a] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2019-12-04 11:44:10,663[HttpModule-ThreadPool-20-0x7f250d2d2700 r=W00000017-01-5de70f6a h=146] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =?macAddress=%{Connection:Client-Mac-Address-Hyphen}, error=No values for param=Connection:Client-Mac-Address-Hyphen
    2019-12-04 11:44:10,663[HttpModule-ThreadPool-20-0x7f250d2d2700 r=W00000017-01-5de70f6a h=146] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from ?macAddress=%{Connection:Client-Mac-Address-Hyphen}
    2019-12-04 11:44:10,663[HttpModule-ThreadPool-20-0x7f250d2d2700 r=W00000017-01-5de70f6a h=146] ERROR Http.HttpAutzSession - Failed to get value for attributes=[Host Name, Is Found, OS Version]
    2019-12-04 11:44:10,664[RequestHandler-1-0x7f248f5fa700 h=4287931 c=W00000017-01-5de70f6a] INFO Core.PETaskRoleMapping - Roles: [Other], [User Authenticated]

    If I try to use it as the authorization source on my RADIUS authentication I get the error:

     

    2019-12-04 11:26:38,792[RequestHandler-1-0x7f248f5fa700 r=R0002bebc-01-5de70b4e h=4283947 c=R0002bebc-01-5de70b4e] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2019-12-04 11:26:38,793[HttpModule-ThreadPool-4-0x7f2519910700 r=R0002bebc-01-5de70b4e h=130] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404

     

    I've enabled DEBUG logging in the extension, but nothing is generated in the logging:

    [2019-12-03T13:38:31.210] [INFO] cylance - SSL Verification Enabled. (Config: "verifySSLCerts": true)
    [2019-12-03T13:38:31.220] [INFO] cylance - Server listening on port 80
    [2019-12-04T09:46:55.388] [DEBUG] cylance - Settings:
    [2019-12-04T09:46:55.393] [DEBUG] cylance - {
    "logLevel": "DEBUG",
    "verifySSLCerts": true,
    "cylanceSubDomain": "protectapi",
    "cylanceTenantId": "*****",
    "cylanceApplicationId": "*****",
    "cylanceApplicationSecret": "**********",
    "enableEndpointCache": false,
    "cppmUserName": "<<ClearPass User Name>>",
    "cppmPassword": "**********",
    "enableEndpointFullSync": false,
    "endpointSyncDelayMinutes": 10080,
    "includeThreatSummary": false,
    "fullSyncOnStart": false
    }
    [2019-12-04T09:46:55.394] [INFO] cylance - SSL Verification Enabled. (Config: "verifySSLCerts": true)
    [2019-12-04T09:46:55.394] [DEBUG] cylance - The API Url for CPPM is https://172.17.0.1/api.
    [2019-12-04T09:46:55.400] [INFO] cylance - Server listening on port 80

     

    Anyone successfully implemented this?



  • 3.  RE: Cylance - Onboarding - Multiple auth source?

    EMPLOYEE
    Posted Dec 03, 2019 10:01 PM

    You'd only be able to use it in your Onboard Authorization service.

     

    This type of flow isn't really recommended. If the devices are already under management, you shouldn't use Onboard Assisted Provisioning. OAP is designed for unmanaged devices.



  • 4.  RE: Cylance - Onboarding - Multiple auth source?

    Posted Dec 03, 2019 10:10 PM

    Hi Tim,

     

     Thanks for the info - although I'm not sure I follow.

     

     I can only use this in my onboard auth - but it's not a recommended flow?

     

     Where would be the logical place to verify if the asset is compliant (with Cylance) before allowing connection? Wouldn't that be on the RADIUS auth?



  • 5.  RE: Cylance - Onboarding - Multiple auth source?

    EMPLOYEE
    Posted Dec 03, 2019 10:33 PM

    Yes, these integrations are typically used in an 802.1X service.

     



  • 6.  RE: Cylance - Onboarding - Multiple auth source?

    Posted Dec 03, 2019 10:43 PM

    Thanks - that's where I tried on my second attempt.

     

    However, I get HTTP attribute query returned error=404 errors.

     

    2019-12-04 11:26:38,792[RequestHandler-1-0x7f248f5fa700 r=R0002bebc-01-5de70b4e h=4283947 c=R0002bebc-01-5de70b4e] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2019-12-04 11:26:38,793[HttpModule-ThreadPool-4-0x7f2519910700 r=R0002bebc-01-5de70b4e h=130] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404



  • 7.  RE: Cylance - Onboarding - Multiple auth source?

    EMPLOYEE
    Posted Dec 04, 2019 10:05 AM

    404 usually means the endpoint wasn't found.
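The two errors quoted in posts 2 and 6 come from different stages of the same HTTP authorization lookup: first ClearPass expands the `%{Connection:Client-Mac-Address-Hyphen}` parameter in the configured path from the request's attributes, then it issues the GET and reads the returned attributes. The script below is an added illustration, not code from the thread, from HPE Aruba or from the Cylance extension; it reproduces both failure modes against a constructed in-memory stand-in for the extension. The path template and the attribute names (Host Name, Is Found, OS Version) are taken from the posted log; the extension's real route, response format, the `FAKE_EXTENSION_DB` contents and the sample request contexts are assumptions.

```python
"""Added example: how a parameterised HTTP attribute query fails in the two
ways seen in the thread. Not ClearPass or Cylance code; the extension's
route/response shape and the sample data below are assumptions."""

import re
from urllib.parse import parse_qs, urlsplit

# Path template exactly as it appears in the posted ClearPass log.
PATH_TEMPLATE = "?macAddress=%{Connection:Client-Mac-Address-Hyphen}"
# Attributes the log shows ClearPass trying to read from the reply.
WANTED_ATTRS = ("Host Name", "Is Found", "OS Version")

PARAM_RE = re.compile(r"%\{([^}]+)\}")


class AutzError(Exception):
    """Where the real service would log an ERROR and return no attributes."""


def expand_path(template, request_attrs):
    """Replace every %{Namespace:Attribute} with the request's value.

    Mirrors the first failure: an Onboard (web) request carries no
    Connection:Client-Mac-Address-Hyphen, so substitution cannot complete.
    """
    def repl(match):
        key = match.group(1)
        if key not in request_attrs:
            raise AutzError(f"No values for param={key}")
        return request_attrs[key]
    return PARAM_RE.sub(repl, template)


# Constructed sample data standing in for what the extension has learned from
# the Cylance API (assumed; the real extension's data model is not shown).
FAKE_EXTENSION_DB = {
    "00-11-22-33-44-55": {"Host Name": "LAPTOP-01",
                          "Is Found": "true",
                          "OS Version": "Windows 10"},
}


def fake_extension_get(path):
    """Stand-in for an HTTP GET against the extension (assumed behaviour).

    Returns (status_code, attribute_dict). A MAC the extension does not know
    yields 404, which is the second failure in the thread.
    """
    query = parse_qs(urlsplit(path).query)
    mac = (query.get("macAddress") or [""])[0].lower()
    record = FAKE_EXTENSION_DB.get(mac)
    if record is None:
        return 404, {}
    return 200, record


def query_autz_attributes(request_attrs, http_get=fake_extension_get):
    """Expand the path, query the extension, pick out the wanted attributes."""
    path = expand_path(PATH_TEMPLATE, request_attrs)
    status, body = http_get(path)
    if status != 200:
        raise AutzError(f"HTTP attribute query returned error={status}")
    return {key: body.get(key) for key in WANTED_ATTRS}


def classify(request_attrs, http_get=fake_extension_get):
    """Summarise the outcome in one line, phrased like the ClearPass log."""
    try:
        attrs = query_autz_attributes(request_attrs, http_get)
    except AutzError as err:
        return f"ERROR: {err}"
    return "OK: " + ", ".join(f"{k}={v}" for k, v in attrs.items())


# Constructed request contexts (assumed; attribute names follow ClearPass style).
RADIUS_KNOWN = {"Connection:Client-Mac-Address-Hyphen": "00-11-22-33-44-55"}
RADIUS_UNKNOWN = {"Connection:Client-Mac-Address-Hyphen": "66-77-88-99-aa-bb"}
ONBOARD_WEB = {"Authentication:Username": "alice"}  # web login: no client MAC

if __name__ == "__main__":
    for name, ctx in (("radius-known", RADIUS_KNOWN),
                      ("radius-unknown", RADIUS_UNKNOWN),
                      ("onboard-web", ONBOARD_WEB)):
        print(f"{name:15} -> {classify(ctx)}")
```

Running it shows the Onboard context failing before any HTTP request is made (the parameter cannot be expanded), while the RADIUS context reaches the extension and only then gets a 404 for a MAC it does not know. When debugging a real deployment, that ordering tells you which side to look at: an unexpanded parameter is a ClearPass service/attribute problem, a 404 is the extension answering that it has no record for the queried endpoint (or that the configured path is wrong).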