Security

Occasional Contributor II

Cylance - Onboarding - Multiple auth source?

Currently using AD as my authentication source for onboarding devices as a prerequisite.

 

We also want to use the Cylance Integration ClearPass Extension, i.e. we want to ensure that Cylance is installed as a prerequisite for processing onboarding.

 

However, the Cylance integration guide mentions that it needs a separate authentication source to be used for this extension.

 

It's not entirely clear, but should the Cylance auth source be the authorisation element of my Onboarding Aruba Application authentication service?

Occasional Contributor II

Re: Cylance - Onboarding - Multiple auth source?

Ok, I followed the Cylance integration guide, but it omits the details regarding where to link it with your services.

 

If I try to use it as the authorization source on my Onboarding Aruba Application Auth, it fails with:

 

2019-12-04 11:44:10,651[RequestHandler-1-0x7f248f5fa700 r=W00000017-01-5de70f6a h=4287929 c=W00000017-01-5de70f6a] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2019-12-04 11:44:10,663[HttpModule-ThreadPool-20-0x7f250d2d2700 r=W00000017-01-5de70f6a h=146] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =?macAddress=%{Connection:Client-Mac-Address-Hyphen}, error=No values for param=Connection:Client-Mac-Address-Hyphen
2019-12-04 11:44:10,663[HttpModule-ThreadPool-20-0x7f250d2d2700 r=W00000017-01-5de70f6a h=146] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from ?macAddress=%{Connection:Client-Mac-Address-Hyphen}
2019-12-04 11:44:10,663[HttpModule-ThreadPool-20-0x7f250d2d2700 r=W00000017-01-5de70f6a h=146] ERROR Http.HttpAutzSession - Failed to get value for attributes=Host Name, Is Found, OS Version]
2019-12-04 11:44:10,664[RequestHandler-1-0x7f248f5fa700 h=4287931 c=W00000017-01-5de70f6a] INFO Core.PETaskRoleMapping - Roles: Other], User Authenticated]

If I try to use it as the authorization source on my RADIUS authentication, I get the error:

 

2019-12-04 11:26:38,792[RequestHandler-1-0x7f248f5fa700 r=R0002bebc-01-5de70b4e h=4283947 c=R0002bebc-01-5de70b4e] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2019-12-04 11:26:38,793[HttpModule-ThreadPool-4-0x7f2519910700 r=R0002bebc-01-5de70b4e h=130] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404

 

I've enabled DEBUG logging in the extension, but nothing is generated in the logging:

[2019-12-03T13:38:31.210] [INFO] cylance - SSL Verification Enabled. (Config: "verifySSLCerts": true)
[2019-12-03T13:38:31.220] [INFO] cylance - Server listening on port 80
[2019-12-04T09:46:55.388] [DEBUG] cylance - Settings:
[2019-12-04T09:46:55.393] [DEBUG] cylance - {
"logLevel": "DEBUG",
"verifySSLCerts": true,
"cylanceSubDomain": "protectapi",
"cylanceTenantId": "*****",
"cylanceApplicationId": "*****",
"cylanceApplicationSecret": "**********",
"enableEndpointCache": false,
"cppmUserName": "<<ClearPass User Name>>",
"cppmPassword": "**********",
"enableEndpointFullSync": false,
"endpointSyncDelayMinutes": 10080,
"includeThreatSummary": false,
"fullSyncOnStart": false
}
[2019-12-04T09:46:55.394] [INFO] cylance - SSL Verification Enabled. (Config: "verifySSLCerts": true)
[2019-12-04T09:46:55.394] [DEBUG] cylance - The API Url for CPPM is https://172.17.0.1/api.
[2019-12-04T09:46:55.400] [INFO] cylance - Server listening on port 80

 

Anyone successfully implemented this?
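The two failures in the log above are different problems. In the Onboard application service the HTTP authorization source cannot build its query because `%{Connection:Client-Mac-Address-Hyphen}` has no value (a web login carries no RADIUS Calling-Station-Id), so the request is never sent; in the RADIUS service the path is built but the extension answers 404. The following is an added example, not Aruba or Cylance code: it mimics the placeholder substitution CPPM does when building the query path, normalises a MAC into the hyphenated form the `macAddress` parameter in the log implies (the lowercase hyphen format is an assumption), and triages copies of the log lines from this thread into those two causes. `SAMPLE_CPPM_LOG` is constructed from the lines posted above.

```python
"""Mimic CPPM's %{...} substitution for an HTTP authorization source and
triage the two error signatures seen in the thread. Added example only."""
import re
from typing import Dict, List, Optional, Tuple

# Placeholders look like %{Namespace:Attribute-Name} in the CPPM log.
_PARAM_RE = re.compile(r"%\{([^}]+)\}")

# Constructed copy of the relevant log lines from the thread (abridged).
SAMPLE_CPPM_LOG = """\
2019-12-04 11:44:10,663[HttpModule-ThreadPool-20] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =?macAddress=%{Connection:Client-Mac-Address-Hyphen}, error=No values for param=Connection:Client-Mac-Address-Hyphen
2019-12-04 11:44:10,663[HttpModule-ThreadPool-20] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from ?macAddress=%{Connection:Client-Mac-Address-Hyphen}
2019-12-04 11:26:38,793[HttpModule-ThreadPool-4] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404
"""


def normalize_mac_hyphen(mac: str) -> str:
    """Return a MAC as lowercase hyphen-separated octets (aa-bb-cc-dd-ee-ff).
    Accepts colon, hyphen, dot or bare-hex input; raises ValueError otherwise.
    Assumption: this is the form the extension's macAddress parameter expects."""
    hex_only = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hex_only):
        raise ValueError(f"not a MAC address: {mac!r}")
    hex_only = hex_only.lower()
    return "-".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def build_query_path(template: str, context: Dict[str, str]) -> Optional[str]:
    """Substitute every %{...} placeholder in template from the request context.
    Returns None when any placeholder has no value; that is the condition CPPM
    logs as 'Failed to construct path', and no HTTP request is made at all."""
    missing = [name for name in _PARAM_RE.findall(template) if name not in context]
    if missing:
        return None
    return _PARAM_RE.sub(lambda m: context[m.group(1)], template)


def triage_cppm_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Map the error signatures from the thread to a coarse cause.
    'missing-attribute': the request context lacks the named attribute, so the
    service type (web login vs 802.1X) is the problem, not the extension.
    'http-error': the path was built and sent; the extension replied with that
    status, so the extension URL/endpoint or its own lookup is the problem."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        m = re.search(r"No values for param=(\S+)", line)
        if m:
            findings.append(("missing-attribute", m.group(1)))
            continue
        m = re.search(r"HTTP attribute query returned error=(\d+)", line)
        if m:
            findings.append(("http-error", m.group(1)))
    return findings


if __name__ == "__main__":
    template = "?macAddress=%{Connection:Client-Mac-Address-Hyphen}"
    # 802.1X request: the NAS sent Calling-Station-Id, so CPPM has a MAC.
    dot1x_ctx = {"Connection:Client-Mac-Address-Hyphen": normalize_mac_hyphen("00:11:22:AA:BB:CC")}
    print("802.1X path :", build_query_path(template, dot1x_ctx))
    # Onboard web login as seen in the thread: no MAC in the Connection namespace.
    print("Onboard path:", build_query_path(template, {}))
    for kind, detail in triage_cppm_log(SAMPLE_CPPM_LOG.splitlines()):
        print(kind, detail)
```

Run it as a script to see the two outcomes side by side; a `None` path means the authorization source was attached to a service whose requests never carry the attribute it needs, which is why it only makes sense in an 802.1X (RADIUS) service.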

Guru Elite

Re: Cylance - Onboarding - Multiple auth source?

You'd only be able to use it in your Onboard Authorization service.

 

This type of flow isn't really recommended. If the devices are already under management, you shouldn't use Onboard Assisted Provisioning. OAP is designed for unmanaged devices.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Cylance - Onboarding - Multiple auth source?

Hi Tim,

 

 Thanks for the info - although I'm not sure I follow.

 

I can only use this in my onboard auth, but it's not a recommended flow?

 

Where would be the logical place to verify if the asset is compliant (with Cylance) before allowing connection? Wouldn't that be on the RADIUS auth?

Guru Elite

Re: Cylance - Onboarding - Multiple auth source?

Yes, these integrations are typically used in an 802.1X service.

 

Occasional Contributor II

Re: Cylance - Onboarding - Multiple auth source?

Thanks, that's where I tried on my second attempt.

 

However, I get "HTTP attribute query returned error=404" errors:

 

2019-12-04 11:26:38,792[RequestHandler-1-0x7f248f5fa700 r=R0002bebc-01-5de70b4e h=4283947 c=R0002bebc-01-5de70b4e] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2019-12-04 11:26:38,793[HttpModule-ThreadPool-4-0x7f2519910700 r=R0002bebc-01-5de70b4e h=130] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404

Guru Elite

Re: Cylance - Onboarding - Multiple auth source?

404 usually means the endpoint wasn't found.
