Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Extracting client mac address using ClearPass API

  • 1.  Extracting client mac address using ClearPass API

    Posted Oct 24, 2017 09:56 AM

    Hi,

    I've got a number of devices using eap-tls to authenticate to our network. I'd like to use the clearpass (6.6.8) API to extract the client mac address (endpoint's mac address) using the cert CN as a filter.

     

    e.g. for information displays on campus, we generate a cert with CN=info-display-abcd.

     

    Looking in Policy Manager/Access-Tracker you can see the username=CN=info...... 

     

    Is this doable? 

     

    Anyone got an example?

    Rgds

    Alex

     

     



  • 2.  RE: Extracting client mac address using ClearPass API

    EMPLOYEE
    Posted Oct 24, 2017 10:06 AM
    Where in ClearPass are you trying to extract data from? I'm confused.


  • 3.  RE: Extracting client mac address using ClearPass API

    Posted Oct 24, 2017 10:38 AM

    I'd like to access either the Policy Manager / Access Tracker info ... or possibly insight info.

     

    The theory is 

     

    1). User configures eap-tls on client using the Cloudpath onboarding system

    2). Cloudpath writes some info about the configuration process into a postgresql database

    3). Client authenticates to wifi/wired against our clearpass server

    4). At some point a php app reads database and extracts cert CN attribute

    ==== Hopefully this bit is where the magic happens ====

    5). php performs API call to clearpass to get client mac address from clearpass. Don't care where it's from, policy-manager / access-tracker or insight, whichever is possible.

    6). php app writes info into endpoints db /<macaddress> entry 

    We've created a batch of local attributes which save client-specific info in endpoints.

    A

     

     



  • 4.  RE: Extracting client mac address using ClearPass API

    EMPLOYEE
    Posted Oct 24, 2017 10:47 AM

    Access tracker logs are not available via the API. Regarding your endpoint question, yes you can add any information that you like to an endpoint via the REST API.

     

    I'm struggling to understand the overall goal here. Why not just use the external database as an authorization source instead of having static data in two places?



  • 5.  RE: Extracting client mac address using ClearPass API

    Posted Oct 24, 2017 11:08 AM

    > Access tracker logs are not available via the API. Regarding your endpoint question, yes you can add any information that you like to an endpoint via the REST API.

    That's a shame, and yes I know you can add stuff, I'm doing it now. What about insight, can we query that to get the client mac address from the CN used in an auth?

     

    > I'm struggling to understand the overall goal here. Why not just use the external database as an authorization source instead of having static data in two places?

    Because we're trying to get clearpass as independent of 3rd party "stuff" as possible. We use 3rd party auth sources at the moment. A few months ago we had an issue with an external db that failed and caused clearpass to block auth requests and send back access-rejects. Just making sure that it doesn't happen again.

     

    We have an IPAM system that's going to use the API interface to assign numeric vlan numbers to specific mac addresses (local attribute UoY_VLAN, which we then send back in access-accept packet) and I'm trying to populate some other locally defined attributes to implement a very very basic asset system (basically when someone configures a device to use eap-tls, information display, door entry system etc. we want the endpoints db to have local attributes to say something of the form "This cert was installed on this mac address and it's in this building on this floor in this room").

    The onboard system only has access to the client mac address if you use their installation app. If you use a .mobileconfig file (which we do for macos/ios) then we don't have the mac address. I'm therefore trying to jump through hoops to get hold of the client mac address by other means. Thought I could use the API to get hold of info from clearpass.

     

    Bit of a lengthy topic to discuss in a post.

     



  • 6.  RE: Extracting client mac address using ClearPass API

    EMPLOYEE
    Posted Oct 24, 2017 02:10 PM
    The common name is not the user's username?