Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Fallback to local repository authentication on CPPM

  • 1.  Fallback to local repository authentication on CPPM

    Posted Jan 02, 2018 10:10 PM

    Hi community,

    Here's my situation: I have configured SSO onboarding with Microsoft Azure. During onboard, each user's endpoint has been populated with attributes (including department, job title, email, etc.) that can be used for authorization. As a result, I have 2 authorization sources in total: Azure AD and Endpoint Repository on CPPM.

    I'm using Azure as the main authorization source, and everything works fine. But because Azure is cloud-based and therefore vulnerable to Internet connectivity problems, I would like to configure CPPM to fall back to local authorization (endpoint repository) in that case.

    I've tested this by configuring the endpoint repository as the second authentication/authorization source in the 802.1X service, then configuring the firewall to silently drop packets to the Azure server, which I think should trigger CPPM to fall back to local authorization. But the result is that I simply cannot connect to the 802.1X SSID. There isn't even a log on CPPM.

    Am I missing something? Or is it just because this feature is not currently supported on CPPM?

    Thank you,
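The fallback the post above describes, as an added illustration that is not part of the thread and not ClearPass code: a primary (cloud directory) lookup bounded by a hard timeout, a fall-back to locally stored onboarding attributes only when the primary is unreachable, and an explicit "not found" from a reachable primary still resulting in a deny. The MAC addresses, department-to-role mapping, the host name azure-ldaps.example and the two stand-in lookup functions are constructed for the example.

```python
"""Primary-then-local authorization with a hard timeout (added example)."""
import logging
import socket
from dataclasses import dataclass

log = logging.getLogger("authz-fallback")


class SourceUnavailable(Exception):
    """Primary authorization source gave no usable answer (timeout, refused, TLS error)."""


# Constructed sample data: attributes written to the local endpoint repository
# during onboarding, keyed by endpoint MAC address (hypothetical values).
LOCAL_ENDPOINT_REPO = {
    "aa-bb-cc-dd-ee-01": {"department": "Finance", "title": "Analyst"},
    "aa-bb-cc-dd-ee-02": {"department": "IT", "title": "Engineer"},
}
ROLE_BY_DEPARTMENT = {"Finance": "Finance-Users", "IT": "IT-Staff"}  # constructed
DENY = "Deny"


def ldaps_reachable(host, port=636, timeout_s=2.0):
    """TCP-level reachability probe with an explicit timeout.

    A firewall that silently drops packets (the test in the thread) sends no
    RST, so without a bound connect() waits for the OS's own TCP timeout,
    long after the supplicant's EAP timer has expired.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


@dataclass
class Decision:
    role: str
    source: str   # "primary", "local" or "none"
    reason: str


def authorize(mac, primary_lookup, local_repo=LOCAL_ENDPOINT_REPO):
    """Choose a role from the primary source; use the local repository only
    when the primary is unreachable.

    primary_lookup(mac) returns an attribute dict, None if the endpoint is
    unknown to the directory, or raises SourceUnavailable on no answer.
    """
    try:
        attrs = primary_lookup(mac)
        source = "primary"
    except SourceUnavailable as exc:
        # The outage itself is a signal worth alerting on, so log it loudly.
        log.warning("primary authz source unavailable (%s); using local repository for %s", exc, mac)
        attrs = local_repo.get(mac)
        source = "local"

    if attrs is None:
        # An explicit "not found" from a reachable primary must NOT fall back:
        # a user removed from the directory would otherwise keep access from
        # stale onboarding attributes.
        return Decision(DENY, "none", f"no attributes from {source} source")

    department = attrs.get("department")
    return Decision(ROLE_BY_DEPARTMENT.get(department, DENY), source, f"department={department}")


# Constructed stand-ins for the directory query (a real one would be an LDAPS search).
def cloud_lookup_ok(mac):
    return {"department": "Finance"} if mac == "aa-bb-cc-dd-ee-01" else None


def cloud_lookup_dropped(mac):
    # Simulates the firewall test: packets dropped, nothing answers in time.
    raise SourceUnavailable("connect to azure-ldaps.example:636 timed out after 2.0s")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for lookup in (cloud_lookup_ok, cloud_lookup_dropped):
        for mac in ("aa-bb-cc-dd-ee-01", "aa-bb-cc-dd-ee-02", "aa-bb-cc-dd-ee-99"):
            print(lookup.__name__, mac, authorize(mac, lookup))
```

The separation between "source unreachable" and "subject not found" is the design point: falling back on any failure would let a deprovisioned account keep the role it was onboarded with, whereas falling back only on unreachability preserves availability without weakening revocation.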


  • 2.  RE: Fallback to local repository authentication on CPPM

    EMPLOYEE
    Posted Jan 03, 2018 12:24 AM
    If you're using certificates with Azure Active Directory, there should be no dependency on an internet connection.


  • 3.  RE: Fallback to local repository authentication on CPPM

    Posted Jan 03, 2018 06:36 AM

    Hi Tim,

    Yes, I'm using EAP-TLS and I understand that the authentication process happens against the local database on CPPM, so there should be no dependency on an Internet connection for 802.1X authentication. But the authorization phase uses the Azure cloud as its source, and that's the reason I'd like to use the endpoint repository as a backup for Azure. Is this possible?

    Thank you,



  • 4.  RE: Fallback to local repository authentication on CPPM

    EMPLOYEE
    Posted Jan 03, 2018 06:39 AM
    Guess I’m not understanding how you’re using AAD as an authorization source, as there is no way to do that today.

    Regarding authorization, you’d have to write additional rules that use other authorization sources.


  • 5.  RE: Fallback to local repository authentication on CPPM

    Posted Jan 03, 2018 07:10 AM

    Hi,

    I'm just defining a new authentication source of type AD that points to the public address of Azure, and specifying other information such as Bind DN, Bind Password, etc., as you would do to define a normal authentication source (the connection type is AD over SSL). It works completely fine.

    Back to my question, do you mean I have to define endpoint repository alongside Azure AD in the 802.1X service?

    Thank you,



  • 6.  RE: Fallback to local repository authentication on CPPM

    EMPLOYEE
    Posted Jan 03, 2018 07:13 AM
    Hm. Azure Active Directory is not an LDAP-compliant directory and thus does not have an LDAP interface. Sounds like you’re running either AAD DS or a domain controller in Azure compute, neither of which is officially supported.

    Yes, you’d need to write additional rules that reference the additional data.


  • 7.  RE: Fallback to local repository authentication on CPPM

    Posted Jan 06, 2018 12:11 AM

    Hi Tim,

    As mentioned in my first post, I've tried writing additional rules and tested it (by configuring firewall rules to drop LDAP traffic to the Azure server) but with no success. Below was my configuration on CPPM, which used both Azure and the Endpoint Repository as authentication/authorization sources:

    [attached screenshots: 1.PNG, 2.PNG, 3.PNG, 4.PNG]

    I'm not sure if my configuration was as you meant. Have you tested this fallback feature before with positive result?

    Thank you,



  • 8.  RE: Fallback to local repository authentication on CPPM

    EMPLOYEE
    Posted Jan 06, 2018 08:28 AM
    You can't have any authentication sources defined. You can only handle this in authorization.

    As I've mentioned, this is not a supported deployment.


  • 9.  RE: Fallback to local repository authentication on CPPM

    Posted Jan 07, 2018 09:38 PM

    Hi Tim,

    I'm still confused. Can you clarify this statement: "You can't have any authentication sources defined. You can only handle this in authorization."? Do you mean I should not add Endpoint Repository in the authentication source?

    Thank you,