Frequent Contributor II

Fallback to local repository authentication on CPPM

Hi community,

Here's my situation: I have configured SSO onboarding with Microsoft Azure. During onboarding, each user's endpoint has been populated with attributes (including department, job title, email, etc.) that can be used for authorization. As a result, I have 2 authorization sources in total: Azure AD and the Endpoint Repository on CPPM.

I'm using Azure as the main authorization source, and everything works fine. But since Azure is cloud-based and can become vulnerable to Internet connectivity problems, I would like to configure CPPM to fall back to local authorization (the endpoint repository) in that case.

I've tested this by configuring the endpoint repository as the second authentication/authorization source in the 802.1X service, then configuring the firewall to silently drop packets to the Azure server, which I think should trigger CPPM to fall back to local authorization. But the result is that I simply cannot connect to the 802.1X SSID. There's not even a log on CPPM.

Am I missing something? Or is it just because this feature is not currently supported on CPPM?

Thank you,


Guru Elite

Re: Fallback to local repository authentication on CPPM

If you're using certificates with Azure Active Directory, there should be no dependency on an internet connection.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: Fallback to local repository authentication on CPPM

Hi Tim,

Yes, I'm using EAP-TLS and I understand that the authentication process is happening against the local database on CPPM, so there should be no dependency on an Internet connection for 802.1X authentication. But the authorization phase is using the Azure cloud as its source, and that's the reason I'd like to use the endpoint repository as a backup for Azure. Is this possible?

Thank you,

Guru Elite

Re: Fallback to local repository authentication on CPPM

Guess I’m not understanding how you’re using AAD as an authorization as there is no way to do that today.

Regarding authorization, you’d have to write additional rules that use other authorization sources.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: Fallback to local repository authentication on CPPM

Hi,

I'm just defining a new authentication source of type AD that points to the public address of Azure, and specifying other information such as Bind DN, Bind Password, etc. as you would do to define a normal authentication source (the connection type is AD over SSL). It works completely fine.

Back to my question, do you mean I have to define the endpoint repository alongside Azure AD in the 802.1X service?

Thank you,

Guru Elite

Re: Fallback to local repository authentication on CPPM

Hm. Azure Active Directory is not an LDAP-compliant directory and thus does not have an LDAP interface. Sounds like you’re running either AAD DS or a domain controller in Azure compute, neither of which are officially supported.

Yes, you’d need to write additional rules that reference the additional data.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: Fallback to local repository authentication on CPPM

Hi Tim,

As mentioned in my first post, I've tried writing additional rules and tested it (by configuring firewall rules to drop LDAP traffic to the Azure server) but with no success. Below is my configuration on CPPM, which used both Azure and the Endpoint Repository as authentication/authorization sources:

[Attached screenshots: 1.PNG, 2.PNG, 3.PNG, 4.PNG]

I'm not sure if my configuration is what you meant. Have you tested this fallback feature before with a positive result?

Thank you,

Guru Elite

Re: Fallback to local repository authentication on CPPM

You can't have any authentication sources defined. You can only handle this in authorization.

As I've mentioned, this is not a supported deployment.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: Fallback to local repository authentication on CPPM

Hi Tim,

I'm still confused. Can you clarify this statement: "You can't have any authentication sources defined. You can only handle this in authorization."? Do you mean I should not add the Endpoint Repository as an authentication source?

Thank you,
