Moderator

Re: Infoblox as Auth Source for ClearPass?

Reading your ask, as I read this you want CPPM to authN the user, then have CPPM tell Infoblox it's OK to provide an IP address to the user we just authorized. That piece is already in place. CPPM, as part of the authN, will decide based upon the usual authZ context of the user/device combination which VLAN/ACL/dACL/Role is applied.

 

Am I missing something?


Best Regards
-d

ClearPass Product Manager

New Contributor

Re: Infoblox as Auth Source for ClearPass?

Hi,

I am just explaining my issue again. I mean that the customer is actually using Infoblox to insert all user entries in the database (MAC/IP address) necessary for firewall rules (based on IP address).

For each new user this action is realized.

But now we have CPPM for 802.1X and MAC authentication, and we don't want to insert 2 entries in each product.

We are looking for a way to check and verify, without creating a static host list on CPPM, by creating a connection to Infoblox (REST API/JSON) to check and verify information like the MAC address, and if that matches then you obtain your VLAN ID and your IP address.

 

For the moment nothing permits resolving this issue; maybe in a future release.

 

Regards.

Guru Elite

Re: Infoblox as Auth Source for ClearPass?

Yes, as I mentioned, you will be able to do this in a future release.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Infoblox as Auth Source for ClearPass?

Hi Tim

Can you already release more information about the time schedule?

Will this feature be released by Q1 2018 already?

Best regards

 

Guru Elite

Re: Infoblox as Auth Source for ClearPass?

Reach out to your Aruba account team.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

New Contributor

Re: Infoblox as Auth Source for ClearPass?

You can take a look at the Outbound API feature, which is available starting with NIOS 8.0, but I'll recommend using NIOS 8.1 or the latest NIOS 8.2.2.

Outbound API allows you to trigger a template execution (a JSON file which implements a workflow) by an event. The template can make REST API calls to 3rd party systems or send notifications over McAfee DXL/OpenDXL fabric.

Right now IPAM events (Add/Modify/Delete of Network, Range, Host, FixedIP/Reservation, Lease) and DNS Security (RPZ hit, Tunneling) are supported.

Vadim

Guru Elite

Re: Infoblox as Auth Source for ClearPass?

Here you go:

 

https://github.com/aruba/clearpass-exchange-snippets/tree/master/ipam/infoblox-authz


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

New Contributor

Re: Infoblox as Auth Source for ClearPass?

Hi,

Thank you Tim for your answer and your good job.

A really good explanation from your GitHub space.

However, we also want to check, before authenticating the user (because we are using MAC auth on the switch port), the MAC address and IP address in order to assign the right VLAN ID.

We changed the Authorization Mapping Rules to check attributes like the MAC filter, but we also want to check the beginning of the IP address to then determine the VLAN ID to assign on the switch port.

Is it possible to assign the VLAN ID from ClearPass if the MAC address and, for example, the beginning of the IP address exist on Infoblox?

Do you have an idea how to solve this issue?

https://ipam.illinois.edu/wapidoc/objects/macfilteraddress.html

 

Thanks in advance.

Regards.

Guru Elite

Re: Infoblox as Auth Source for ClearPass?

I'm not fully understanding what you're trying to do, but any information from Infoblox available via the API and found with the MAC address record should be able to be used.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

New Contributor

Re: Infoblox as Auth Source for ClearPass?

Hi,

I'm sorry for my explanation; please find below captures of CPPM and the API GET request with the attribute "mac" to use for authorization.

When a user wants to connect to the network, I verify the 802.1X certificate and check the availability of the MAC address in Infoblox. After that I want to assign the right VLAN ID, because all ports are in 802.1X across my whole switch network. Please tell me how it is possible to check the MAC address and also assign the right VLAN ID for fixed IP addresses in different subnets?

Thanks in advance.

Attachments: mac-filter.jpg, Infoblox-Auth-Source.jpg, role-mapping-rules.jpg
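
The decision asked about in the post above (MAC address found in Infoblox, then VLAN ID chosen from the subnet of its fixed IP), sketched as an added example that is not part of the thread or of the linked Aruba snippet. The records are constructed and only shaped like WAPI `fixedaddress` search results; the subnet-to-VLAN table and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample shaped like an Infoblox WAPI `fixedaddress` search
# result (fields _ref, ipv4addr, mac); not captured from a real grid.
SAMPLE_WAPI_RESULT = [
    {"_ref": "fixedaddress/EXAMPLE1:10.20.30.15/default",
     "ipv4addr": "10.20.30.15", "mac": "aa:bb:cc:00:11:22"},
    {"_ref": "fixedaddress/EXAMPLE2:10.20.40.7/default",
     "ipv4addr": "10.20.40.7", "mac": "aa:bb:cc:00:33:44"},
]

# Hypothetical subnet-to-VLAN plan; replace with the site's own table.
SUBNET_TO_VLAN = {
    ipaddress.ip_network("10.20.30.0/24"): 130,
    ipaddress.ip_network("10.20.40.0/24"): 140,
}


def normalize_mac(mac):
    """Return lowercase colon-separated MAC, or None if it is not a MAC."""
    digits = re.sub(r"[:.\-]", "", mac or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_for_mac(mac, records, table=SUBNET_TO_VLAN):
    """Return the VLAN ID for a registered MAC, or None to reject."""
    wanted = normalize_mac(mac)
    if wanted is None:
        return None
    matches = [r for r in records if normalize_mac(r.get("mac")) == wanted]
    if len(matches) != 1:
        return None  # unknown or ambiguous MAC: fail closed
    try:
        address = ipaddress.ip_address(matches[0]["ipv4addr"])
    except (KeyError, ValueError):
        return None  # record without a usable address
    for network, vlan in table.items():
        if address in network:
            return vlan
    return None  # address outside every mapped subnet
```
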
