Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Rapid Updates and Endpoint Repository Caching Issue?


    Posted Jun 18, 2016 11:29 AM

    Environment:  ClearPass 6.5.x appliances; EfficientIP (IPAM) appliances; Ruckus CloudPath for onboarding.

     

    Scenario:  

    We encourage users who have never used our network before to connect to the WPI-Wireless-Setup SSID.  In the background this creates a CPPM EndPoint for the device - it sets a default IPAM-AdminStatus attribute to Unknown.  

     

    The user is herded to the CloudPath server, which does all the certificate provisioning and device configuring for our EAP-TLS network.  At the same time, CloudPath sends a URL request to EfficientIP.

     

    EfficientIP takes this URL request and creates an entry in our IPAM.  EfficientIP marks the entry as IPAM-AdminStatus OK.  This triggers a rule which accesses the CPPM EndPoint database via the XML-RPC API and changes the IPAM-AdminStatus from Unknown to OK.

     

    CloudPath has now finished and has the device disconnect from the WPI-Wireless-Setup SSID and connect to WPI-Wireless.  When the device connects, ClearPass runs through an "Aruba 802.1X Wireless" service.  The Enforcement "Use Cached Results" is disabled.  One thing this service does is check the value of IPAM-AdminStatus and either returns a VLAN of QuickReg (which for us means that the device is unknown) or returns no VLAN and relies on the default VLAN of the SSID as set on the controller.

     

    Issue:

    This process works flawlessly *if* the transition from WPI-Wireless-Setup to WPI-Wireless is more than 5 minutes.

     

    If the transition takes seconds (like it's supposed to), CPPM believes that the IPAM-AdminStatus value is still Unknown and puts the device on the QuickReg VLAN.

     

    Solution?

    We believe that this is due to the Cache Timeout on the Endpoint Repository.  A similar problem was reported in http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Authorization-Attributes-and-Policy-Evaluation-Cache/td-p/252031

    Questions:

    a) What is the risk of lowering the Cache Timeout on the Endpoint Repository?  How low can it be?  How low *should* it be?

    b) Is there an API call (XML-RPC, SOAP or REST) which will clear the Cache for a single Endpoint?  This could be applied to our EfficientIP to ClearPass integration to ensure that the most up to date information is available to the CPPM Service.

    c) Is there another caching mechanism we should be looking at reducing to solve this issue?

     

    Thanks!
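The race the post describes, as an added example that is not part of the original post and not ClearPass code: a constructed endpoint store fronted by a per-MAC TTL read cache (standing in for the Endpoint Repository authorization-source cache, whose real internals are not modelled here), a write path that updates the stored attribute without touching the cache (standing in for the XML-RPC update EfficientIP performs), and an enforcement function that maps IPAM-AdminStatus to a VLAN the way the post's 802.1X service does. The 300-second default timeout, the assumption that the onboarding flow's authorization lookup is what primes the cache, the MAC address, and the `invalidate()` per-endpoint clear (the call question b asks whether ClearPass exposes) are all assumptions of this example. Running the same timeline with a long timeout, a short timeout, and an explicit invalidation shows why a reconnect within the timeout lands on QuickReg while a reconnect after it does not.

```python
"""Constructed model of a stale authorization-attribute read behind a TTL cache.

Not ClearPass code. Times are seconds relative to endpoint creation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class EndpointRepository:
    """Backing store plus a per-MAC read cache with a fixed TTL in seconds."""
    cache_timeout: float = 300.0  # assumed default; the post asks how low it can go
    _store: Dict[str, Dict[str, str]] = field(default_factory=dict)
    _cache: Dict[str, Tuple[float, Dict[str, str]]] = field(default_factory=dict)

    def create(self, mac: str) -> None:
        # Setup-SSID onboarding creates the endpoint with the default attribute.
        self._store[mac] = {"IPAM-AdminStatus": "Unknown"}

    def update(self, mac: str, attr: str, value: str) -> None:
        # Write path (the XML-RPC update). Deliberately does NOT touch the cache:
        # that is the behaviour the post is hitting.
        self._store[mac][attr] = value

    def invalidate(self, mac: str) -> None:
        # Hypothetical per-endpoint cache clear; whether ClearPass offers one
        # is exactly question b in the post.
        self._cache.pop(mac, None)

    def lookup(self, mac: str, now: float) -> Dict[str, str]:
        # Read path used by policy evaluation: serve from cache while fresh,
        # otherwise re-read the store and refresh the cache entry.
        hit = self._cache.get(mac)
        if hit is not None and now - hit[0] < self.cache_timeout:
            return hit[1]
        attrs = dict(self._store[mac])
        self._cache[mac] = (now, attrs)
        return attrs


def enforce(repo: EndpointRepository, mac: str, now: float) -> Optional[str]:
    """QuickReg VLAN unless IPAM-AdminStatus is OK; None means 'use SSID default'."""
    status = repo.lookup(mac, now).get("IPAM-AdminStatus", "Unknown")
    return None if status == "OK" else "QuickReg"


def run_scenario(cache_timeout: float, reconnect_delay: float,
                 clear_on_update: bool = False) -> Optional[str]:
    """Replay the post's timeline and return the VLAN the second auth gets."""
    repo = EndpointRepository(cache_timeout=cache_timeout)
    mac = "00-11-22-33-44-55"  # constructed
    repo.create(mac)
    # t=1: authorization lookup during onboarding primes the cache with Unknown
    # (assumption: some service reads the endpoint before the attribute flips).
    enforce(repo, mac, now=1.0)
    # EfficientIP's rule flips the attribute in the store.
    repo.update(mac, "IPAM-AdminStatus", "OK")
    if clear_on_update:
        repo.invalidate(mac)
    # Device reconnects to the production SSID after reconnect_delay seconds.
    return enforce(repo, mac, now=1.0 + reconnect_delay)


if __name__ == "__main__":
    print("fast reconnect, 300s cache:", run_scenario(300.0, 10.0))   # QuickReg (stale)
    print("slow reconnect, 300s cache:", run_scenario(300.0, 400.0))  # None (fresh read)
    print("fast reconnect, 5s cache:  ", run_scenario(5.0, 10.0))     # None
    print("fast reconnect + clear:    ", run_scenario(300.0, 10.0, clear_on_update=True))  # None
```

The model makes the trade-off behind question a concrete: shortening `cache_timeout` only narrows the window, so a reconnect faster than the timeout still reads the stale value, whereas invalidating the entry on the write path removes the window entirely at the cost of one extra repository read per onboarding.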