Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Policy Manager integrate with Checkpoint Firewall

  • 1.  ClearPass Policy Manager integrate with Checkpoint Firewall

    Posted 19 days ago

    ClearPass Policy Manager issues when integrating with CheckPoint Firewall via Identity Awareness

    Configuration steps in ClearPass

    Create an Endpoint Context Server and target it to the Checkpoint gateway

    Created context server login/logout actions (just one of them is below). Provided them with the shared secret inside the JSON content and linked them to the Check Point context server.

    Created HTTP based enforcement profile with necessary attributes:

    Linked this enforcement profile as action in our web auth policy:

    Then I tried to log in a user at the OnGuard Agent and checked the log in Access Tracker; result:

    But NO Identity Awareness log was sent to Checkpoint. I checked the logs collected from the server, but there was no send request from ClearPass.

    Postauthctrl.log

    Am I missing some steps? How can I debug this part?

    Then I tried to replace the Content tab like this:

    Then I tried to force sending the API at Access Tracker --> Server Actions but got Error: 500 Internal Error

    How can ClearPass detect the IP address of the user to send to Checkpoint? Kindly help me to debug, thanks!



  • 2.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    EMPLOYEE
    Posted 19 days ago

    Do you have accounting setup and working, including 'log interim accounting'?

    Do you see the Client IP address in Access Tracker under accounting?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    Posted 19 days ago

    Hi Herman, thanks for your reply. For your questions:

    Do you have accounting setup and working, including 'log interim accounting'? - Nope. We don't have an AD server, so we only use an LDAP server to authenticate user login to the OnGuard Agent. So now, per your questions, we must configure accounting for the CPPM system, right?




  • 4.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    EMPLOYEE
    Posted 19 days ago

    I'm unsure if this integration works with just OnGuard; it normally is based on network authentication (802.1X or MAC-AUTH) and accounting information.

    As this is a quite uncommon deployment, you may check with Aruba TAC if they know if this may work.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    Posted 15 days ago

    Hi, I opened a case with TAC but they always send old reference documents ... for now I just need to test how to send the user's info to CheckPoint with only ip-address, username and role, but there is no way for CPPM to search for this info ....

    Edited: Now we're partically about content to send to Checkpoint, but how do we configure ClearPass to automatically trigger sending the API? In Access Tracker I got the result of RADIUS Response or Application Response, but nothing is sent to Checkpoint.




  • 6.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    Posted 13 days ago

    Update on my issue: currently, we have resolved the issue for ClearPass to automatically send an API to Checkpoint. However, we are encountering an issue with the content that ClearPass sends. ClearPass is unable to retrieve the IP address value of the endpoint to include in the content, as shown in the Wireshark message below.

    So how can ClearPass send user information (ip address, username, etc.)? Or do I need to create a new library for the Endpoint so that the Context Server can reference it?



  • 7.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    EMPLOYEE
    Posted 8 days ago

    ClearPass will need to know/learn the client IP address through (RADIUS) Accounting. Do you see in Access Tracker an Accounting tab? Does it show the client's IP address there?

    RADIUS Accounting needs to be enabled on your switch/AP/controller.

    In ClearPass make sure that 'Log Interim-Accounting' is enabled as well to process accounting updates and not only the start-stop.

    If you see %{ip} that means that there is no IP information for that client.



    ------------------------------
    Herman Robers
    ------------------------------
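
Added example, not part of the thread and not ClearPass or Check Point code: a check for the symptom described in reply 7, run over a JSON request body copied from a packet capture, that reports any `%{...}` token that went out unresolved. The function name `check_body`, the `user` key and both sample bodies are constructed for illustration; only `shared-secret` and `ip-address` are named in the thread.

```python
import ipaddress
import json
import re

# ClearPass-style substitution token such as %{ip}. A literal token in the
# body that was sent means the variable was never resolved.
PLACEHOLDER = re.compile(r"%\{[^}]+\}")


def check_body(body: str, ip_field: str = "ip-address") -> list[str]:
    """Return the problems found in one captured JSON request body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]

    problems = []

    def walk(value, path):
        # Visit every string in the document, including nested lists/objects.
        if isinstance(value, dict):
            for key, item in value.items():
                walk(item, f"{path}.{key}" if path else key)
        elif isinstance(value, list):
            for index, item in enumerate(value):
                walk(item, f"{path}[{index}]")
        elif isinstance(value, str):
            for token in PLACEHOLDER.findall(value):
                problems.append(f"{path}: unresolved placeholder {token}")

    walk(doc, "")

    ip = doc.get(ip_field)
    if ip is None:
        problems.append(f"{ip_field}: missing")
    elif not PLACEHOLDER.search(str(ip)):  # placeholders were reported above
        try:
            ipaddress.ip_address(str(ip))
        except ValueError:
            problems.append(f"{ip_field}: not an IP address: {ip!r}")
    return problems


# Constructed sample bodies (assumed layout, secret value redacted).
BAD = '{"shared-secret": "REDACTED", "ip-address": "%{ip}", "user": "alice"}'
GOOD = '{"shared-secret": "REDACTED", "ip-address": "192.0.2.10", "user": "alice"}'

if __name__ == "__main__":
    for name, body in (("bad", BAD), ("good", GOOD)):
        print(name, check_body(body) or "ok")
```
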



  • 8.  RE: ClearPass Policy Manager integrate with Checkpoint Firewall

    Posted 3 hours ago

    I have worked with Aruba TAC and there is no way for HTTP Based Enforcement to encapsulate User information during the Authentication process to send to CheckPoint. Therefore, I must revert to the option of using the Session Notification Enforcement profile with RADIUS Accounting. 

    So currently, I am confused about integrating with the RADIUS server. How do I connect ClearPass and Checkpoint Firewall with RADIUS? How do I configure ClearPass? How can there be an accounting service when a user logs in to OnGuard? Please help me :)