Infoblox Exchange Cybersecurity Roadshow 2020 – Join us!
North America | Europe | Middle East/Africa | Asia-Pacific

HPE Aruba

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
[ Edited ]
Moderator
Posts: 68
Registered: ‎06-21-2017
Moderator kzettel
Moderator
Posts: 67

Hello,

 

Infoblox and Aruba ClearPass: Securing Network Access Control

From IoT to an always-on mobile workforce, organizations face increasingly complex IT infrastructures that are more exposed to attacks than ever before. By combining Infoblox’s DNS security and network visibility with Aruba’s control on the network, users can automate their network.

 

  • Visibility, Control, Response:

Malicious insiders and IoT-based attacks continue to grow, bypassing your perimeter security defenses. With Infoblox and Aruba integration you are able to automate the defense.

 

  • Certified secure. The best defense for wired and wireless connections:

Malware have become increasingly intelligent, using the DNS in over 90% of its campaigns. With Infoblox and Aruba integration you are more protected then ever from DNS attacks and data exfiltration via DNS.

 

  • Identify what’s on your multi-vendor wired and wireless network:

Automatic population of your Aruba ClearPass endpoints list with Mac address’s that are found by Infoblox so that you can see every network asset with unmatched clarity, context, and insight.

 

The integration was developed in collaboration with HPE Aruba.

 

In the attached documents you will find the templates for the Aruba ClearPass integration in PDF and txt format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before implementing them into production.

 

The templates require extensible attributes described in the table below. It is recommended to inherit attributes with the default values from the network view level.

 

Extensible Attributes

Description

Aruba_LastSecurityEvent

Provides the last time a security event was sent to Aruba ClearPass.

Aruba_Location

Custom field. Determines the location field or the Aruba ClearPass endpoint upon creation.

Aruba_Secure

True or False. Defines if security attributes should be updated/added to an endpoint.

Aruba_Sync

True or False. Defines if an asset should be added to Aruba ClearPass.

Aruba_SyncedAt

Provides the last time an asset was added/modified on Aruba ClearPass.

 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi,

 

Does anyone get this working at all ?

 

>I have have built a grid with NIOS within it

> Configured the API username within clearpass and applied the token into the respective areas within Infoblox (Session and outbound endpoint)

 

The only thing I get from is a communication query from Infoblox and nothing sent which would indicate a write action

 

Any help would appreciated ! 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Adviser
Posts: 154
Registered: ‎09-09-2015
Adviser
Posts: 136

It does work in our lab. 

If you can provide a debug log (you need to turn on debugging) I'll take a look. Please do not forget to ananymize private information like IPs, usernames.

 

 

Vadim

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi,

 

Thanks for the reply !

 

Just to confirm the version of clearpass I am running is 6.8 

 

Here is the log (attached cppm) from clearpass it shows communication from the Infoblox appliance but this is only a communcation and not a write command (the write command is ID 201)

 

Also attached is the log confirming that the host has been made in IPAM but it never reaches clearpass ?

 

 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Adviser
Posts: 154
Registered: ‎09-09-2015
Adviser
Posts: 136

Please attach the endpoint debug log from Infoblox. You need to click on the action button next to the Aruba Endpoint and download the log.

You may clear the log before doing a test to reduce the file size.

Don't forget to set "Log Level" to "Debug" on the endpoint.

 

Vadim

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi,

 

Please find attached the debug logs

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Adviser
Posts: 154
Registered: ‎09-09-2015
Adviser
Posts: 136

Here is the error:

 

[2019/10/17 13:09:49.711964] infoblox.localdomain (DEBUG): Sending a 'GET' request within connection: protocol='https', host='xx.xx0.199', port='443', path='/wapi/v2.7/discovery:device?address=xx.xx.xxx.111&_return_fields=name,description,os_version,chassis_serial_number,model,ms_ad_user_data,type,vendor,interfaces', headers={'Content-Type': 'application/json', 'Cookie': '[*********]', 'Accept': 'application/json', 'Authorization': '[*********]'}, body='(no body)'.
[2019/10/17 13:09:49.712043] infoblox.localdomain (DEBUG): Request timeout is 30
[2019/10/17 13:10:19.828025] infoblox.localdomain (ERROR): Socket error during communication with external server: The read operation timed out
[2019/10/17 13:10:19.849726] infoblox.localdomain (DEBUG): Request execution failed. retry

Are you running it on GMC? Can GMC communicate with GM via 443/tcp (https)? 

 

Vadim

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Sorry I am unsure what  GMC is 

 

My envrioment is a GM with another appliance installed (to provide the network discovery) 

 

They both both installed on my esxi and there is nothing blocking any traffic with that ?

 

Many thanks for your help on this

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Adviser
Posts: 154
Registered: ‎09-09-2015
Adviser
Posts: 136

GMC - Grid Master Candidate.

 

In the previous post I've quoted the error. The template can not connect to your GM, the request is timed out. Which is not really expected. 

Did you provision WAPI credentials? 

 

Vadim

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi,

 

The WAPI crednetials I am using are the admin superuser credentials

 

I have verified also that the API allowed has been enabled within the role 

 

Many Thanks 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi,

 

The issue is now resolved

 

From looking at the debug I forgot to set the attribute 'Aruba sync' to true !

 

 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi,

 

Just wondering if there is a way of adding the mac address with attiributes from infoblox to clearpass without having the need to add an IP address to it ?

 

Many Thanks as always ! 

 

 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Moderator
Posts: 68
Registered: ‎06-21-2017
Moderator kzettel
Moderator
Posts: 67

Hello allied_assult,

 

you would need to modify the templates. So of course this is 100% possible with minor modifications.

 

hope this helps,

 

Kevin Zettel

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi kzettel,

 

Many Thanks for your quick repsponce

 

Within our enviroment we are using the templates which are all still left as 'default' and currently working 

 

Could you point out which template would require changing so we would only need to add the mac address in order send it to clearpass via the API ?

 

Many Thanks for your help !

 

 

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Moderator
Posts: 68
Registered: ‎06-21-2017
Moderator kzettel
Moderator
Posts: 67

Hello,

 

technicaly all of them... they shouldn't need to send the IP address for it to work so deleting the sending of the IP address on the POST/PUT steps should suffice.

 

It's a simple deletion of a few lines and you wont see the IP on the Aruba Clearpass anymore.

 

If you are worried about causing errors you can also just delete the input value but leave the "tag"(don't remeber what Aruba calls them) so that they are just empty "".

 

hope this helps,

Kevin Zettel

Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Member
Posts: 9
Registered: ‎09-30-2019
Posts: 9

Hi Kevin,

 

from just adding a mac address into the Infoblox it always requires to add an IP address within the fields on the 'add host' section

 

From this point the templates from the API are not even touched ?

 

Many Thanks

 

 

Highlighted
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Moderator
Posts: 68
Registered: ‎06-21-2017
Moderator kzettel
Moderator
Posts: 67

Hello,

 

I don't really understand your quesiton? not sure what you mean by "add host" section.

 

IP's must always be added to Infoblox as it is a DDI appliance. DDI requires a IP address.

 

however Aruba ClearPass requires only a MAC address, this is because it is a a NAC appliance.

 

As such:

1. when an asset on Infoblox is added or updated, the information (which includes the MAC and IP) will be sent to Aruba. 

 

2. Aruba recieves all the informaiton (MAC+IP address). However Aruba only needs the MAC address.

 

3. you may remove the information from the Infoblox Ecosystem template that removes the IP address informaiton.

 

4. you must add an IP address when adding assets to Infolbox, so removing the IP address when adding a host (or anything else) to Infoblox isn't possible.

 

hope this helps,

 

Kevin Zettel

Showing results for 
Search instead for 
Do you mean