INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Hello,
Infoblox and Aruba ClearPass: Securing Network Access Control
From IoT to an always-on mobile workforce, organizations face increasingly complex IT infrastructures that are more exposed to attacks than ever before. By combining Infoblox’s DNS security and network visibility with Aruba’s control on the network, users can automate their network.
- Visibility, Control, Response:
Malicious insiders and IoT-based attacks continue to grow, bypassing your perimeter security defenses. With Infoblox and Aruba integration you are able to automate the defense.
- Certified secure. The best defense for wired and wireless connections:
Malware has become increasingly intelligent, using the DNS in over 90% of its campaigns. With Infoblox and Aruba integration you are more protected than ever from DNS attacks and data exfiltration via DNS.
- Identify what’s on your multi-vendor wired and wireless network:
Automatic population of your Aruba ClearPass endpoints list with MAC addresses that are found by Infoblox so that you can see every network asset with unmatched clarity, context, and insight.
The integration was developed in collaboration with HPE Aruba.
In the attached documents you will find the templates for the Aruba ClearPass integration in PDF and txt format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before implementing them into production.
The templates require extensible attributes described in the table below. It is recommended to inherit attributes with the default values from the network view level.
| Extensible Attributes | Description |
| --- | --- |
| Aruba_LastSecurityEvent | Provides the last time a security event was sent to Aruba ClearPass. |
| Aruba_Location | Custom field. Determines the location field or the Aruba ClearPass endpoint upon creation. |
| Aruba_Secure | true or false. Defines if security attributes should be updated/added to an endpoint. |
| Aruba_Sync | True or False. Defines if an asset should be added to Aruba ClearPass. |
| Aruba_SyncedAt | Provides the last time an asset was added/modified on Aruba ClearPass. |
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
10-15-2019 09:55 AM
Hi,
Does anyone get this working at all ?
> I have built a grid with NIOS within it
> Configured the API username within clearpass and applied the token into the respective areas within Infoblox (Session and outbound endpoint)
The only thing I get from is a communication query from Infoblox and nothing sent which would indicate a write action
Any help would be appreciated !
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
It does work in our lab.
If you can provide a debug log (you need to turn on debugging) I'll take a look. Please do not forget to anonymize private information like IPs, usernames.
Vadim
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
10-16-2019 01:29 AM
Hi,
Thanks for the reply !
Just to confirm the version of clearpass I am running is 6.8
Here is the log (attached cppm) from clearpass it shows communication from the Infoblox appliance but this is only a communication and not a write command (the write command is ID 201)
Also attached is the log confirming that the host has been made in IPAM but it never reaches clearpass ?
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Please attach the endpoint debug log from Infoblox. You need to click on the action button next to the Aruba Endpoint and download the log.
You may clear the log before doing a test to reduce the file size.
Don't forget to set "Log Level" to "Debug" on the endpoint.
Vadim
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
10-17-2019 05:54 AM
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Here is the error:
[2019/10/17 13:09:49.711964] infoblox.localdomain (DEBUG): Sending a 'GET' request within connection: protocol='https', host='xx.xx0.199', port='443', path='/wapi/v2.7/discovery:device?address=xx.xx.xxx.111&_return_fields=name,description,os_version,chassis_serial_number,model,ms_ad_user_data,type,vendor,interfaces', headers={'Content-Type': 'application/json', 'Cookie': '[*********]', 'Accept': 'application/json', 'Authorization': '[*********]'}, body='(no body)'.
[2019/10/17 13:09:49.712043] infoblox.localdomain (DEBUG): Request timeout is 30
[2019/10/17 13:10:19.828025] infoblox.localdomain (ERROR): Socket error during communication with external server: The read operation timed out
[2019/10/17 13:10:19.849726] infoblox.localdomain (DEBUG): Request execution failed. retry
Are you running it on GMC? Can GMC communicate with GM via 443/tcp (https)?
Vadim
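Added example, not part of the original posts and not Infoblox code: one way to prepare an endpoint debug log like the one quoted above for sharing, by splitting run-together entries, masking `Cookie`/`Authorization` header values, and replacing IPv4 addresses with stable labels. The sample log, the function names and the `ip-N` labels are assumptions made for this illustration.

```python
import re

# Constructed sample in the format of the debug log quoted in this thread.
# Addresses are documentation-range placeholders; header values are made up.
SAMPLE = (
    "[2019/10/17 13:09:49.711964] infoblox.localdomain (DEBUG): Sending a 'GET' "
    "request within connection: protocol='https', host='192.0.2.199', port='443', "
    "path='/wapi/v2.7/discovery:device?address=198.51.100.111&_return_fields=name', "
    "headers={'Cookie': 'session=abc123', 'Authorization': 'Basic ZXhhbXBsZQ=='}, "
    "body='(no body)'. "
    "[2019/10/17 13:09:49.712043] infoblox.localdomain (DEBUG): Request timeout is 30 "
    "[2019/10/17 13:10:19.828025] infoblox.localdomain (ERROR): Socket error during "
    "communication with external server: The read operation timed out"
)

TS = r"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\]"
ENTRY_START = re.compile(rf"\s*(?={TS} )")  # an entry begins at each timestamp
ENTRY = re.compile(rf"(?P<ts>{TS}) (?P<src>\S+) \((?P<level>[A-Z]+)\): (?P<msg>.*)", re.S)
SECRET_HDR = re.compile(r"('(?:Cookie|Authorization)':\s*')[^']*'")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def anonymize(text):
    """Split a run-together log into entries and strip what should not be posted."""
    pseudonyms = {}

    def ip_sub(m):
        # Same address -> same label, so request/error pairs stay correlatable.
        return pseudonyms.setdefault(m.group(0), f"ip-{len(pseudonyms) + 1}")

    entries = []
    for raw in ENTRY_START.split(text):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # fail closed: text that does not parse is not emitted
        msg = SECRET_HDR.sub(r"\1[REDACTED]'", m["msg"])
        msg = IPV4.sub(ip_sub, msg)
        # The source hostname (m["src"]) is dropped rather than copied.
        entries.append({"ts": m["ts"], "level": m["level"], "msg": msg})
    return entries

def render(entries):
    return "\n".join(f"{e['ts']} ({e['level']}): {e['msg']}" for e in entries)

def errors(entries):
    return [e for e in entries if e["level"] == "ERROR"]

if __name__ == "__main__":
    print(render(anonymize(SAMPLE)))
```

Usernames and internal hostnames inside message bodies are not covered by these patterns and still need a manual pass before the log is attached.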
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
10-17-2019 09:05 AM
Sorry I am unsure what GMC is
My environment is a GM with another appliance installed (to provide the network discovery)
They are both installed on my esxi and there is nothing blocking any traffic with that ?
Many thanks for your help on this
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
GMC - Grid Master Candidate.
In the previous post I've quoted the error. The template can not connect to your GM, the request is timed out. Which is not really expected.
Did you provision WAPI credentials?
Vadim
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
10-18-2019 01:30 AM
Hi,
The WAPI credentials I am using are the admin superuser credentials
I have verified also that the API allowed has been enabled within the role
Many Thanks
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
10-18-2019 03:36 AM
Hi,
The issue is now resolved
From looking at the debug I forgot to set the attribute 'Aruba sync' to true !
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
11-12-2019 07:37 AM
Hi,
Just wondering if there is a way of adding the mac address with attributes from infoblox to clearpass without having the need to add an IP address to it ?
Many Thanks as always !
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Hello allied_assult,
you would need to modify the templates. So of course this is 100% possible with minor modifications.
hope this helps,
Kevin Zettel
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
11-12-2019 07:51 AM
Hi kzettel,
Many Thanks for your quick response
Within our environment we are using the templates which are all still left as 'default' and currently working
Could you point out which template would require changing so we would only need to add the mac address in order send it to clearpass via the API ?
Many Thanks for your help !
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Hello,
technically all of them... they shouldn't need to send the IP address for it to work so deleting the sending of the IP address on the POST/PUT steps should suffice.
It's a simple deletion of a few lines and you won't see the IP on the Aruba Clearpass anymore.
If you are worried about causing errors you can also just delete the input value but leave the "tag" (don't remember what Aruba calls them) so that they are just empty "".
hope this helps,
Kevin Zettel
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
11-12-2019 08:21 AM
Hi Kevin,
from just adding a mac address into the Infoblox it always requires to add an IP address within the fields on the 'add host' section
From this point the templates from the API are not even touched ?
Many Thanks
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Hello,
I don't really understand your question? Not sure what you mean by "add host" section.
IPs must always be added to Infoblox as it is a DDI appliance. DDI requires an IP address.
However Aruba ClearPass requires only a MAC address, this is because it is a NAC appliance.
As such:
1. when an asset on Infoblox is added or updated, the information (which includes the MAC and IP) will be sent to Aruba.
2. Aruba receives all the information (MAC+IP address). However Aruba only needs the MAC address.
3. you may remove the information from the Infoblox Ecosystem template that removes the IP address information.
4. you must add an IP address when adding assets to Infoblox, so removing the IP address when adding a host (or anything else) to Infoblox isn't possible.
hope this helps,
Kevin Zettel
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
As of May 1st, 2020, these templates now support the deletion of IPv4, and IPv6 Assets. These updated templates require NIOS 8.3 or higher. For more information please view the attached and updated version of the Deployment guide on Kevin's Original Post.
Re: INFOBLOX & ARUBA CLEARPASS INTEGRATION TEMPLATES, DEPLOYMENT GUIDE & DEMO VIDEO.
Has the procedure changed much with version 8.4.8? I'm trying to set this up in a lab environment and can't seem to get this to work.
When looking in the ClearPass logs I can see that the GM does an API to get a bearer token, but after that nothing else happens. When I modify the template to only include the API call to ClearPass, it works, but obviously this doesn't contain any useful info.
In the IB debug logs there are no errors that would indicate an issue.