Jason_Carrillo
Collaborator

Aruba Clear Pass Integration - API

We are trying to leverage the R80.10 web API to integrate our Check Point gateways with Aruba Clear Pass. We are having a heckuva time getting it to work reliably, which is kind of maddening because you would think a POST from a server to the gateway would be the most efficient and reliable way to achieve this over AD Query and RADIUS Accounting. 

What we are seeing is the Aruba server failing to send the POST messages to the gateways in a reliable manner. We've turned off IPv6, we've turned off machine authentication, and it still doesn't work right. It will work sometimes, then other times just fail altogether. 

If you have had luck with this integration and wouldn't mind sharing some tips, places to look, or troubleshooting steps, it would be much appreciated. We have tickets open with Aruba TAC and their engineering team, but they seem as confused as we are. 

Thanks!

25 Replies
Andrew_Neve
Explorer

Have a look at sk104958 in the Check Point Partner Map and the link within it to the third-party Aruba document:

ClearPass 6.5 Tech Note: ClearPass Integration with 3rd Party Enforcement Points - ClearPass & Checkpoint utilizing RESTful API and RADIUS Accounting

Jason_Carrillo
Collaborator

Thanks Andrew. We've reviewed that document thoroughly, it was helpful getting it set up initially, but there are other issues we are seeing since implementation.

It doesn't help that it is a few years old and there aren't current documents for R80.10.


Jason_Carrillo
Collaborator

We've actually heard back from Aruba on this, and the process that sends the API POST message from Clear Pass to the firewall is unreliable, and we aren't the first customer to have issues with it. They are working on a fix for this at the "highest levels of engineering". 

In the interim we've moved to using the RADIUS accounting feature and passing roles to the firewall using the "Connect-Info" attribute. So far so good, but there are some challenges if you want the Clear Pass side to send roles via RADIUS accounting (see the Identity Awareness R80.10 Administration Guide).

Now I just have to find a way to add a bunch of user groups to the firewall because it seems like when Check Point designed the API they didn't put in a hook for that kind of group creation. 

I'll update this when I hear back from Aruba about a fix. 

Marc_Guyard
Employee Alumnus

Hi Jason,

I'm working on a PoC with ClearPass, and the API integration works.

But the native API paths included in ClearPass are wrong. You need to change the URL in the ClearPass configuration.

For example, to add an identity in Check Point, ClearPass needs to use this URL: https://<Gateway_IP_or_FQDN>/_IA_API/v1.0/add-identity

That is not the case by default.

All URLs are in the IA R80.10 Admin Guide.

Jason_Carrillo
Collaborator

I have an update to this. We are still using the RADIUS Accounting feature and have a new fun issue with this feature. We are getting users who log in to wireless, all the information is forwarded to the firewall as expected. Then, for some reason, the Clear Pass server will send another RADIUS Accounting message with no information, which overwrites the old entry for that user and removes their rights/roles/groups. Neat! Another ticket for Aruba...
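An added example, not code from the thread, ClearPass or Check Point: a minimal RADIUS Accounting-Request decoder that verifies the Request Authenticator against the shared secret, extracts User-Name, Framed-IP-Address and the roles carried in Connect-Info (the attribute Jason describes using to pass roles), and refuses to turn a Start or Interim-Update that carries no user or roles into an identity update, so a blank accounting record like the one Jason describes cannot overwrite an existing user-to-IP mapping. Attribute numbers come from RFC 2866/2869; the shared secret, the comma-separated role format inside Connect-Info, and the three sample packets are constructed assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                                   # RFC 2866 Accounting-Request code
USER_NAME, FRAMED_IP, ACCT_STATUS, CONNECT_INFO = 1, 8, 40, 77   # RFC 2865/2866/2869 attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
SECRET = b"radius-shared-secret"                   # hypothetical secret, constructed for the example


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLVs (length byte covers the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_acct_request(ident, attrs, secret=SECRET):
    """Construct an Accounting-Request. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 2866 s.3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(pkt, secret=SECRET):
    """Verify the authenticator and return {type: [value, ...]}; ValueError on a bad packet."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("bad Request Authenticator (wrong secret or modified packet)")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        t, l = body[i], body[i + 1]
        attrs.setdefault(t, []).append(body[i + 2:i + l])
        i += l
    return attrs


def identity_action(pkt, secret=SECRET):
    """Map an Accounting-Request to (action, details) for an identity source.
    A Start/Interim-Update without a user or roles becomes 'drop' rather than
    an update, so an empty record cannot clobber an existing mapping."""
    attrs = parse_acct_request(pkt, secret)
    if ACCT_STATUS not in attrs:
        raise ValueError("missing Acct-Status-Type")
    status = STATUS.get(struct.unpack("!I", attrs[ACCT_STATUS][0])[0], "unknown")
    user = attrs.get(USER_NAME, [b""])[0].decode("utf-8", "replace")
    ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP][0])) if FRAMED_IP in attrs else None
    # Assumption: roles travel as a comma-separated list in Connect-Info.
    roles = [r for r in attrs.get(CONNECT_INFO, [b""])[0].decode("utf-8", "replace").split(",") if r]
    if ip is None:
        return ("drop", "no Framed-IP-Address")
    if status == "Stop":
        return ("delete", {"ip": ip, "user": user})
    if status in ("Start", "Interim-Update") and user and roles:
        return ("add", {"ip": ip, "user": user, "roles": roles})
    return ("drop", f"{status} without user/roles for {ip}")


# Constructed sample traffic (not captured from a real ClearPass):
IP = ipaddress.IPv4Address("10.1.2.3").packed
GOOD_START = build_acct_request(7, [
    (USER_NAME, b"jdoe"), (FRAMED_IP, IP),
    (ACCT_STATUS, struct.pack("!I", 1)), (CONNECT_INFO, b"wifi-users,finance"),
])
BLANK_UPDATE = build_acct_request(8, [          # the "empty" record that would clobber jdoe
    (FRAMED_IP, IP), (ACCT_STATUS, struct.pack("!I", 3)),
])
STOP = build_acct_request(9, [
    (USER_NAME, b"jdoe"), (FRAMED_IP, IP), (ACCT_STATUS, struct.pack("!I", 2)),
])

if __name__ == "__main__":
    for name, pkt in [("start", GOOD_START), ("blank", BLANK_UPDATE), ("stop", STOP)]:
        print(name, identity_action(pkt))
```

The authenticator check matters because accounting travels over UDP: anything that can reach the accounting port and knows the secret can add or remove identities, so a proxy that sits between ClearPass and the gateway must verify before it filters.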

Pedro_Fernandes
Participant

Hello,
Does anyone find an updated documentation with R80.10 or R80.20 for the Aruba Clearpass integration?

I'm looking for a way to create a network access rule using the operating system or host type records that I can find in the event logs. Is this anyway possible?

Danny_Jump
Explorer

The new Integration Guide will be posted by early next week on the Aruba Support site.

Jason_Carrillo
Collaborator

At this point, if you don't have to attempt to integrate with the Aruba Clear Pass system, you should probably avoid it. We attempted to use the API early on and had all kinds of issues that Aruba couldn't explain. They went back to the drawing board, and we settled on RADIUS Accounting, after building out a bunch of backend Active Directory group stuff, with the promise that the API would be fixed and updated.

RADIUS Accounting was great, up until you need Clear Pass to send updates to the firewall in a timely manner. We see 5 to 20 minute delays between user log in and the messages being sent by the Aruba side.

Months waiting, new code provided, still seeing the same weirdness with the API, and an inability to explain why Clear Pass is doing what it is doing.

In my opinion, Clear Pass integration via API or RADIUS Accounting on a large network is half-baked at best. Because the integration piece is just so broken right now, we are going to have to crack open our firewall rules and do enforcement on the Aruba side... So goodbye to my easy to understand, troubleshoot and log Check Point rules, I think.

PhoneBoy
Admin

Is it because of issues with Aruba, Check Point issues, or both?

Jason_Carrillo
Collaborator

The issue is with Aruba because it comes down to two things: either a delay in the notification sent to the firewall with RADIUS Accounting, or, with the API, extraneous logout events being sent to the REST API, caused by machine authentication.

One thing that Check Point could do to save Aruba from itself is to provide a User field in the delete-identity API call. Basically we see the Aruba side sending simultaneous add-identity calls for the user name along with delete-identity calls for the machine "user" name. This is causing our entry in the firewall to show a log in and then an immediate log out because the delete-identity call is only based on IP address.

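As an added example (not code from the thread, ClearPass or Check Point), here is what the two calls Marc and Jason discuss above look like from a client: the add-identity and delete-identity bodies built around the /_IA_API/v1.0/add-identity path Marc quotes, plus a small client-side guard for the problem Jason describes, where delete-identity carries only an IP, so a machine-account logout arriving next to the user's add-identity wipes the user's entry. The gateway name, shared secret, the exact JSON field names, the machine-account heuristic and the sample event sequence are assumptions; check the field names against the Identity Awareness Administration Guide for your release.

```python
import json
import ssl
import urllib.request

# Hypothetical values for the example; the path is the one quoted in the thread.
GATEWAY = "https://gw.example.net"               # assumption: gateway FQDN
API_BASE = GATEWAY + "/_IA_API/v1.0"
SHARED_SECRET = "replace-with-ia-api-secret"     # assumption


def add_identity_body(ip, user, roles, session_timeout=28800):
    """JSON for POST /_IA_API/v1.0/add-identity. Field names are assumptions
    based on the Identity Awareness Web API; verify against the Admin Guide."""
    return {
        "shared-secret": SHARED_SECRET,
        "ip-address": ip,
        "user": user,
        "roles": list(roles),
        "session-timeout": session_timeout,
    }


def delete_identity_body(ip):
    """JSON for POST /_IA_API/v1.0/delete-identity. There is no user field:
    the delete is keyed on the IP alone, which is why a machine-account
    logout can remove the human user's identity at the same address."""
    return {"shared-secret": SHARED_SECRET, "ip-address": ip}


def is_machine_account(principal):
    """Heuristic (assumption): AD computer accounts look like HOST$ or host/fqdn."""
    return principal.endswith("$") or principal.lower().startswith("host/")


class IdentityGuard:
    """Client-side ownership table: remembers which principal last added an
    identity at each IP and only forwards a delete from that same principal,
    so the login-then-immediate-logout pattern never reaches the gateway."""

    def __init__(self):
        self._owner = {}

    def login(self, ip, principal, roles):
        # A user login always takes ownership; a machine login only does so
        # when nobody is at that IP yet (machine auth usually precedes user auth).
        if not is_machine_account(principal) or ip not in self._owner:
            self._owner[ip] = principal
        return ("add-identity", add_identity_body(ip, principal, roles))

    def logout(self, ip, principal):
        if self._owner.get(ip) != principal:
            return None                      # stale or foreign logout: suppressed
        del self._owner[ip]
        return ("delete-identity", delete_identity_body(ip))


def replay(events, guard=None):
    """events: (action, ip, principal, roles). Returns the (endpoint, body) calls to send."""
    guard = guard or IdentityGuard()
    calls = []
    for action, ip, principal, roles in events:
        call = guard.login(ip, principal, roles) if action == "login" else guard.logout(ip, principal)
        if call:
            calls.append(call)
    return calls


def post(endpoint, body, verify_tls=True):
    """Send one call to the gateway over HTTPS and return its decoded JSON reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:                       # lab only: gateway certs are often self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{API_BASE}/{endpoint}", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.loads(resp.read().decode())


# Constructed sequence mirroring the thread: machine auth, user auth, then a
# spurious machine logout arriving alongside the user's add-identity.
SAMPLE_EVENTS = [
    ("login", "10.1.2.3", "LAPTOP01$", ["domain-computers"]),
    ("login", "10.1.2.3", "jdoe", ["wifi-users", "finance"]),
    ("logout", "10.1.2.3", "LAPTOP01$", []),   # would evict jdoe: suppressed
    ("logout", "10.1.2.3", "jdoe", []),        # genuine logout: forwarded
]

if __name__ == "__main__":
    for endpoint, body in replay(SAMPLE_EVENTS):
        print(endpoint, json.dumps({k: v for k, v in body.items() if k != "shared-secret"}))
```

The guard only helps where something you control sits between ClearPass and the gateway (a relay or post-authentication script); it does not change what ClearPass itself emits, and it depends on the heuristic for telling machine accounts from users.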
PhoneBoy
Admin

That sounds like a potential RFE.

Royi Priov

Jason_Carrillo
Collaborator

True, but then again Aruba should be able to distinguish a Domain computer user account login from a human user account login and not stomp all over the necessary API calls...

Royi_Priov
Employee

Hi Jason Carrillo,

First, I'm sorry to hear that the Aruba integration is not working as expected. I understand that the issues are on the Aruba side, but in case Identity Awareness R&D should be involved, you are welcome to update me.

Second, as for the delete messages, we are not requesting the username by default, and indeed adding this is possible via an RFE.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
Benjamin_Lamber
Participant

Hi Jason,

I'm very glad I found this thread as it may have saved me a ton of time!

What version of ClearPass are you running? I'm curious if they've updated any of it as I'm still running 6.6.x with plans to update to 6.7.

Thanks,

--Ben

Jason_Carrillo
Collaborator

6.7.8 currently, but we've had this problem since the pilot. Not sure of the version at that time, may have been 6.5.x

Jason_Carrillo
Collaborator

We've been working closely with Aruba TAC on this and they've made a fix that is functional. It is a code modification that is going to end up in the next patch.

Clear Pass is still sending logouts when it shouldn't and not sending logouts when it should, but because they 'fixed' the sequence of events the test users seem to be having improved performance. We are considering abandoning the logouts entirely in lieu of Check Point enforcing one user per IP. It's not what we were sold, but it will work.

We have started playing around with the Identity Collector, and I have to say, I am impressed so far. We have one IDC hitting 16 AD controllers pushing to one firewall now. It consistently beats Aruba Clear Pass authentication notifications by 20-40 seconds.

Royi_Priov
Employee

Hi Jason Carrillo,

I want to get more details about this issue. I was asked by Aruba R&D as well.

Can you give me Aruba / CheckPoint ticket number?

Jason Carrillo wrote:

We've been working closely with Aruba TAC on this and they've made a fix that is functional. It is a code modification that is going to end up in the next patch.

Clear Pass is still sending logouts when it shouldn't and not sending logouts when it should, but because they 'fixed' the sequence of events the test users seem to be having improved performance. We are considering abandoning the logouts entirely in lieu of Check Point enforcing one user per IP. It's not what we were sold, but it will work.

We have started playing around with the Identity Collector, and I have to say, I am impressed so far. We have one IDC hitting 16 AD controllers pushing to one firewall now. It consistently beats Aruba Clear Pass authentication notifications by 20-40 seconds.

Jason_Carrillo
Collaborator

5335604614  API Troubleshooting
5328368971 Delayed RADIUS Accounting messages

Royi_Priov
Employee

Jason Carrillo wrote:

5335604614  API Troubleshooting
5328368971 Delayed RADIUS Accounting messages

Thanks.

I'm checking it offline with Aruba R&D.

Royi Priov.

Prachachart_Sta
Employee

Hi Jason,

Regarding the code modification that impressed you: can I ask whether you are still integrating with ClearPass via RADIUS Accounting or via the RESTful API for now?

Thanks.

Prachachart.S

Jason_Carrillo
Collaborator

The code from Aruba doesn't impress me. Based on the PDP debug on the Check Point side, it is still sending logouts when it shouldn't, and doesn't reliably send logouts when the user logs out. I am impressed with the Check Point Identity Collector. Even after a few weeks it is still beating Aruba to the punch.

We are still having problems with RADIUS Accounting and have a ticket open.

Right now we are considering turning off logouts completely since we can't rely on Aruba to send those when it should.

Kevin_Zeitler
Contributor

Jason,

Have you made it any further with Aruba?  I am seeing the same issue with Aruba sending back a logout immediately after machine authentication takes place.  You mentioned disabling logouts where do you see that option?

Jason_Carrillo
Collaborator

Hey Kevin, sorry for the delayed response.

We are currently using the latest code for Clear Pass and the API piece is working as expected and consistently. We are still using logouts as part of our solution, but we are still considering turning it off as it is causing some issues with folks using Docker VMs.
Jason_Carrillo
Collaborator

Currently running Clear Pass Policy Manager 6.7.9.109195, we are having success with the API post-authentication module. The updates Aruba made have gotten us to where we need to be, and we are setting our wireless clients up to use the API post-authentication module. RADIUS Accounting still struggles to consistently send authentications to the firewall, but we don't need it because the API is working well.

We still only have about 400 users whose auths are reported to the firewall via API, but we are working to get its usage expanded.

Piotr_Czura
Explorer

Hi, can you please share your JSON code which is sent to CHP? We have a problem with the variables in the code. It works fine on the hard-set address and username, but after setting these values as variables, we get an error message when sending a state change
