ClearPass Integration Guide
Claroty

ClearPass and Claroty – Integration Guide

Change Log

Version   Date       Modified By   Comments
1.0       May 2019   Arpit Bhatt   First Published Version – Phase 1

Copyright

Copyright 2019 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett-Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA

Please specify the product and version for which you are requesting source code. You may also request a copy of this source code free of charge at HPE-Aruba-gplquery@hpe.com.

www.arubanetworks.com
3333 Scott Blvd
Santa Clara, CA 95054
Phone: 1-800-WIFI-LAN (+800-943-4526)
Fax 408.227.4550

2019 Hewlett Packard Enterprise Development LP. All Rights Reserved.

Contents

Introduction
Software Requirements
Installation and Deployment Guide
Pictorial view of the Integration
Configuration
ClearPass Configuration
Create a ClearPass User
Create an Operator Profile
Create an API Client
Claroty Configuration
Integration Results
Monitoring / Reviewing ClearPass and Claroty communications

Figures

Figure 1: Pictorial view of ClearPass Policy Manager integration with Claroty
Figure 2: Create an API level account in ClearPass
Figure 3: Operator Profile - Access restrictions 1
Figure 4: Operator Profile - Access restrictions 2
Figure 5: Operator Profile - Access restrictions 3
Figure 6: Create an API Client
Figure 7: Claroty Configuration Console
Figure 8: Endpoint Dictionary Attributes created by Claroty
Figure 9: Example of Endpoints created by Claroty
Figure 10: Normalized Endpoint data created by Claroty
Figure 11: Custom Endpoint data created by Claroty
Figure 12: Reviewing 'Last Sync' time to ClearPass
Figure 13: Example of API logs between Claroty and ClearPass

Introduction

This Integration Guide covers the configuration and use of the integration between Claroty and ClearPass Policy Manager (CPPM). Claroty's Continuous Threat Detection product provides extreme visibility, continuous threat and vulnerability monitoring and deep insights into Industrial Control Systems (ICS) networks.

This initial integration between Claroty and ClearPass Policy Manager focuses on the ability of Claroty to detect, discover and classify OT/ICS endpoints and share this classification directly with ClearPass via the ClearPass Security Exchange framework and the open APIs we expose. Claroty will automatically update the ClearPass Policy Manager endpoint database with endpoint classification data and a variety of custom security attributes.

This guide is written based on Phase 1 of our planned integration with Claroty, which provides centralized visibility of network assets and endpoints across IT and OT infrastructure. From here a centralized endpoint and edge security policy can be defined and administered. Check back for updates to this integration framework.

Software Requirements

At the time of writing, ClearPass Policy Manager version 6.8.0 is available and the recommended release. CPPM runs on hardware appliances with pre-installed software or as a Virtual Machine under the following hypervisors. Hypervisors that run on a client computer such as VMware Player are not supported.

- VMware ESXi 6.0, 6.5, 6.6 or higher
- Microsoft Hyper-V Server 2012 R2 or 2016 R2
- Hyper-V on Microsoft Windows Server 2012 R2 or 2016 R2
- KVM on CentOS 7.5 or later

The version of Claroty that was used for writing this integration guide is 3.2.2.9734.

Installation and Deployment Guide

The generic ClearPass installation and deployment guide is located here: https://www.arubanetworks.com/techdocs/ClearPass/6.7/Aruba_DeployGd_HTML/Default.htm#About%20ClearPass/Intro_ClearPass.htm

Pictorial view of the Integration

The diagram below shows a pictorial overview of the components and how they interact with each other.

Figure 1: Pictorial view of ClearPass Policy Manager integration with Claroty

Configuration

ClearPass Configuration

Prior to creating and enabling the integration in Claroty, a number of configuration elements need to be pre-created in ClearPass Policy Manager. Follow the below configuration steps carefully, collecting data as highlighted, which will be needed in the following section when configuring Claroty to establish an integration with CPPM.

Create a ClearPass User

As part of the communications channel between the two products, Claroty will use a number of APIs. Access to the TIPS API is validated via Username/Password combination credentials. This user needs to have minimum levels of access; do not use a Super Administrator profile.

Create a user from Administration -> Users and Privileges -> +ADD -> {Create a user, ensure that you use a privilege level of API Administrator}

Make a note of the User ID and Password that was configured, and ensure the Privilege level is API Administrator.

Figure 2: Create an API level account in ClearPass

Create an Operator Profile

To securely access the REST APIs for the API Client, create a restricted access Operator Profile. Navigate to ClearPass Guest > Administration > Operator Logins > Profiles. Click on "Create a new operator profile" on the top right corner of the page and define an operator profile as shown below. Pick and choose the necessary access for Claroty to update the CPPM endpoint database with the device context. In summary, all options are set as 'No Access' except for the following.

For API Services, select custom and then grant the following access:

- Allow API Access = Allow Access

For Policy Manager, select custom and then grant the following access:

- Dictionary – Attributes = Read, Write, Delete
- Dictionary – Fingerprints = Read, Write, Delete
- Identity – Endpoints = Read, Write, Delete

Figure 3: Operator Profile - Access restrictions 1
Figure 4: Operator Profile - Access restrictions 2
Figure 5: Operator Profile - Access restrictions 3

Create an API Client

Claroty uses the REST APIs for this integration; REST APIs are authenticated under an OAuth2 framework. Create an API Client under Guest > Administration > API Services > API Clients > {Create API Client}. Ensure the Operator Profile previously created is used here to restrict the capabilities of the API Client.

Notice the highlighted configuration options needed, and set as appropriate:

- Operating Mode = ClearPass REST API – Client will be used for API calls to ClearPass
- Operator Profile = Use the Operator Profile created previously
- Grant Type = Client credentials (grant_type=client_credentials)

Record the Client Secret and the ACTUAL API Client ID, i.e. ClarOTy as below.

Figure 6: Create an API Client

At this time all of the necessary config has been created in Policy Manager. Ensure you have the below list of information collected before proceeding to the next section.

- CPPM API Administrator User ID
- CPPM API Administrator User Password
- CPPM OAuth2 API Client NAME
- CPPM OAuth2 API Client Secret

Claroty Configuration

For this initial integration between the two products, there is limited configuration necessary on Claroty.
After the configuration is complete, the Claroty platform will continue to update the ClearPass Policy Manager endpoint database as it discovers new endpoints at a periodic schedule. Follow the steps below to configure and enable this integration.

Login as an administrator into Claroty using port 5000 (https://:5000). From the Claroty main console, navigate to Configuration > Integrations > Aruba ClearPass.

After clicking on 'Aruba ClearPass' the following screen is shown; all fields are required for the configuration. Use the values collected during ClearPass Policy Manager configuration. Once configured, click on Connect. A message is displayed at the bottom of the screen in a green box saying "Added Integration Configuration". This is easy to miss. The button for Connect changes to Update, which indicates the configuration is saved.

Figure 7: Claroty Configuration Console

Below table explains the fields used for configuration in detail.

Field Name           Value / Notes
Server Address       This should be the ClearPass Publisher's IP address
Port                 This should be 443
Client ID            OAuth2 client ID created in the previous section
API Admin Username   API Administrator User ID created in the previous section
API Admin Password   API Administrator Password created in the previous section
Client Secret        OAuth2 Client Secret copied in the previous section

Integration Results

As part of enabling the above integration, Claroty will create a number of custom Endpoint Dictionary attributes using the ClearPass REST APIs.
This is a record of the Dictionary Attributes created by Claroty. Check under Administration > Dictionaries > Dictionary Attributes.

Figure 8: Endpoint Dictionary Attributes created by Claroty

The Endpoint data is sent by Claroty; it creates the Endpoints, sets the endpoint classification and also configures some custom endpoint attributes. An example of the endpoints created is shown below.

Figure 9: Example of Endpoints created by Claroty

Looking closer at the endpoint data we can see several important things: the mac-address, mac-vendor, and some device classification as determined by Claroty, plus other valuable data such as the date the endpoint was added and profiled, said another way, the time Claroty updated ClearPass with the device's data.

Figure 10: Normalized Endpoint data created by Claroty

In addition to the standard data, Claroty also supplies other custom attributes. Click on the Attributes tab to see them. Any of these attributes could be used in a Policy.

Figure 11: Custom Endpoint data created by Claroty

Claroty_Criticality, Claroty_Firmware, Claroty_Risk_Level, Claroty_CVE_Score are some of the very useful attributes that can be used within the enforcement policy. For example, a known vulnerable Firmware for a device category can be blocked. If the Criticality is High, an endpoint can be quarantined.

Monitoring / Reviewing ClearPass and Claroty communications

Once the sync has started, endpoint data will be populated directly into the Policy Manager endpoint database. View the last update time from the integration configuration screen; see below for an example.

Figure 12: Reviewing 'Last Update' time to ClearPass

If the sync is not working or shows an error then it's likely you've missed capturing the information correctly; recheck the data recorded. Additionally, you can view the API calls between Claroty and ClearPass from ClearPass Guest > Administration > Support > Application Log. Below is an example of logs from Claroty to ClearPass. Filter using the IP address of Claroty.

Figure 13: Example of API logs between Claroty and ClearPass

Notice there are a few error logs. These errors indicate that the MAC address did not exist, hence a new one was created by Claroty. If it exists, it will be updated if necessary and the errors will not be seen.
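
The 'No Access except for the following' rule from Create an Operator Profile can be checked mechanically before the API Client is handed to Claroty. The sketch below is an added example, not part of the original guide and not ClearPass or Claroty code; it assumes the profile has been transcribed by hand into a hypothetical dictionary of (category, privilege) to granted access levels, and it reports grants beyond the guide's list as well as required grants that are missing.

```python
# Added example, not ClearPass or Claroty code. The profile layout
# ((category, privilege) -> granted access levels) is hypothetical.

RWD = frozenset({"read", "write", "delete"})

# The only grants the guide calls for; everything else is 'No Access'.
ALLOWED = {
    ("API Services", "Allow API Access"): frozenset({"allow access"}),
    ("Policy Manager", "Dictionary - Attributes"): RWD,
    ("Policy Manager", "Dictionary - Fingerprints"): RWD,
    ("Policy Manager", "Identity - Endpoints"): RWD,
}

def _norm(levels):
    return frozenset(level.strip().lower() for level in levels)

def audit_profile(profile):
    """Return (excess, missing): grants beyond the allow-list, and
    grants the integration needs that the profile lacks."""
    excess, missing = [], []
    for key, granted in profile.items():
        extra = _norm(granted) - ALLOWED.get(key, frozenset())
        if extra:  # privileges not on the allow-list are default-deny
            excess.append((key, sorted(extra)))
    for key, needed in ALLOWED.items():
        lacking = needed - _norm(profile.get(key, ()))
        if lacking:
            missing.append((key, sorted(lacking)))
    return sorted(excess), sorted(missing)

# Constructed sample: a profile copied from a broader role and not trimmed.
# The last two privilege names are made up for illustration.
SAMPLE_TOO_BROAD = {
    ("API Services", "Allow API Access"): ["Allow Access"],
    ("Policy Manager", "Dictionary - Attributes"): ["Read", "Write", "Delete"],
    ("Policy Manager", "Dictionary - Fingerprints"): ["Read"],
    ("Policy Manager", "Identity - Endpoints"): ["Read", "Write", "Delete"],
    ("Policy Manager", "Identity - Local Users"): ["Read", "Write"],
    ("Administrator", "Operator Logins"): ["Full Access"],
}

if __name__ == "__main__":
    excess, missing = audit_profile(SAMPLE_TOO_BROAD)
    for key, levels in excess:
        print("EXCESS ", " / ".join(key), levels)
    for key, levels in missing:
        print("MISSING", " / ".join(key), levels)
```

Any EXCESS line is a grant to remove from the profile; a MISSING line explains a sync that fails even though the credentials are correct.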
