Integrating ClearPass with Infoblox

This section provides the following information:

Adding an Infoblox Endpoint Context Server
Adding a Context Server Action to the Infoblox Server
Creating an Infoblox Enforcement Profile
Configuring an Infoblox RADIUS Enforcement Profile
Creating an Infoblox Enforcement Policy
Defining an Infoblox Service
Authenticating External Devices Against the Infoblox Service
Creating a Filter to Accept Information from the ClearPass Server

Infoblox is a server that provides a host of services, such as DNS, DHCP, and IPAM (IP address management). Infoblox provides a DHCP management system that issues IP addresses to externally authenticated devices and also maintains a MAC address context associated with the newly allocated IP address.

Integrating ClearPass with Infoblox sends the username context of each externally authenticated device, together with that device's MAC address, to Infoblox, which further simplifies IP address management on the Infoblox side.

This section describes the configurations that you must make on the ClearPass server in order for the ClearPass server to send data to an Infoblox server.

Adding an Infoblox Endpoint Context Server

To add an Infoblox endpoint context server:

1. Navigate to Administration > External Servers > Endpoint Context Servers.

The Endpoint Context Servers page opens.

Figure 1: Endpoint Context Servers Page

2. Click Add.

The Add Endpoint Context Server dialog opens, with the Server page displayed.

Figure 2: Adding an Infoblox Endpoint Context Server

3. Enter the following information:
a. Select Server Type: From the drop-down list, select Generic HTTP.
b. Server Name: Enter the IP address of the Infoblox server.
c. Server Base URL: As you enter the IP address in the Server Name field, the Server Base URL is populated automatically with the same IP address.
d. Password: Enter the password for this server, then verify the password.
4. When finished defining the parameters in the Server page, click Save.

You return to the Endpoint Context Servers page, where the endpoint context server you added is now listed.

Adding a Context Server Action to the Infoblox Server

This section describes how to define an Infoblox Login action and specify the URL to post content from the ClearPass Policy Manager server to the Infoblox server.

To add a context server action to the Infoblox server:

1. Navigate to Administration > Dictionaries > Context Server Actions.

The Endpoint Context Server Actions page appears.

2. Select the Infoblox Login endpoint context server action.

The Endpoint Context Server Details dialog for the selected action is displayed.

For descriptions of the parameters in the Endpoint Context Servers Details tabs, refer to Configuring Endpoint Context Server Actions.

Figure 3: Selecting the Infoblox Server for the Endpoint Context Server Action

3. Server Name: Select the IP address of the Infoblox server.
4. URL: Note the URL for posting content from the ClearPass server to the Infoblox server:

/wapi/v2.0/macfilteraddress?

5. Click Save.

Attributes Sent to the Infoblox Server

6. To view the attributes that will be sent to the Infoblox server, click the Content tab.

As shown in Figure 4, the following attributes are sent in JSON format to the Infoblox server:

Filter name "ClearPass"
Username and MAC addresses of the authenticated devices

Figure 4: Attributes Sent to Infoblox Server

7. Click Cancel.

Creating an Infoblox Enforcement Profile

This section describes how to create a simple HTTP-based enforcement profile named "Infoblox Notify" that acts against the Infoblox Login action. For additional details on configuring enforcement profiles, see Configuring Enforcement Profiles.

To create an Infoblox enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles.

The Enforcement Profiles page opens.

Figure 5: Enforcement Profiles Page

2. Click Add.

The Add Enforcement Profiles dialog appears.

Figure 6: Adding the Infoblox Enforcement Profile

3. Configure the Add Enforcement Profile page as follows:
a. Template: Select HTTP Based Enforcement.

For details on configuring HTTP-based enforcement profiles, see HTTP Based Enforcement Profile.

b. Name: Enter Infoblox Notify.
c. Description: Optionally, enter a description of this enforcement profile.
d. Click Next.

The Enforcement Profiles Attributes page appears.

Figure 7: Specifying the Target Server and Enforcement Action

4. Configure the Enforcement Profile Attributes page as follows:
a. Target Server: Select the IP address of the Infoblox server.
b. Action: Select Infoblox Login.
c. Click Save.

You return to the Enforcement Profiles page, where the Infoblox Notify enforcement profile is now listed.

Configuring an Infoblox RADIUS Enforcement Profile

This section describes how to define a RADIUS Enforcement type profile for Infoblox. This profile defines the tunnel parameters, the VLAN ID, and the termination action.

This configuration is specific to the lab environments in which this feature has been tested. The Radius:IETF attributes can take any values, depending on the lab environment.

For details on configuring a RADIUS-based enforcement policy, see RADIUS Based Enforcement Profile.

To define a RADIUS Enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles.

The Enforcement Profiles page appears.

2. Click Add.

The Add Enforcement Profiles dialog appears.

Figure 8: Adding a RADIUS-Based Enforcement Profile

3. Enter the following information:
a. Template: Select RADIUS Based Enforcement.
b. Name: Enter Infoblox RADIUS Enforcement.
c. Description: Optionally, enter a description of this profile.
d. Click Next.

The Enforcement Profiles Attributes page opens. In the following steps, you will add the four RADIUS Enforcement attributes illustrated in Figure 9.

Figure 9: Adding Attributes to the RADIUS Enforcement Profile

Tunnel-Private-Group-Id

4. Click Click to add....
a. Type: Select Radius:IETF.
b. Name: Select Tunnel-Private-Group-Id.
c. Value: Enter the value configured for the Tunnel-Private-Group-Id attribute on the controller.

Session-Timeout

5. Click Click to add....
a. Type: Select Radius:IETF.
b. Name: Select Session-Timeout.
c. Value: Enter 21600 (which equals six hours in seconds).

Tunnel-Type

6. Click Click to add....
a. Type: Select Radius:IETF.
b. Name: Select Tunnel-Type.
c. Value: Select VLAN.

Termination-Action

7. Click Click to add....
a. Type: Select Radius:IETF.
b. Name: Select Termination-Action.
c. Value: Select RADIUS-Request.
8. Click Save.

You return to the Enforcement Profiles page. The following message is displayed:

Enforcement profile "Infoblox RADIUS Enforcement" added

Creating an Infoblox Enforcement Policy

This section describes how to create an enforcement policy to act against the "Infoblox Notify" and "Infoblox RADIUS Enforcement" profiles so that external devices can authenticate against this policy.

For details on configuring enforcement policies, see Configuring Enforcement Policies.

To create an Infoblox Enforcement Policy:

1. Navigate to Configuration > Enforcement > Policies.

The Enforcement Policies page opens.

2. Click Add.

The Add Enforcement Policies page appears.

Figure 10: Adding the Infoblox Enforcement Policy

3. Enter the following information:
a. Name: Enter Infoblox Policy.
b. Description: Optionally, enter a description of this policy.
c. Enforcement Type: Set by default to RADIUS.
d. Default Profile: Select Allow Access Profile.
e. Click Next.

The Rules page appears.

4. Click Add Rule.

The Rules Editor dialog appears.

Figure 11: Configuring Infoblox Enforcement Policy Rules

5. In the Conditions panel, click Click to add, then enter the following information:
a. Type: Select Tips.
b. Name: Select Role.
c. Operator: Select EQUALS.
d. Value: Select User Authenticated.
6. In the Enforcement Profiles panel:
a. Click Select to Add.

You must add the enforcement profiles in the order specified here.

b. Select [RADIUS] Infoblox RADIUS Enforcement.
c. Click Select to Add.
d. Select [HTTP] Infoblox Notify.
7. Click Save.
8. To view the Infoblox enforcement policy summary, click the Summary tab.

Figure 12: Summary of the Infoblox Enforcement Policy

9. Check the summary information to make sure the policy is correct, make any changes if necessary, then click Save.

You return to the Enforcement Policies page where the new Infoblox Policy is now listed.

Defining an Infoblox Service

This section describes how to create a Generic RADIUS Enforcement wireless service named "Infoblox Wireless Service" for the policy "Infoblox Policy."

To create the wireless service:

1. Navigate to Configuration > Services.

The Services page opens.

2. Click Add.

The Add Services page opens.

Figure 13: Adding an Infoblox Wireless Service

3. Enter the following information:
a. Type: Select 802.1X Wireless.
b. Name: Enter Infoblox Wireless Service.
c. Description: Optionally, enter a description of this service.
d. In the Service Rule panel, set Matches to ANY, then click Next.

The Authentication page appears.

Figure 14: Specifying Wireless Service Authentication Settings

4. Enter the following information:
a. Authentication Methods: Select the authentication method.

This example uses EAP MSCHAPv2.

b. Authentication Sources: Select the authentication source(s).

This example uses Local SQL DB.

5. Select the Enforcement tab.

Figure 15: Specifying the Enforcement Policy for the Service

6. From the Enforcement Policy drop-down list, select Infoblox Policy, then click Next.

The Infoblox Wireless Service Summary page is displayed.

7. Check the summary information to make sure the service is correct, make any changes if necessary, then click Save.

You return to the Services page where the new Infoblox Wireless Service is now listed.

Authenticating External Devices Against the Infoblox Service

This section defines the configuration on the Infoblox server to receive the MAC address and username context from ClearPass.

The following procedure adds an IPv4 network that is used as a DHCP pool to assign IP addresses to the external devices that must be authenticated.

To configure an Infoblox server to authenticate external devices:

1. Log into the Infoblox server.

The Infoblox IPAM Tasks page opens.

Figure 16: Infoblox Server Initial Page

2. Select the Data Management tab, then select the DHCP tab.

The DHCP Networks page appears.

Figure 17: Adding an IPv4 Network

3. To add a new network, click the Plus icon.

The Add IPv4 Network Wizard begins.

Figure 18: Adding an IPv4 Network

4. With Add Network selected by default, click Next.

The following screen appears.

Figure 19: Specifying the Netmask

5. In the Netmask field, specify the netmask for the new network.

The netmask is set by default to /24 (equivalent to a Class C network), but you can set the netmask to any appropriate value for your network.

6. To add an IPv4 network, in the Networks panel, click the Plus sign (see Figure 19).
7. In the Networks field, enter the IP address of the network, then click Next.

The Members screen appears.

Figure 20: Adding Members

8. Click the Plus sign.

While adding members for the DHCP pool, the members group from Data Management > DHCP > Members is populated automatically.

9. Click Next.

The following screen appears.

Figure 21: Specifying the Lease Time (Session-Timeout Value)

10. In the Lease Time Override panel, click Override.
11. In the Lease Time field, enter 21600 and select Seconds from the drop-down, then click Next.

The Lease Time value you enter here must correspond to the Session-Timeout value defined under Infoblox RADIUS Enforcement (see Figure 9).

The Extension Attributes screen opens. No changes are required here.

12. Click Next.

The Create IPv4 Network screen opens. You can choose to create the network now or schedule it for a later day and time.

Figure 22: Scheduling Date and Time for Creating the IPv4 Network

13. Specify when the IPv4 network should be created, then click Save & Close.

The new network is created.

Figure 23: New IPv4 Network Created

Creating a Filter to Accept Information from the ClearPass Server

To create a filter to accept information from the ClearPass server:

1. From the Data Management > DHCP tab, select the newly created network.

The Networks page opens.

2. Select the IPv4 Filters tab.
3. To add a filter, click the Plus sign.

The Add IPv4 MAC Address Filter dialog opens.

4. In the Name field, enter ClearPass.

The name of the filter must correspond to the filter value in the Endpoint Context Server Content page (see Attributes Sent to the Infoblox Server).

5. Optionally, enter a comment to describe this filter, then click Next.

Step 2 of the Add IPv4 MAC Address Filter wizard appears.

6. In the Lease Time fields, enter 21600 and select Seconds, then click Next.

Figure 24: Specifying Lease Time in the IPv4 MAC Address Filter

The Lease Time value entered here must correspond to the Session-Timeout value defined in the Infoblox RADIUS Enforcement profile (see Session-Timeout).
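The following Python script is an added example, not part of this guide or of ClearPass or Infoblox. It builds the record that the Infoblox Login action posts to /wapi/v2.0/macfilteraddress (filter name "ClearPass", username, MAC address, as described under Attributes Sent to the Infoblox Server) and checks that the three Infoblox timers (network lease time, filter lease time, MAC address expiration) match the RADIUS Session-Timeout, as the notes in this section require. The WAPI field names filter, mac and username are assumed from the Infoblox macfilteraddress object; the guide itself shows only the attribute list.

```python
import json
import re

# Values taken from this integration guide.
WAPI_PATH = "/wapi/v2.0/macfilteraddress"   # URL of the Infoblox Login context server action
FILTER_NAME = "ClearPass"                    # name of the IPv4 MAC Address Filter on Infoblox
SESSION_TIMEOUT = 21600                      # RADIUS Session-Timeout, six hours in seconds

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as lowercase, colon-separated, the form Infoblox stores.
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff;
    anything else raises so a malformed context never reaches the filter."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def macfilter_record(username: str, mac: str, filter_name: str = FILTER_NAME) -> dict:
    """JSON body for POST /wapi/v2.0/macfilteraddress.
    Field names (filter, mac, username) are assumed from the WAPI macfilteraddress
    object; the guide only states that filter name, username and MAC are sent."""
    if not username:
        raise ValueError("username context is required")
    return {"filter": filter_name, "mac": normalize_mac(mac), "username": username}


def check_timers(session_timeout: int, network_lease: int, filter_lease: int,
                 mac_expiration: int) -> list:
    """Return the names of Infoblox timers that differ from the RADIUS Session-Timeout.
    The guide requires all of them to equal Session-Timeout (21600 here); a mismatch
    lets a DHCP lease or MAC filter entry outlive, or expire before, the RADIUS session."""
    timers = {"network lease time": network_lease,
              "MAC filter lease time": filter_lease,
              "MAC address expiration": mac_expiration}
    return [name for name, value in timers.items() if value != session_timeout]


if __name__ == "__main__":
    body = macfilter_record("alice", "00-1A-2B-3C-4D-5E")   # constructed sample values
    print("POST", WAPI_PATH, json.dumps(body))
    print("mismatched timers:", check_timers(SESSION_TIMEOUT, 21600, 21600, 3600))
```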

Step 3 of the IPv4 MAC Address Filter wizard appears.

Figure 25: Specifying the MAC Address Expiration in the IPv4 MAC Address Filter

7. For the Default MAC Address Expiration setting:
a. Select the Automatically Expires in button.
b. Specify 21600 Seconds.
c. Then click Next.

The Extensible attributes screen appears.

8. No changes are required for this step, so click Next.

In Step 5, the Schedule Change dialog appears.

Figure 26:  

9. Specify the Schedule Change settings:
a. If you wish to run the MAC address filter now, select Now.
b. If you wish to schedule the MAC address filter for later, select Later and specify the Start Date and Start Time.
c. When finished with the Schedule Change settings, click Save & Close.