Security

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev
------------------------------

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

Igor,

A few things... firstly since the the last DOC from Arphit, I wrote an update as did another engineer Drew. Find the latest version here, check this doc through for potential changes.... https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

To your issue, can you please confirm that the devices authenticating are seeing radius-accounting data... check in AT and look for an Accounting TAB like the below. No accounting then enforcement policy will no fire.



------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Apr 23, 2021 07:08 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

Thank you Danny,


By the way it is described in the guide I thought that the REST API configuration is enough to send data.
I will try RADIUS accounting proxy and post the results.

------------------------------
Igor Aliyev
------------------------------

Original Message:
Sent: Apr 23, 2021 01:51 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Igor,

A few things... firstly since the the last DOC from Arphit, I wrote an update as did another engineer Drew. Find the latest version here, check this doc through for potential changes.... https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

To your issue, can you please confirm that the devices authenticating are seeing radius-accounting data... check in AT and look for an Accounting TAB like the below. No accounting then enforcement policy will no fire.



------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 23, 2021 07:08 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

No need for RADIUS proxy, thats not a requirement, but CPPM need to see an accounting-start internally to trigger post-auth enforcement actions, so check your AT for accounting TAB on an authenticated user/device..

------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Apr 25, 2021 11:55 PM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Thank you Danny,


By the way it is described in the guide I thought that the REST API configuration is enough to send data.
I will try RADIUS accounting proxy and post the results.

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 01:51 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Igor,

A few things... firstly since the the last DOC from Arphit, I wrote an update as did another engineer Drew. Find the latest version here, check this doc through for potential changes.... https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

To your issue, can you please confirm that the devices authenticating are seeing radius-accounting data... check in AT and look for an Accounting TAB like the below. No accounting then enforcement policy will no fire.



------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 23, 2021 07:08 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

Yeah, there's no such tab. I guess something is wrong with the original enforcement policy then.

------------------------------
Igor Aliyev
------------------------------

Original Message:
Sent: Apr 26, 2021 12:45 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

No need for RADIUS proxy, thats not a requirement, but CPPM need to see an accounting-start internally to trigger post-auth enforcement actions, so check your AT for accounting TAB on an authenticated user/device..

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 25, 2021 11:55 PM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Thank you Danny,


By the way it is described in the guide I thought that the REST API configuration is enough to send data.
I will try RADIUS accounting proxy and post the results.

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 01:51 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Igor,

A few things... firstly since the the last DOC from Arphit, I wrote an update as did another engineer Drew. Find the latest version here, check this doc through for potential changes.... https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

To your issue, can you please confirm that the devices authenticating are seeing radius-accounting data... check in AT and look for an Accounting TAB like the below. No accounting then enforcement policy will no fire.



------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 23, 2021 07:08 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

Apparently, I have not configured accounting server group on our Aruba MC. When enabled everything starts working like a charm. Thank you very much for your insight!

------------------------------
Igor Aliyev
------------------------------

Original Message:
Sent: Apr 26, 2021 12:45 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

No need for RADIUS proxy, thats not a requirement, but CPPM need to see an accounting-start internally to trigger post-auth enforcement actions, so check your AT for accounting TAB on an authenticated user/device..

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 25, 2021 11:55 PM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Thank you Danny,


By the way it is described in the guide I thought that the REST API configuration is enough to send data.
I will try RADIUS accounting proxy and post the results.

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 01:51 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Igor,

A few things... firstly since the the last DOC from Arphit, I wrote an update as did another engineer Drew. Find the latest version here, check this doc through for potential changes.... https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

To your issue, can you please confirm that the devices authenticating are seeing radius-accounting data... check in AT and look for an Accounting TAB like the below. No accounting then enforcement policy will no fire.



------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 23, 2021 07:08 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------

NP - Glad it was an easy fix :)

------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Apr 27, 2021 03:23 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Apparently, I have not configured accounting server group on our Aruba MC. When enabled everything starts working like a charm. Thank you very much for your insight!

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 26, 2021 12:45 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

No need for RADIUS proxy, thats not a requirement, but CPPM need to see an accounting-start internally to trigger post-auth enforcement actions, so check your AT for accounting TAB on an authenticated user/device..

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 25, 2021 11:55 PM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Thank you Danny,


By the way it is described in the guide I thought that the REST API configuration is enough to send data.
I will try RADIUS accounting proxy and post the results.

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 01:51 PM
From: Danny Jump
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Igor,

A few things... firstly since the the last DOC from Arphit, I wrote an update as did another engineer Drew. Find the latest version here, check this doc through for potential changes.... https://support.hpe.com/hpesc/public/docDisplay?docId=a00101500en_us

To your issue, can you please confirm that the devices authenticating are seeing radius-accounting data... check in AT and look for an Accounting TAB like the below. No accounting then enforcement policy will no fire.



------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Apr 23, 2021 07:08 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

An interesting observation. We tried to force communication through Access Tracker Logs/Server Action.

When there are attributes declared in the context server action (like %{shared-secret}, %{timeout}) the result is the following:


When attributes are deleted and proper values are inserted directly into JSON notaion the result is the following:

Moreover, it actually communicates with Check Point appliance.
​

------------------------------
Igor Aliyev

Original Message:
Sent: Apr 23, 2021 03:41 AM
From: Igor Aliyev
Subject: Endpoint Context Server integration - CPPM doesn't send HTTP POSTs

Hello everyone,

Recently we have tried to integrate CPPM with our Check Point R80.30 appliance according to the official guide by Arpit Bhatt. However, CPPM doesn't send POST messages to the appliance according to packet capture and according to Policy Manager Service logs it doesn't even attempt to communicate with Check Point REST API.

Steps we did to configure integration on CPPM:

1. Created generic HTTP context server targeting Check Point gateway.


2. Created context server login/logout actions (just one of them is below). Provided them with shared-secret inside JSON content and link them to Check Point context server.

3. Created HTTP based enforcement profile with necessary attributes:

4. Linked this enforcement profile as action in our wireless enforcement policy.

Am I missing some steps? How can I debug this part?
Would be really grateful, if someone shares an advice.

------------------------------
Igor Aliyev
------------------------------