This is a ClearPass authorization source for leveraging GeoIP data from ipstack in policy.
2018.01 (2018-05-03)
- 2018.01 (2018-05-03) Initial Release. Tested with ClearPass 6.7.3
- ClearPass 6.7.0+
- ipstack account
- Download the ipstack authorization source > clearpass-exchange_ipstack_http-authz.xml
- Log in to the ClearPass admin UI, navigate to Configuration > Authentication > Sources, and then click Import
- Browse to find the downloaded file and then click Import
- In the list of Authentication Sources, click ipstack GeoIP
- Switch to the Attributes tab and click the geo-info filter
- In the Filter Query box, enter the API key from your ipstack account after the equals sign (e.g. %{Connection:Client-IP-Address}?access_key=fa8298asd9c9023098sdf90ds832)
- Click Save and then Save again to finish
This can now be defined as an additional authorization source and the returned data can be used in role mapping and/or enforcement policies!
The default authorization source uses the %{Connection:Client-IP-Address} variable for the source IP address in the query URL. This is commonly used for TACACS+ workflows.
This variable can be changed based on the desired workflow. In the Access Tracker request, locate the attribute containing the public IP address. Often this will be either Radius:IETF:Framed-IP-Address or Radius:IETF:Calling-Station-Id.
By default, the following fields are pulled in as attributes, meaning they are retrieved regardless of whether they are used in policy.
- continent_name
- continent_code
- country_code
- country_name
- region_code
- region_name
- city
If any of these attributes are not required in policy, consider either removing them from the authentication source or unchecking the Enabled As: Attribute checkbox.
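The following Python sketch is an added example, not part of the original authorization source. It checks offline whether a candidate attribute value is a public IP address, builds the Filter Query suffix shown above, and maps a response body to the seven default attributes. The base URL, the function names and both sample response bodies are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import quote

# Assumed base URL; the page shows only the Filter Query suffix.
BASE_URL = "https://api.ipstack.com/"

# The seven fields the source maps to attributes by default (from the page).
ATTRIBUTES = ("continent_name", "continent_code", "country_code",
              "country_name", "region_code", "region_name", "city")

# Constructed sample bodies, not captured from a real account.
SAMPLE_OK = json.dumps({
    "ip": "8.8.8.8", "continent_code": "NA", "continent_name": "North America",
    "country_code": "US", "country_name": "United States",
    "region_code": "CA", "region_name": "California",
    "city": "Mountain View", "zip": "94043"})
SAMPLE_ERR = json.dumps({
    "success": False,
    "error": {"code": 101, "type": "invalid_access_key", "info": "constructed"}})


def usable_ip(value):
    """Return the normalized address if value is a public IP, else None."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None  # e.g. a MAC address carried in Calling-Station-Id
    # Private, loopback and link-local addresses carry no useful geo data.
    return str(addr) if addr.is_global else None


def filter_query(ip, access_key):
    """Mirror the Filter Query: <ip>?access_key=<key>."""
    return f"{ip}?access_key={quote(access_key, safe='')}"


def extract_attributes(body):
    """Map a response body to the default attributes; raise on an API error."""
    data = json.loads(body)
    if data.get("success") is False:
        err = data.get("error", {})
        # An error body has no geo fields, so policy would see no attributes.
        raise ValueError(f"ipstack error {err.get('code')}: {err.get('type')}")
    return {name: data.get(name) for name in ATTRIBUTES}


if __name__ == "__main__":
    ip = usable_ip("8.8.8.8")
    print(BASE_URL + filter_query(ip, "YOUR_ACCESS_KEY"))
    print(extract_attributes(SAMPLE_OK))
```

Because an error response or a non-public address yields no geo attributes, role mapping rules that depend on country_code should define what happens when the attribute is absent.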
Copyright (c) Hewlett Packard Enterprise Development LP. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License").
Author: @timcappalli, Aruba Security Group
Organization: Aruba, a Hewlett Packard Enterprise company