Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Connect Clear Pass Policy Manager with Azure AD/Office 365

  • 1.  Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Aug 16, 2017 09:40 AM

    Hi all,

    we've set up the ClearPass Policy Manager to control access to our WLAN networks via WPA2 Enterprise and RADIUS. So far it is working fine with local users.

    Now we want to set up a connection to Office 365 because there we have all users that should be able to connect to the WLANs. Setting up local users on the ClearPass manually would become superfluous.


    The first idea we've had was to set up secure LDAP service as described here:

    Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain

    The integration under "Authentication --> Sources" was successful and we were able to browse through the directory and set up filters:


    clearpass1.PNG

    With the second filter we control if the user is in the right group (users that are allowed to connect to the WLAN are assigned to a special group in Azure AD).

    After that we've updated the role mapping:

    clearpass2.PNG

    ("Gruppenname" stands for "group name")


    ... and the enforcement policy:

    clearpass3.PNG

    Now we've tried to log in via the Office 365 credentials, but they are rejected every time. The log shows the following errors:

    clearpass4.PNG

    clearpass5.PNG


    Is there a mistake in our configuration? Or isn't it possible to adopt Azure AD via LDAP at all?

    Connecting directly to AD isn't an option because we don't have a local server that is syncing with Azure AD. Also, the integration of a social login does not look suitable for our needs. Do you have some other ideas?


    Thanks a lot!



  • 2.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365
    Best Answer

    EMPLOYEE
    Posted Aug 16, 2017 09:57 AM

    Couple of comments here.


    Azure Active Directory Domain Services is NOT designed for what you're trying to do. It is designed to extend LEGACY authentication support to other services that live in Azure (eg. servers and applications).


    The legacy EAP method, PEAP, is effectively dead when you move to a cloud identity provider as it requires credentials stored in a legacy format. We released a document last month that covers this. You can use SAML or OAuth 2.0 against Azure Active Directory to authenticate users prior to Onboard certificate issuance.


    http://community.arubanetworks.com/t5/Security/ClearPass-Configuration-Guide-Onboard-Cloud-Identity-Providers/m-p/301657




  • 3.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Aug 20, 2017 10:14 AM

    Thanks a lot for the fast response!

    It helped me rethink my idea. The document is really helpful and easy to understand. I will test these approaches.

    So all in all it is technically necessary to set up a captive portal that links to cloud identity providers such as Azure AD. There is no option to use the built-in authentication methods of the operating systems (so that the fields for username and password pop up when connecting to the network, for me the most end-user-friendly way compared to captive portals...), because that would require PEAP. Am I right?



  • 4.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    EMPLOYEE
    Posted Aug 20, 2017 10:19 AM
    Correct, but the captive portal is just for the initial certificate enrollment. That process installs the certificate that is used by the native OS supplicant for EAP-TLS. It's actually a very user friendly process.

    While it may sound like a bad thing, it's actually very good. Traditional username/password authentication on an unmanaged device is incredibly insecure.



    TIM CAPPALLI

    Aruba Security


  • 5.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Aug 20, 2017 10:41 AM

    You're right - it sounds like a user-friendly and very secure process.

    So thanks a lot for your help! That brought light into the darkness and looks like a great option to integrate Azure AD!



  • 6.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Sep 26, 2019 03:28 PM
    Do you have an updated guide?


  • 7.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    EMPLOYEE
    Posted Sep 26, 2019 09:23 PM

    This portal has all the required documentation and is always maintained and kept up to date.


    https://arubanetworks.com/clearpassdocs



  • 8.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Apr 12, 2021 09:11 AM
    Does this mean that I need to use onboarding in order to authenticate against an Azure AD? I've read some posts about this topic as more and more companies seem to move their AD to Azure, but I couldn't find any guide on how to configure EAP-TLS with Azure AD without onboarding the devices.

    Any help appreciated.

    Greetings
    Bernd

    ------------------------------
    Bernd Borowski
    ------------------------------



  • 9.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    EMPLOYEE
    Posted Apr 12, 2021 09:29 AM
    This is an old thread. Please open a new one the next time.

    Check these videos on an example of how to deploy EAP-TLS with Azure (and Intune).

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 10.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Apr 13, 2021 02:25 AM

    Thanks for your advice. Sadly your answer is not very helpful, since I asked for a solution without onboarding the devices. (I guess you can say that with Intune one also needs to onboard the devices...)

    Greetings



    ------------------------------
    Bernd Borowski
    ------------------------------



  • 11.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    EMPLOYEE
    Posted Apr 13, 2021 03:12 AM
    With such constraints, it may be best to work with your Aruba partner or Aruba SE and discuss the possibilities. As mentioned, Azure AD does not allow legacy authentication like PEAP-MSCHAPv2, and EAP-TLS is the only secure option. Captive portal may be another option, but the best is to interactively design and see if you can find something that fits your requirements.

    ------------------------------
    Herman Robers
    ------------------------------



  • 12.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    Posted Apr 13, 2021 03:17 AM
    I'm in contact with my Aruba SE about this case since today, thanks for your support and replies.

    Greetings

    ------------------------------
    Bernd Borowski
    ------------------------------



  • 13.  RE: Connect Clear Pass Policy Manager with Azure AD/Office 365

    MVP EXPERT
    Posted Apr 12, 2021 10:51 AM
    Just to clarify, certificate-based authentication is required for cloud identity providers as legacy authentication methods can no longer be used.

    CPPM Onboard is one method for enrolling devices with certificates and is designed for unmanaged devices. Managed devices should be configured to enroll automatically as part of MDM enrollment.

    ------------------------------
    Tim C
    ------------------------------
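Added example (not from this thread, and not code from Aruba/HPE or ClearPass): a small Go model of the EAP-TLS authorization step that replies 4, 11 and 13 describe. Once enrollment has installed a certificate on the device, the RADIUS server never sees a password; it checks that the presented client certificate chains to the CA it trusts, is currently valid and is a client-authentication certificate, and only then reads the user identity out of it and maps that identity to a role through a group lookup. Everything here is constructed for the example: the self-signed "Example Onboard CA" stands in for the onboarding CA, the user's UPN is carried as an email-style SAN, the group table stands in for the Azure AD group membership check, and the group name "WLAN-Users" and the role names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role and group names are constructed for this example.
const (
	RoleDeny     = "[Deny Access]"
	RoleWLANUser = "WLAN-User"
	wlanGroup    = "WLAN-Users" // hypothetical directory group allowed onto the WLAN
)

// issueCA builds a self-signed CA standing in for the onboarding CA that the
// RADIUS server trusts. Constructed for this example, not a real ClearPass CA.
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Onboard CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustStore returns the pool of CAs the RADIUS server accepts for EAP-TLS.
func trustStore(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// issueClientCert issues the per-user client certificate that enrollment
// installs on the device. The identity (UPN) goes into the SAN as an
// email-style name; no password material is involved anywhere.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, upn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: upn},
		EmailAddresses: []string{upn},
		NotBefore:      notBefore,
		NotAfter:       notAfter,
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorize models the server-side EAP-TLS decision: the leaf must chain to a
// trusted CA, be valid now and be a client-auth certificate; only then is the
// identity read from it and mapped to a role via the group lookup, which
// stands in for the directory group membership check.
func authorize(leaf *x509.Certificate, trusted *x509.CertPool, groups map[string][]string) string {
	opts := x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return RoleDeny // untrusted issuer, expired, or wrong key usage
	}
	if len(leaf.EmailAddresses) == 0 {
		return RoleDeny // no identity to authorize
	}
	upn := leaf.EmailAddresses[0]
	for _, g := range groups[upn] {
		if g == wlanGroup {
			return RoleWLANUser
		}
	}
	return RoleDeny // authenticated, but not in the allowed group
}

func main() {
	ca, caKey, err := issueCA()
	if err != nil {
		panic(err)
	}
	pool := trustStore(ca)
	// Constructed directory: which user is in which group.
	groups := map[string][]string{
		"alice@example.com": {wlanGroup},
		"bob@example.com":   {"Guests"},
	}
	now := time.Now()
	alice, _ := issueClientCert(ca, caKey, "alice@example.com", now.Add(-time.Minute), now.Add(time.Hour))
	bob, _ := issueClientCert(ca, caKey, "bob@example.com", now.Add(-time.Minute), now.Add(time.Hour))
	fmt.Println("alice:", authorize(alice, pool, groups)) // WLAN-User
	fmt.Println("bob:  ", authorize(bob, pool, groups))   // [Deny Access]
}
```

The chain check and the group check are deliberately separate steps: a certificate from an unknown CA, an expired certificate, or one without client-auth usage is rejected before any identity is looked up, and a valid certificate for a user outside the allowed group still ends in the deny role, which mirrors the role-mapping and enforcement split in the original poster's ClearPass configuration.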