New Contributor

Connect Clear Pass Policy Manager with Azure AD/Office 365

Hi all,

We've set up the ClearPass Policy Manager to control access to our WLAN networks via WPA2 Enterprise and RADIUS. So far it is working fine with local users.

Now we want to set up a connection to Office 365 because there we have all users that should be able to connect to the WLANs. Setting up local users on the ClearPass manually would become superfluous.


The first idea we had was to set up a secure LDAP service as described here:

Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain

The integration under "Authentication --> Sources" was successful and we were able to browse through the directory and set up filters:

[attachment: clearpass1.PNG]

With the second filter we control if the user is in the right group (users that are allowed to connect to the WLAN are assigned to a special group in Azure AD).

After that we've updated the role mapping:

[attachment: clearpass2.PNG]

("Gruppenname" stands for "group name")


... and the enforcement policy:

[attachment: clearpass3.PNG]

Now we've tried to log in via the Office 365 credentials, but they are rejected every time. The log shows the following errors:

[attachment: clearpass4.PNG]

[attachment: clearpass5.PNG]


Is there a mistake in our configuration? Or isn't it possible to adopt Azure AD via LDAP at all?

Connecting directly to AD isn't an option because we don't have a local server that is syncing with Azure AD. Also, the integration of a social login does not look suitable for our needs. Do you have some other ideas?

Thanks a lot!
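As an added example (not code from the thread or from ClearPass itself), the snippet below shows how the kind of authorization filter described in the post, "user exists AND is a member of the WLAN group", is built against an LDAP/LDAPS source and evaluated. The group DN, account names and the tiny filter parser are constructed for illustration; the filter shape follows the common Active Directory pattern of matching sAMAccountName and memberOf. The point worth seeing is the RFC 4515 escaping: the username that ClearPass substitutes into the filter comes from the supplicant, so it has to be escaped or a value like `alice)(objectClass=*` would change what the filter matches.

```python
"""Building and evaluating an LDAP group-membership authorization filter.

Added example; sample directory data and group DN are constructed, not real.
"""
import re

# RFC 4515 escaping for values placed inside a search filter.  Without this a
# username containing ')' or '*' would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(username: str, group_dn: str) -> str:
    """Authorization filter: the account must exist AND be in the WLAN group."""
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={ldap_escape(username)})"
        f"(memberOf={ldap_escape(group_dn)}))"
    )


def _unescape(raw: str) -> str:
    """Turn \\xx hex escapes back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_test(raw: str):
    """Build a predicate for an assertion value; an unescaped '*' is a wildcard."""
    parts = [_unescape(p) for p in re.split(r"(?<!\\)\*", raw)]
    if len(parts) == 1:  # no wildcard: exact, case-insensitive match (AD style)
        return lambda v: v.lower() == parts[0].lower()
    pattern = ".*".join(re.escape(p) for p in parts)
    return lambda v: re.fullmatch(pattern, v, re.IGNORECASE) is not None


def parse_filter(text: str):
    """Tiny recursive-descent parser for '(&...)', '(|...)' and '(attr=value)'."""

    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            return (op, children), i + 1
        eq = text.index("=", i)
        close = text.index(")", eq)  # safe: a literal ')' in a value is escaped as \29
        return ("=", text[i:eq].lower(), _value_test(text[eq + 1:close])), close + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "=":
        _, attr, test = node
        return any(test(v) for v in entry.get(attr, []))
    op, children = node
    results = [matches(c, entry) for c in children]
    return all(results) if op == "&" else any(results)


# Constructed sample directory (NOT real data).  Attribute names are lower-cased
# so lookups are case-insensitive, as they are in LDAP.
WLAN_GROUP_DN = "CN=WLAN-Users,OU=AADDC Users,DC=example,DC=com"
DIRECTORY = [
    {"objectclass": ["user"], "samaccountname": ["alice"], "memberof": [WLAN_GROUP_DN]},
    {"objectclass": ["user"], "samaccountname": ["bob"],
     "memberof": ["CN=Printer-Admins,OU=AADDC Users,DC=example,DC=com"]},
]


def search(filter_text: str) -> list:
    """Return the sAMAccountName of every entry matching the filter."""
    node = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in DIRECTORY if matches(node, e)]


def authorize(username: str) -> bool:
    """True only if exactly one account matches: it exists and is in the WLAN group."""
    return len(search(build_group_filter(username, WLAN_GROUP_DN))) == 1


if __name__ == "__main__":
    for name in ("alice", "bob", "*", "alice)(objectClass=*"):
        print(f"{name!r}: {'allowed' if authorize(name) else 'rejected'}")
```

`authorize("alice")` succeeds, `authorize("bob")` fails on the memberOf clause, and the two crafted usernames are rejected because escaping makes them literal values rather than filter syntax. Note that this only covers the authorization lookup; as the reply below explains, it says nothing about whether the directory can validate a PEAP password, which is the part that failed in the post.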

Guru Elite

Re: Connect Clear Pass Policy Manager with Azure AD/Office 365

Couple of comments here.


Azure Active Directory Domain Services is NOT designed for what you're trying to do. It is designed to extend LEGACY authentication support to other services that live in Azure (e.g. servers and applications).


The legacy EAP method, PEAP, is effectively dead when you move to a cloud identity provider as it requires credentials stored in a legacy format. We released a document last month that covers this. You can use SAML or OAuth 2.0 against Azure Active Directory to authenticate users prior to Onboard certificate issuance.


http://community.arubanetworks.com/t5/Security/ClearPass-Configuration-Guide-Onboard-Cloud-Identity-Providers/m-p/301657

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Connect Clear Pass Policy Manager with Azure AD/Office 365

Thanks a lot for the fast response!

It helped me rethink my idea. The document is really helpful and easy to understand. I will test these approaches.

So all in all it is technically necessary to set up a captive portal that links to cloud identity providers such as Azure AD. There is no option to use the built-in authentication methods of the operating systems (so that the fields for username and password pop up when connecting to the network, for me the most end-user-friendly way compared to captive portals...), because that would require PEAP. Am I right?

Guru Elite

Re: Connect Clear Pass Policy Manager with Azure AD/Office 365

Correct, but the captive portal is just for the initial certificate enrollment. That process installs the certificate that is used by the native OS supplicant for EAP-TLS. It's actually a very user friendly process.

While it may sound like a bad thing, it's actually very good. Traditional username/password authentication on an unmanaged device is incredibly insecure.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Connect Clear Pass Policy Manager with Azure AD/Office 365

You're right - it sounds like a user-friendly and very secure process.

So thanks a lot for your help! That brought light into the darkness and looks like a great option to integrate Azure AD!
