02-27-2015 10:02 AM
I want to set up CAC smartcard login for admin access to ClearPass. Has anyone gotten this working?
02-27-2015 10:07 AM
6.5 is quite new, right? Have any bugs reared their heads yet?
Certificate based management authentication is available starting in CP 6.5.
03-06-2015 11:32 AM
We're getting approval to upgrade to 6.5. Is there a guide about doing it, or some other resource that might be helpful?
03-06-2015 12:12 PM
I don't think there is a deployment guide specifically for that quite yet, but there is some information in the 6.5 User Guide. It may be best to reach out to your Aruba or partner team.
03-08-2015 03:03 PM
Requires 4 steps:
- Create a Web Login page enabled as SAML IdP
-- Set Vendor Settings to "Single Sign-On - SAML Identity Provider"
-- Set Client Certificate to "Required - require a client certificate from the user"
-- Set Authentication to "Certificate Only - no username or password required"
- Run the Certificate/Two-Factor Authentication for ClearPass Application Login service template to create the appropriate services
-- Select the Applications for which you want to enable certificate authentication
-- Select the Authentication Source (though this won't be used if you're only using certificates)
-- Select the IdP page you created above
-- Specify the enforcement details (essentially you're mapping certificate attributes to operator privileges). You can tweak these later by editing the appropriate Enforcement Profile
- In Configuration > Identity > Single Sign-On (SSO)
-- Set the IdP URL to your Web Login page (e.g. https://<CPPM>/guest/idp.php)
-- Ensure SSO is enabled for the applications you want
- Add the root/issuer of your client certificates to Administration > Certificates > Trust List
I would suggest just enabling SSO for Insight as a starting point. You can then test by browsing to https://<CPPM>/insight. This prevents locking yourself out of the Policy Manager or Guest until you have the workflow down. If you've done everything correctly, when you hit the Insight page, you'll be redirected to the Web Login page which will prompt for a client certificate. Select your client cert and submit. The client cert should be accepted as your credential and you should be logged into Insight.
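A local check for the last step above (adding the root/issuer to the Trust List), added here as an example and not part of rfiler's post or of ClearPass itself. It generates a throw-away issuing CA and a client certificate shaped like a smartcard logon certificate, then uses `openssl verify` to confirm the client certificate chains to that issuer and does not chain to an unrelated one. Everything it needs is created on the fly with the `openssl` CLI (assumed to be installed); the CA name, subject and UPN value are constructed test data, not real CAC values.

```shell
#!/bin/sh
# Added example (not from the thread or from ClearPass): before putting an issuer into
# Administration > Certificates > Trust List, confirm locally that the certificate on your
# card actually chains to that issuer. Everything below is generated on the fly with openssl;
# the issuer name, subject and UPN are constructed test values, not real CAC data.
set -e

WORK=$(mktemp -d)

# Minimal openssl config so the example does not depend on the system openssl.cnf.
# The dn section is only a placeholder; -subj overrides it on every call.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throw-away CA standing in for the CA that issued the card certificate (constructed).
make_ca() {
  # $1 = output base name, $2 = CN
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Client certificate signed by the named CA, shaped like a smartcard logon certificate:
# clientAuth EKU plus a UPN in the SAN (the kind of attribute mapped to operator privileges).
make_client_cert() {
  # $1 = CA base name
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:1234567890@example.test
EOF
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=EXAMPLE.USER.1234567890" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Does the client certificate chain to the given trust anchor? Echoes OK or FAIL.
chain_check() {
  # $1 = CA file to treat as the Trust List entry, $2 = client certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Subject, issuer and SAN of a certificate: what to compare against the Trust List entry
# and against the certificate attributes referenced in the Enforcement Profile.
show_identity() {
  openssl x509 -in "$1" -noout -subject -issuer -ext subjectAltName
}

make_ca issuer "Example Issuing CA"
make_ca unrelated "Some Other CA"
make_client_cert issuer

show_identity "$WORK/client.pem"
echo "against the issuer that signed it: $(chain_check "$WORK/issuer.pem" "$WORK/client.pem")"
echo "against an unrelated root:         $(chain_check "$WORK/unrelated.pem" "$WORK/client.pem")"
```

Run it as-is to see the OK/FAIL pair on the generated certificates; to check a real card, export the certificate from the card (PEM) and the issuer you intend to trust, and call `chain_check issuer.pem card.pem` with those files. A FAIL here means the Trust List entry is the wrong CA (often an intermediate is missing), which shows up in the browser as a rejected client certificate rather than as a ClearPass error.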
04-08-2015 01:30 PM
I used rfiler's very excellent instructions. I'm now getting prompted for a certificate and get to select it and enter my PIN. After that, I get redirected to https://<the server name of the device>/networkservices/saml2/sp/acs (I got to it by the IP address originally) and Internet Explorer's "cannot display the webpage" screen.
Did my brain block out a chunk of the instructions and I just forgot to do something?
04-27-2015 07:07 AM
If you are still stuck, did you try with other browsers? Other versions of IE?
You might try with something other than certificate first and then move there.
04-29-2015 07:37 AM - edited 04-29-2015 07:40 AM
It doesn't work at all in Firefox. It goes straight to "You must provide a valid certificate". That could be a configuration that is forced on us by GP, but it will never change. Chrome can't be installed here, and we are locked in to our IE version (9).
I've gotten around the redirect issue by making a hosts entry on my PC. Now after I get prompted for the certificate I get "HTTP Status 403 - RelayState missing/invalid" and "Access to the specified resource has been forbidden". However, if I close that window and go back in, it takes me straight in. It doesn't even prompt for a PIN, which is a problem, but I'm cautiously optimistic.