Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Clear Pass and Azure AD SSO without onboard license

This thread has been viewed 50 times

  • 1.  Clear Pass and Azure AD SSO without onboard license

    Posted Oct 15, 2020 05:09 AM

    Hello,

     

    We would like to configure a SSID that authenticates users using the captive portal in Clear Pass and Azure AD SSO without the onboard license. I was not able to find any documentation of how to do this, although in theory is possible using web login page in Clear Pass but apparently is not recommended. Any idea? Many Thanks



  • 2.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 15, 2020 09:29 AM
    Can you please provide more details of the workflow to get the users enrolled ?

    Sent from Mail for Windows 10


  • 3.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 15, 2020 09:54 AM

    Hello,

     

    The idea is to don't get the users enrolled, users connect to the ssid, clear pass redirects the authentication to Azure AD SSO and it will reply with a token basically saying "Yes" or "No" , then clear pass will grant access and allocate the user in the proper vlan. Talking with one of the Aruba presales Engineers apparently this is possible without the onboard license using a weblogin page in Clear pass, but i cannot find any documentation....so not sure. Many thanks



  • 4.  RE: Clear Pass and Azure AD SSO without onboard license
    Best Answer

    Posted Oct 15, 2020 10:38 AM

    This is doable except for assigning different VLANs.

     

    Unfortunately when a device is connected to a captive portal type wireless access , the device is not able to detect the VLAN change and think it still on the original VLAN that was assigned when it landed on the captive portal role.

     

    Best is to keep the same VLAN and then assign different user-roles to determine the type of access the user/device will get.

     

    To do the SSO portion, you will need to configure an enterprise application in Azure to use SAML and define in ClearPass the application that will use SSO as well as the application authorization service.

     

    Edit the SAML signing certificate and create a new certificate and make sure to make it active 

    2020-10-15 10_24_03-Window.png

    Download the certificate (Base64) and upload it to the ClearPass trust list and then map it out as the IdP Signing Certificate in the CPPM SSO config

    2020-10-15 10_15_35-Window.png

    2020-10-15 10_21_38-Window.png



  • 5.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 15, 2020 11:19 AM

    Hello Victor,

     

    Many thanks for your help, i will try that.

     

    Regards,

    Santiago



  • 6.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 15, 2020 01:11 PM

    Victor, can you advise on the role mapping and enforcement policies configuration please?



  • 7.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 15, 2020 01:52 PM
    Please follow the guide created by Cappalli :

    https://community.arubanetworks.com/t5/Security/ClearPass-Configuration-Guide-Onboard-Cloud-Identity-Providers/td-p/301657



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 8.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 16, 2020 04:18 AM

    Victor

     

    This guide is for onboard process, we do not have a license to perform this so wanted to use the captive portal process using SSO.



  • 9.  RE: Clear Pass and Azure AD SSO without onboard license
    Best Answer

    EMPLOYEE
    Posted Oct 16, 2020 06:01 AM

    Hi,

     

    Btw, you can accomplish the same using OAUTH.

     

    This is explained here https://whyfiplusplus.com/2020/09/27/clearpass-tiny-bite-7-clearpass-guest-social-login-with-azure-ad-part-1/

     

    I will be writing part 2 shortly covering in details the needed config from Azure /ClearPass/Controller side.. In brief, you need to define an App on Azure and use the client ID/secret part of the social login providers in ClearPass Guest..



  • 10.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 16, 2020 06:21 AM

    Ayman

     

    Thanks very much, this looks very interesting. Very much interested in the 2nd part you are writing. We basically want to setup corp users to use SSO via captive portal and permit access to the internet. This is similar to our current Guest setup albeit they use the registration process to get access to the internet rather than SSO. The corp users can then launch their VPN to gain access to the Data Centre based applications.



  • 11.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 16, 2020 09:30 AM
    In the guide you can use the OAuth 2.0 to configure web auth against AAD and define the role mapping

    The guide is meant for Onboarding but you can use some of it the settings for the web login workflow

    Sent from Mail for Windows 10


  • 12.  RE: Clear Pass and Azure AD SSO without onboard license

    EMPLOYEE
    Posted Oct 16, 2020 04:04 PM

    Hi,

     

    You may also refer the SAML Configuration Guide, especially the "ClearPass SP Configuration for Guest User Access" from page #13.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33305

     

    This guide was last  updated in 2017, but will give you an idea of how Guest user SSO works when using ClearPass as SP.

    You  have to Create two services in ClearPass:

    • one for processing auth response from AAD
    • another one for regular L3 radius authentication, with the Auth Method as SSO

    You should be able to assign the users roles/policies during the radius auth.



  • 13.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 19, 2020 04:51 AM

    Hi Saravanan

     

    Thanks very much for this post, this is very helpful and i will configure this and report the results.



  • 14.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 26, 2020 05:10 AM

    Saravanan

     

    I have configured the saml setup via the document from page 13 but i am only seeing the application service in access tracker and not the radius request. The flow we have is User >> SSID >> Captive portal >> WebLogin with pre auth SSO. The vendor settings is set for Aruba Networks and the vendor ip address is set to point to the external DNS name of our clearpass server. I m not sure this is correct.

     

    Thanks



  • 15.  RE: Clear Pass and Azure AD SSO without onboard license

    EMPLOYEE
    Posted Oct 26, 2020 12:38 PM

    The vendor address should be of your Controller/WLC/Switch.

    Are you using Aruba Controller/IAP?

    If yes, then you may try the address as "securelogin.arubanetworks.com" if the controller/IAP is running with default certificate for captive portal server.

     



  • 16.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Oct 26, 2020 12:45 PM

    We use IAP but they are controlled by Aruba Central so each site has a virtual controller.



  • 17.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Apr 29, 2022 12:50 PM
    Hi Victor.
    In the web login page on clearpass needs some configuration?, how does the page take the cloud identity redirection?

    ------------------------------
    Alejandro Meza
    ------------------------------

    Original Message


  • 18.  RE: Clear Pass and Azure AD SSO without onboard license

    Posted Jun 27, 2022 11:35 PM
    Victor - I tried following your suggestions.  I had no trouble with the AzureAd Enterprise App creation, the uploading of the manifest, the creation of the certificate, the uploading of the certificate, etc.

    Where I ran into trouble in Clearpass 6.10 was creating the Azure-SSO-Auth-Service, and the implied Azure-SSO-Auth-Role-Mapping, as well as the Azure-SSO-Auth-Policy. I also did not see any single sign on option on the ClearPass Guest authentication page after enabling the SP with the Microsoft Enterprise App Details. Would you be willing to illustrate this section in greater depth?

    There is an imperative for your solution - versus the OAuth 2.0 solution (which does work).  The imperative has to do with the fact that Conditional Access Policies which are tied in to the compliance of the device are not possible with Oauth 2.0, since, to AzureAD, the authentication request is coming from the ClearPass server, and not the user's computer. Therefore, while I can authenticate users, I cannot confirm that the computer they are using to connect to my secure network is compliant with policy.

    FWIW, I deal with the VLAN questions by standing up two separate SSIDs, one with the VLAN in question connected directly, and one with a different VLAN. Then I restrict access based on department in AzureAD.

    Please and thank you!
    Original Message