We would like to configure an SSID that authenticates users using the captive portal in ClearPass and Azure AD SSO without the Onboard license. I was not able to find any documentation on how to do this, although in theory it is possible using a web login page in ClearPass, but apparently it is not recommended. Any idea? Many thanks
The idea is not to get the users enrolled: users connect to the SSID, ClearPass redirects the authentication to Azure AD SSO, which replies with a token basically saying "Yes" or "No"; then ClearPass will grant access and allocate the user to the proper VLAN. Talking with one of the Aruba presales engineers, apparently this is possible without the Onboard license using a WebLogin page in ClearPass, but I cannot find any documentation... so not sure. Many thanks
This is doable except for assigning different VLANs.
Unfortunately, when a device is connected to captive-portal-type wireless access, the device is not able to detect the VLAN change and thinks it is still on the original VLAN that was assigned when it landed on the captive portal role.
Best is to keep the same VLAN and then assign different user-roles to determine the type of access the user/device will get.
To do the SSO portion, you will need to configure an enterprise application in Azure to use SAML and define in ClearPass the application that will use SSO as well as the application authorization service.
Edit the SAML signing certificate, create a new certificate, and make sure to make it active.
Download the certificate (Base64), upload it to the ClearPass trust list, and then map it as the IdP Signing Certificate in the CPPM SSO config.
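Before uploading the Base64 certificate exported from the Azure enterprise application to the ClearPass trust list, it is worth confirming that the file is the active signing certificate and noting its fingerprint so it can be matched against the trust list entry. The script below is an added example, not from this thread or from Aruba/HPE; it uses a self-signed certificate as a constructed stand-in for the Azure one, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the Base64 (PEM) SAML signing certificate exported
# from the Azure enterprise application before it goes into the ClearPass trust
# list. Not part of the thread; paths and names are assumptions.

# check_idp_cert <pem-file>
# Returns 1 if the file is not a certificate, 2 if it expires within 30 days,
# 0 otherwise. Prints subject, validity window and SHA-256 fingerprint so the
# fingerprint can be compared with the entry shown in the ClearPass trust list.
check_idp_cert() {
    cert="$1"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "not a PEM certificate: $cert" >&2; return 1; }
    openssl x509 -in "$cert" -noout -subject -dates -fingerprint -sha256
    # 2592000 s = 30 days; an IdP certificate about to roll over is a common
    # reason for SSO at the captive portal to stop working without warning
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || {
        echo "certificate expires within 30 days, rotate it in Azure" >&2; return 2; }
}

# make_constructed_cert <days>
# Generates a self-signed stand-in for the Azure signing certificate
# (constructed sample only; the real one is downloaded from the Azure portal).
# Echoes the path of the PEM file.
make_constructed_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/idp.pem" -days "$1" -subj "/CN=constructed-azure-idp" \
        >/dev/null 2>&1
    echo "$dir/idp.pem"
}

# Usage (run with "demo"): a one-year certificate passes, one expiring tomorrow is flagged
if [ "${1:-}" = "demo" ]; then
    check_idp_cert "$(make_constructed_cert 365)"
    check_idp_cert "$(make_constructed_cert 1)" || echo "exit status $?"
fi
```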
Many thanks for your help, I will try that.
Victor, can you advise on the role mapping and enforcement policies configuration please?
This guide is for the Onboard process; we do not have a license to perform this, so we wanted to use the captive portal process using SSO.
Btw, you can accomplish the same using OAuth.
This is explained here https://whyfiplusplus.com/2020/09/27/clearpass-tiny-bite-7-clearpass-guest-social-login-with-azure-ad-part-1/
I will be writing part 2 shortly covering in detail the needed config from the Azure/ClearPass/Controller side. In brief, you need to define an App on Azure and use the client ID/secret as part of the social login providers in ClearPass Guest.
Thanks very much, this looks very interesting. Very much interested in the 2nd part you are writing. We basically want to set up corp users to use SSO via captive portal and permit access to the internet. This is similar to our current Guest setup, albeit they use the registration process to get access to the internet rather than SSO. The corp users can then launch their VPN to gain access to the Data Centre based applications.
You may also refer to the SAML Configuration Guide, especially the "ClearPass SP Configuration for Guest User Access" from page #13.
This guide was last updated in 2017, but will give you an idea of how Guest user SSO works when using ClearPass as SP.
You have to create two services in ClearPass:
You should be able to assign the users roles/policies during the radius auth.
Thanks very much for this post, this is very helpful and I will configure this and report the results.
I have configured the SAML setup via the document from page 13, but I am only seeing the application service in Access Tracker and not the RADIUS request. The flow we have is User >> SSID >> Captive portal >> WebLogin with pre-auth SSO. The vendor setting is set to Aruba Networks and the vendor IP address is set to point to the external DNS name of our ClearPass server. I'm not sure this is correct.
The vendor address should be of your Controller/WLC/Switch.
Are you using Aruba Controller/IAP?
If yes, then you may try the address as "securelogin.arubanetworks.com" if the controller/IAP is running with default certificate for captive portal server.
We use IAP but they are controlled by Aruba Central so each site has a virtual controller.