Security

last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass integration with Azure AD for 802.1x auth

This thread has been viewed 28 times
  • 1.  ClearPass integration with Azure AD for 802.1x auth

    Posted Oct 15, 2021 01:50 AM
    Hello All,

    I have gone through all Aruba documents and youtube video for ClearPass integration with Azure Ad but I don't find any user friendly information on this integration.

    I have 2 questions as below

    1) how do I add Azure ad as authentication and authorization source for 802.1x authentication. It's same as on premise AD or what ?  Most of documents talk about either intune integration or clearpass onboard to provide microsoft Azure certificate. We have client certificates already installed at end devices.

    2) I want to use Clearpass Onboarding, where ClearPass will act as CA so how do I use Auzure Active Directory as authentication Source. I heard that Azure AD do not allow username password authentication.  Can we add azure ad with source in onboard services same as on premise AD or any special configuration requires in onboard services ?


  • 2.  RE: ClearPass integration with Azure AD for 802.1x auth

    Posted Oct 19, 2021 10:29 AM
    Azure AD is different than on-premise AD, which can be queried through LDAP. There are basically 5 options that I'm aware of:
    1) Use single sign-on to let the client authenticate to your Azure AD (web based) and get authorization information from the grants. Doesn't work for EAP-TLS, but does work for Onboard or Guest scenarios
    2) If the device is enrolled in Intune, use the Intune extension to get the authorization info from Intune.
    3) Use Azure AD Sync to sync to a local on-premise AD, and integrate with LDAP to there.
    4) Deploy Azure AD Directory Services, which provides LDAP connectivity direct to the Azure cloud.
    5) Use authorization attributes from the used client certificate.

    On the Onboarding scenario, that is described in detail in the Onboard and Azure Active Directory (Configuration Guide: Onboard and Cloud Identity Providers), check latest version on arubanetworks.com/clearpassdocs

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass integration with Azure AD for 802.1x auth

    Posted Oct 26, 2021 05:27 AM
    Thanks Herman Robers.

    I have one more query as below

    My client is having BYOD requirement in such case can I use Azure AD as authentication source with clearpass onboarding , Clearpass will act as CA server and will provide clearpass certificate for BYOD devices.
    Is there any special configuration required for this or its same as on premise AD.


    ------------------------------



  • 4.  RE: ClearPass integration with Azure AD for 802.1x auth

    Posted Oct 26, 2021 05:41 AM
    Except from the use of SSO instead of local/on-prem authentication the Onboard deployment is very similar. I would even start with local/AD accounts for Onboard first, then once it works move to Azure AD as authentication method (and use the guide mentioned above for that).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------