Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

  • 1.  ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    Posted Jul 06, 2021 10:11 AM
    Hi AirHeads,

    I just started a small PoC with ClearPass at one of my clients. He would like to put 802.1X in front of his employee DB, which lives behind G-Suite (Google Services).

    I followed the guides to create G-Suite as an auth source, and I can even browse the group/user/tree from the CPPM.
    Screenshot: (image not reproduced)

    But when I tried to create 802.1X (U/P) networks based on that auth source, user auth keeps failing. (Even though the user is not failing against the G-Suite auth itself.)

    A. Should it work? (And if yes, is there any doc about it?)
    B. Is SAML/OAuth2 with CP Onboard possible?
    C. Any tip regarding this way of connecting G-Suite to CPPM in order to auth 802.1X in front of it would be lovely. Again, if it's possible at all.

    Thanks.

    Me

    ------------------------------
    (*) If I helped you, please give me kudos as a thank you (*)

    Aruba AirHeads - Because mobility matters.
    ------------------------------


  • 2.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    MVP EXPERT
    Posted Jul 06, 2021 10:27 AM
    EAP-TLS is required for cloud identity providers. The Google Secure LDAP extension is supported for authorization only.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    Posted Jul 06, 2021 11:06 AM
    Thanks for the fast response.
    So should the cert come from Google or from the CPPM itself?




  • 4.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    MVP EXPERT
    Posted Jul 06, 2021 11:11 AM
    For managed devices, it should come via the EMM. For unmanaged devices, users can enroll using CPPM Onboard or another solution.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    Posted Jul 07, 2021 07:34 PM
    It is possible with onboarding. You can't use Google Secure LDAP for direct 802.1X, but you can use it as the authentication source for the onboarding process and then use EAP-TLS (ClearPass as CA) with Google Secure LDAP for authorisation.

    ------------------------------
    Asela Abhayapala
    ------------------------------



  • 6.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    Posted Jul 13, 2021 04:48 AM
    Short update regarding the PoC I'm demonstrating. Based on the info @Asela and @timms sent me in the previous replies, I was able to connect users and verify and authenticate their account on Google via CPPM Onboard (then they got a cert + profile), and I created the Onboard process on iOS and PC. But when the profile is being pushed to the client device (Mac to Windows) I'm getting strange errors:

    Can anyone please advise what might be the cause of such errors, and how to overcome them? It's the last stage before I finish the PoC and the client gets the CPPM as an added value for his current Aruba deployment.

    Thanks in advance to whoever might assist me with some tips / guide / walkthrough to solve these errors.


    BTW: Attached is the error log of a Windows (PC) user:

    Client Log
    ==========
    2021-07-08 14:15:16,508 [main] DEBUG Quick1X.QuickConnectDlg - Starting configuration.
    2021-07-08 14:15:16,508 [main] DEBUG changelog - Starting configuration for secure network connections.
    2021-07-08 14:15:16,508 [main] DEBUG Quick1X.Util - Attempting operating system detection.
    2021-07-08 14:15:16,508 [main] DEBUG Quick1X.Util - running Windows Enterprise Version
    2021-07-08 14:15:16,509 [main] DEBUG Quick1X.Util - Detected operating system higher than Windows XP
    2021-07-08 14:15:16,509 [main] DEBUG Quick1X.WlanApi - Initializing wlan api.
    2021-07-08 14:15:16,509 [main] DEBUG Quick1X.Config - Initing configuration.
    2021-07-08 14:15:16,509 [main] DEBUG Quick1X.Config - QuickConnect Mode isonboard
    2021-07-08 14:15:17,229 [main] DEBUG Quick1X.QuickConnectDlg - Calling javascript method : updateWorkingDirectory
    2021-07-08 14:15:19,730 [main] DEBUG Quick1X.QuickConnectDlg - Calling javascript method : updateQcMode
    2021-07-08 14:15:19,756 [main] DEBUG Quick1X.QuickConnectDlg - Processing configure
    2021-07-08 14:15:19,757 [null] DEBUG Quick1X.QuickConnectDlg - Processsing configure task
    2021-07-08 14:15:19,757 [null] DEBUG Quick1X.QuickConnectDlg - Fetching the configuration and certificate from the Onboard Server
    2021-07-08 14:15:19,757 [null] DEBUG Quick1X.QuickConnectDlg - Initing device info
    2021-07-08 14:15:19,757 [null] DEBUG Quick1X.DeviceInfo - Starting interface detection
    2021-07-08 14:15:19,757 [null] DEBUG Quick1X.Util - Running config task as logged in user
    2021-07-08 14:15:19,911 [null] DEBUG Quick1X.Util - Exit code from execed process 0
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Intel(R) Ethernet Connection (4) I219-LM
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Interface Type     :6
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Interface state    :2
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Intel(R) Ethernet Connection (4) I219-LM
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Trying to filter (Unicode) :Intel(R) Ethernet Connection (4) I219-LM
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Adapter GUID:75989E59-A656-40D4-A04C-4C226B8137C8
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Description: Intel(R) Ethernet Connection (4) I219-LM
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - Name: Ethernet
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - State: DISCONNECTED
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - DHCP : Enabled
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - DNS Registration: Enabled
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - DNS by DHCP: Enabled
    2021-07-08 14:15:19,924 [null] DEBUG Quick1X.DeviceInfo - MAC Address: C8:F7:50:10:8D:97
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface type : Wired
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Microsoft Wi-Fi Direct Virtual Adapter
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface Type     :71
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface state    :2
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Microsoft Wi-Fi Direct Virtual Adapter
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Discarding interface : Microsoft Wi-Fi Direct Virtual Adapter
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Microsoft Wi-Fi Direct Virtual Adapter #2
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface Type     :71
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface state    :2
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Microsoft Wi-Fi Direct Virtual Adapter #2
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Discarding interface : Microsoft Wi-Fi Direct Virtual Adapter #2
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Intel(R) Dual Band Wireless-AC 8265
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface Type     :71
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface state    :1
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Intel(R) Dual Band Wireless-AC 8265
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Trying to filter (Unicode) :Intel(R) Dual Band Wireless-AC 8265
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Adapter GUID:8AEA6876-6590-4FA7-A239-572C324BD1B4
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Description: Intel(R) Dual Band Wireless-AC 8265
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Name: Wi-Fi
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - State: CONNECTED
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - DHCP : Enabled
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - DNS Registration: Enabled
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - DNS by DHCP: Enabled
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - MAC Address: 50:76:AF:19:8C:50
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface type : Wireless
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Bluetooth Device (Personal Area Network)
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface Type     :6
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface state    :2
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Bluetooth Device (Personal Area Network)
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Discarding interface : Bluetooth Device (Personal Area Network)
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Software Loopback Interface 1
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface Type     :24
    2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Interface state    :1
    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Downloading device credentials from the Onboard server - https://cppmdemo.2plus.co.il/onboard/mdps_qc_enroll.php
    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Checking whether bypass proxy is false or true
    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Bypass proxy is false
    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Onboard server Host Name cppmdemo.2plus.co.il
    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Onboard server URL Path /onboard/mdps_qc_enroll.php

    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Retrieving value of Validate-Server-Certificate option
    2021-07-08 14:15:19,926 [null] INFO  Quick1X.QuickConnectDlg - Disabling Onboard server certificate validation
    2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Detected Windows version - Windows 10
    2021-07-08 14:15:20,178 [null] ERROR Quick1X.QuickConnectDlg - Received error HTTP Status code - 403
    2021-07-08 14:15:20,178 [null] DEBUG Quick1X.Util - Running config task as logged in user

    Script Log
    ==========
    08/07/2021 13:23:17   Adapter type detect starting
    08/07/2021 13:23:17   Intel(R) Ethernet Connection (4) I219-LM  Type: 0
    08/07/2021 13:23:17   Intel(R) Dual Band Wireless-AC 8265  Type: 9
    08/07/2021 13:23:17   Bluetooth Device (Personal Area Network)  Type: 10
    08/07/2021 13:23:17   Microsoft Wi-Fi Direct Virtual Adapter  Type: 9
    08/07/2021 13:23:17   Microsoft Wi-Fi Direct Virtual Adapter #2  Type: 9
    08/07/2021 14:15:19   Adapter type detect starting
    08/07/2021 14:15:19   Intel(R) Ethernet Connection (4) I219-LM  Type: 0
    08/07/2021 14:15:19   Intel(R) Dual Band Wireless-AC 8265  Type: 9
    08/07/2021 14:15:19   Bluetooth Device (Personal Area Network)  Type: 10
    08/07/2021 14:15:19   Microsoft Wi-Fi Direct Virtual Adapter  Type: 9
    08/07/2021 14:15:19   Microsoft Wi-Fi Direct Virtual Adapter #2  Type: 9

    Helper Log
    ==========



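The client log in the post above already contains the two facts a responder would want to see first: the QuickConnect agent turned off Onboard server certificate validation, and the enrollment endpoint answered HTTP 403. The following is an added triage script, not part of the thread and not ClearPass or QuickConnect code; it parses a constructed subset of the posted log lines (the `SAMPLE_LOG` string, copied from the post) and flags those conditions. The line format regex and the wording of the findings are my assumptions about the log, not documented QuickConnect behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the QuickConnect client log lines from the post above.
SAMPLE_LOG = """\
2021-07-08 14:15:16,509 [main] DEBUG Quick1X.Config - QuickConnect Mode isonboard
2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Name: Ethernet
2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - State: DISCONNECTED
2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - Name: Wi-Fi
2021-07-08 14:15:19,925 [null] DEBUG Quick1X.DeviceInfo - State: CONNECTED
2021-07-08 14:15:19,926 [null] DEBUG Quick1X.QuickConnectDlg - Downloading device credentials from the Onboard server - https://cppmdemo.2plus.co.il/onboard/mdps_qc_enroll.php
2021-07-08 14:15:19,926 [null] INFO  Quick1X.QuickConnectDlg - Disabling Onboard server certificate validation
2021-07-08 14:15:20,178 [null] ERROR Quick1X.QuickConnectDlg - Received error HTTP Status code - 403
"""

# Assumed line layout: "<timestamp> [<thread>] <LEVEL> <logger> - <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]*)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
URL_RE = re.compile(r"Onboard server - (?P<url>\S+)")
HTTP_RE = re.compile(r"HTTP Status code - (?P<code>\d+)")


@dataclass
class Triage:
    onboard_url: Optional[str] = None
    cert_validation_disabled: bool = False
    http_errors: List[int] = field(default_factory=list)
    connected_interfaces: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the log into structured records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage_log(text: str) -> Triage:
    """Walk the records in order and collect the security-relevant facts."""
    result = Triage()
    current_iface: Optional[str] = None
    for rec in parse_log(text):
        msg = rec["msg"]
        # DeviceInfo logs "Name: X" followed by "State: Y" for the same adapter.
        if msg.startswith("Name: "):
            current_iface = msg[len("Name: "):]
        elif msg == "State: CONNECTED" and current_iface:
            result.connected_interfaces.append(current_iface)
        elif (m := URL_RE.search(msg)):
            result.onboard_url = m.group("url")
        elif "Disabling Onboard server certificate validation" in msg:
            result.cert_validation_disabled = True
        elif (m := HTTP_RE.search(msg)):
            result.http_errors.append(int(m.group("code")))

    # Findings are my own interpretation of what those lines imply for a defender.
    if result.cert_validation_disabled:
        result.findings.append(
            "Onboard server certificate validation is disabled: the agent will accept "
            "any certificate for the enrollment host, so install a publicly trusted "
            "certificate on ClearPass and re-enable validation."
        )
    for code in result.http_errors:
        if code == 403:
            result.findings.append(
                "HTTP 403 from the enrollment endpoint: the server refused the request, "
                "so check the Onboard authorization service and the server-side logs."
            )
    return result


if __name__ == "__main__":
    t = triage_log(SAMPLE_LOG)
    print("Onboard URL:", t.onboard_url)
    print("Connected interfaces:", t.connected_interfaces)
    for f in t.findings:
        print("-", f)
```

Run it against a full saved client log (`triage_log(open("client.log").read())`) to get the same summary; the per-adapter `Name`/`State` pairing relies on the order in which DeviceInfo prints them, so it is only as reliable as that assumption.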



  • 7.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    MVP EXPERT
    Posted Jul 13, 2021 10:32 AM
    What does the CPG application log show?

    ------------------------------
    Tim C
    ------------------------------



  • 8.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    Posted Jul 13, 2021 02:28 PM
    Hi,
    You mean this log?!: (image not reproduced)

    Or which CPG log? Please advise. I need the info, tomorrow I'm on-site.





  • 9.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    EMPLOYEE
    Posted Jul 16, 2021 09:50 AM
    Do you have a trusted public certificate on your ClearPass server(s)? If not, get one and test again. In my experience, iOS will reject profiles unless sent over a trusted HTTPS connection.

    It really is not worth the effort to try to get things to work without a trusted public certificate.

    Also, first try Onboarding with a local account, for which you know it works. If it works there, switch to SAML/OAuth2 SSO.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    Posted Jul 16, 2021 12:06 PM
    Hi
    Thanks for the tip, BUT,

    The onboard process was done with a publicly signed cert that was deployed on the CPPM and used during the onboarding process.
    On iOS it's marked as verified, and the onboard profile is also marked with a green "verified".

    But I guess it's something I missed, or something in the service I built based on the SAML/OAuth2 guide (attached to this post as a PDF).

    Because when I create the Onboard service from the wizard it seems to be working :) But I still don't know why... it got the user back without any matching service before I created one with the wizard...

    I still hope some Airheads & CPPM guru will be able to help me figure out what I missed.





  • 11.  RE: ClearPass - 802.1X in front of G-Suite with LDAP connector - is it possible? (using only user and password?)

    MVP EXPERT
    Posted Jul 16, 2021 01:01 PM
    The Onboard Authorization service is missing. Create it manually or use the wizard / service template.

    ------------------------------
    Tim C
    ------------------------------