Security

Hello community,

 

I'm testing device onboarding with Microsoft Azure as identity provider (using OAuth 2.0). I followed the guideline "Onboard and Cloud Identity Providers" to set things up but being thrown the below error when trying to access the onboard page:

I'm not sure what field is unavailable (per the error message) and how to proceed. Really appreciate if someone can help me on this.

 

Thank you very much,

 

Are you being redirected as part of an Onboard flow or did you just manually go to it in your browser?

Hi Tim,

 

I was just browsing to the onboard page manually (typing the URL https://mydomain/guest/device_provisioning.php to my browser). Was that the problem?

 

Thanks,

Yes. There are parameters added during redirection that are required.

So, I need to setup a real captive portal (pointing to onboard page) for this to work? Is that correct?

 

I'm using a Cisco wireless controller for testing. Can this solution work with Cisco, or does it have to be an Aruba device?

Yes. ClearPass is a multivendor product.

Hi,

 

We've tested SSO with Azure successfully. Now I'm planning to use Endpoint:social attributes in Endpoint repository to authorize users, in replace of LDAP. Is that possible? And have these endpoint attributes ever expired and cleaned up on CPPM?

 

Thank you,

Yes, you can use them in policy. They are only refreshed during a new OAuth 2.0 login event by the user on the device.

Hi Tim,

 

That means in case the users change their department, they have to re-onboard their devices in order to receive new attributes and new (updated) policy. Right?

 

Thank you,

There's a new issue I've found with SSO onboarding. Looks like it does not work with Ubuntu devices, because when I download the certificate and extract it with openssl, it complained that the import password was invalid (though I'm sure I entered the correct one). Could you please give me some advice? The number of Ubuntu users in my company are pretty high, so this is quite a serious issue.

 

Thank you,

Please open a TAC case.

Hi Tim,

 

I'll open a TAC case then (but apparently h10145.www.hpe.com cannot be resolved at the moment. I cannot access this page after login to cf.passport.hpe.com).

 

Return to my previous question. If I use Endpoint:social attributes for authorization and a user changes his department, he will need to re-onboard (do a whole new OAuth transaction) in order to receive the updated attributes and policy. Right?

 

Thank you,

Correct. You could build a workflow that has a basic web login setup that would occasionally redirect the user to re-validate their credentials which would update the information.

About Ubuntu issue when onboarding with SSO, my temporary solution is to use normal onboarding flow for Ubuntu, and SSO onboarding for other devices.