Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Onboard with Microsoft Azure as IdP

  • 1.  Onboard with Microsoft Azure as IdP

    Posted Oct 26, 2017 07:59 AM

    Hello community,


    I'm testing device onboarding with Microsoft Azure as the identity provider (using OAuth 2.0). I followed the guideline "Onboard and Cloud Identity Providers" to set things up, but I am being thrown the error below when trying to access the onboard page:

    [screenshot 1.PNG: the error message, not reproduced here]

    I'm not sure what field is unavailable (per the error message) and how to proceed. Really appreciate if someone can help me on this.


    Thank you very much,




  • 2.  RE: Onboard with Microsoft Azure as IdP

    Posted Oct 26, 2017 08:10 AM
    Are you being redirected as part of an Onboard flow or did you just manually go to it in your browser?


  • 3.  RE: Onboard with Microsoft Azure as IdP

    Posted Oct 26, 2017 10:23 AM

    Hi Tim,


    I was just browsing to the onboard page manually (typing the URL https://mydomain/guest/device_provisioning.php into my browser). Was that the problem?


    Thanks,



  • 4.  RE: Onboard with Microsoft Azure as IdP

    Posted Oct 26, 2017 10:26 AM
    Yes. There are parameters added during redirection that are required.


  • 5.  RE: Onboard with Microsoft Azure as IdP

    Posted Oct 26, 2017 10:33 AM

    So, I need to set up a real captive portal (pointing to the onboard page) for this to work? Is that correct?


    I'm using a Cisco wireless controller for testing. Can this solution work with Cisco, or does it have to be an Aruba device?



  • 6.  RE: Onboard with Microsoft Azure as IdP

    Posted Oct 26, 2017 10:35 AM
    Yes. ClearPass is a multivendor product.


  • 7.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 20, 2017 10:50 PM

    Hi,


    We've tested SSO with Azure successfully. Now I'm planning to use Endpoint:social attributes in the Endpoint repository to authorize users, in place of LDAP. Is that possible? And are these endpoint attributes ever expired and cleaned up on CPPM?


    Thank you,



  • 8.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 20, 2017 10:54 PM
    Yes, you can use them in policy. They are only refreshed during a new OAuth 2.0 login event by the user on the device.


  • 9.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 21, 2017 02:04 AM

    Hi Tim,


    That means in case the users change their department, they have to re-onboard their devices in order to receive new attributes and new (updated) policy. Right?


    Thank you,



  • 10.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 21, 2017 06:13 AM

    There's a new issue I've found with SSO onboarding. It looks like it does not work with Ubuntu devices, because when I download the certificate and extract it with openssl, it complains that the import password is invalid (though I'm sure I entered the correct one). Could you please give me some advice? The number of Ubuntu users in my company is pretty high, so this is quite a serious issue.


    Thank you,
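
Added example, not from the thread and not ClearPass or OpenSSL code: a sanity check to run over the downloaded certificate bundle on Ubuntu before concluding that the import password is wrong. OpenSSL reports a MAC verification failure ("invalid password?") both for a wrong password and for a PKCS#12 bundle whose bytes were altered, and a download that is actually a saved HTML page, a PEM file or a truncated blob fails in the same general way. The check below classifies the file by its outer DER framing only; it does not need the password. The sample byte strings are constructed for the demo (a minimal PFX skeleton, not a real Onboard download), and the function names are this example's own.

```python
"""Classify a downloaded 'certificate' blob before blaming the password.

Added example for the thread above; not ClearPass, Onboard or OpenSSL code.
"""
from typing import Dict, Tuple


def _der_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length field at data[pos]; return (length, offset_after_length)."""
    first = data[pos]
    if first < 0x80:                      # short form: single byte
        return first, pos + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or pos + 1 + n > len(data):
        raise ValueError("malformed DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_pkcs12_download(data: bytes) -> Tuple[bool, str]:
    """Return (looks_like_intact_pfx, reason) for a downloaded blob."""
    head = data.lstrip()[:16].lower()
    if head.startswith(b"-----begin"):
        return False, "PEM text, not a PKCS#12 file"
    if head.startswith(b"<!doctype") or head.startswith(b"<html"):
        return False, "HTML page (portal, login or error page) saved instead of the certificate"
    if not data or data[0] != 0x30:
        return False, "does not start with a DER SEQUENCE"
    try:
        total, body = _der_length(data, 1)
    except (ValueError, IndexError):
        return False, "malformed outer DER length"
    if body + total != len(data):
        return False, (f"length mismatch: header says {body + total} bytes, "
                       f"file has {len(data)} (truncated or padded download)")
    # PFX ::= SEQUENCE { version INTEGER (v3 = 3), authSafe ContentInfo, macData OPTIONAL }
    if data[body:body + 3] != b"\x02\x01\x03":
        return False, "outer SEQUENCE does not begin with PFX version 3"
    return True, ("looks like an intact PKCS#12 (v3); if openssl still rejects it, "
                  "the password itself is the suspect")


# Constructed samples (not real Onboard downloads): a minimal PFX v3 skeleton,
# the same skeleton with the last two bytes missing, an HTML page and a PEM file.
SAMPLES: Dict[str, bytes] = {
    "pfx_ok":        bytes.fromhex("3008" "020103" "3003020100"),
    "pfx_truncated": bytes.fromhex("3008" "020103" "300302"),
    "html":          b"<!DOCTYPE html><html><body>Login required</body></html>",
    "pem":           b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, reason = check_pkcs12_download(blob)
        print(f"{name:14s} {'OK ' if ok else 'BAD'} {reason}")
```

To use it on a real download, call `check_pkcs12_download(open("onboard.p12", "rb").read())`; only if it reports an intact PKCS#12 is it worth retrying `openssl pkcs12` with the password.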



  • 11.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 21, 2017 08:57 AM
    Please open a TAC case.


  • 12.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 21, 2017 09:56 PM

    Hi Tim,


    I'll open a TAC case then (but apparently h10145.www.hpe.com cannot be resolved at the moment; I cannot access this page after logging in to cf.passport.hpe.com).


    Returning to my previous question: if I use Endpoint:social attributes for authorization and a user changes his department, he will need to re-onboard (do a whole new OAuth transaction) in order to receive the updated attributes and policy. Right?


    Thank you,



  • 13.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 21, 2017 09:59 PM
    Correct. You could build a workflow that has a basic web login setup that would occasionally redirect the user to re-validate their credentials which would update the information.
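
Added example, not from the thread and not ClearPass code: a toy model of the behaviour the two replies above describe. Cached Endpoint:social attributes are refreshed only by an OAuth 2.0 login event, so a policy that authorizes on a cached "department" claim keeps honouring the old value after the user moves, until a re-validation (the periodic web-login redirect Tim suggests) forces a fresh login. The `Endpoint` record, the `department` claim, the `max_age` window and the decision names are all this example's own assumptions; ClearPass's real attribute names and policy engine are not modelled.

```python
"""Toy model of authorizing on cached IdP attributes with a re-validation window.

Added example for the thread above; not ClearPass code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Endpoint:
    """Stand-in for an Endpoint repository record (assumed shape)."""
    mac: str
    social: Dict[str, str] = field(default_factory=dict)  # cached IdP claims
    last_oauth_login: Optional[datetime] = None


def oauth_login(endpoint: Endpoint, claims: Dict[str, str], now: datetime) -> None:
    """Simulate the OAuth 2.0 login event: the only thing that refreshes the cache."""
    endpoint.social = dict(claims)
    endpoint.last_oauth_login = now


def authorize(endpoint: Endpoint, now: datetime, allowed_departments: Set[str],
              max_age: timedelta) -> Tuple[str, str]:
    """Return (decision, reason); 'revalidate' means redirect the user to the web login."""
    if endpoint.last_oauth_login is None:
        return "revalidate", "no cached identity for this endpoint"
    if now - endpoint.last_oauth_login > max_age:
        return "revalidate", "cached attributes are older than max_age"
    dept = endpoint.social.get("department")
    if dept in allowed_departments:
        return "allow", f"department={dept}"
    return "deny", f"department={dept!r} is not permitted"


def demo() -> List[str]:
    """Walk one endpoint through a department change; returns the decision sequence."""
    t0 = datetime(2017, 11, 21, 9, 0, tzinfo=timezone.utc)   # constructed timeline
    ep = Endpoint("aa:bb:cc:dd:ee:ff")
    allowed = {"Finance"}
    max_age = timedelta(days=30)
    decisions = []

    oauth_login(ep, {"upn": "alice@example.com", "department": "Finance"}, t0)
    decisions.append(authorize(ep, t0 + timedelta(days=1), allowed, max_age)[0])

    # The IdP now says Alice moved to Sales, but nothing has refreshed the endpoint cache,
    # so the stale "Finance" claim is still honoured.
    idp_claims_now = {"upn": "alice@example.com", "department": "Sales"}
    decisions.append(authorize(ep, t0 + timedelta(days=2), allowed, max_age)[0])

    # Once the cache is older than max_age the policy forces a re-validation...
    decisions.append(authorize(ep, t0 + timedelta(days=31), allowed, max_age)[0])

    # ...the resulting OAuth login refreshes the cache, and the policy now sees "Sales".
    oauth_login(ep, idp_claims_now, t0 + timedelta(days=31))
    decisions.append(authorize(ep, t0 + timedelta(days=31), allowed, max_age)[0])
    return decisions


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'revalidate', 'deny']
```

The second "allow" is the window Tim's reply is about: without a re-validation trigger it lasts for as long as the device keeps its onboarded credential, so the max-age (or an equivalent periodic redirect) is what bounds how stale an authorization decision can be.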


  • 14.  RE: Onboard with Microsoft Azure as IdP

    Posted Nov 22, 2017 11:55 PM

    About the Ubuntu issue when onboarding with SSO: my temporary solution is to use the normal onboarding flow for Ubuntu, and SSO onboarding for other devices.