Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Using ADFS as auth source for Onboard self-service

  • 1.  Using ADFS as auth source for Onboard self-service

    Posted May 06, 2020 02:23 PM

    Hello,

    We would like to allow our users to onboard personal devices which they would then be able to connect to a BYOD network.

    Is it possible for us to authenticate their access to the self-service onboard pages using ADFS? If so, is there any guidance on how to do this?

    Many thanks,

    Guy



  • 2.  RE: Using ADFS as auth source for Onboard self-service

    Posted May 06, 2020 02:37 PM

    Yes, you should be able to authenticate the users against AD. Just add the Authentication and Authorization sources of your AD server once you add it as a source in your On-Board Preauth and Auth services.



  • 3.  RE: Using ADFS as auth source for Onboard self-service

    Posted May 06, 2020 02:56 PM

    Thanks Dustin,

    I know very little about AD so this is a bit of a minefield for me! I kind of understand that ADFS is some sort of SSO layer that allows federated AD access. What I'm not really clear on is how that makes it different from AD in terms of using it as an auth source. But it sounds like I should configure it as an authentication source in the same way that I would if it was an AD server, is that right?

    Do I also have to add the ClearPass boxes to the AD domain or is that not necessary?

    Thanks for your help with this,

    Guy



  • 4.  RE: Using ADFS as auth source for Onboard self-service

    Posted May 06, 2020 03:12 PM

    Yes, you want to add the ClearPass servers to the domain.



  • 5.  RE: Using ADFS as auth source for Onboard self-service
    Best Answer

    Posted May 07, 2020 01:56 PM

    You do not need to connect CPPM to Active Directory Domain Services to use ADFS. That's the point of ADFS.

    Set up ADFS as the IdP for CPPM using SAML.

    You should only ever join CPPM to an AD DS domain when using legacy authentication (PEAPv0/EAP-MSCHAPv2).



  • 6.  RE: Using ADFS as auth source for Onboard self-service

    Posted May 07, 2020 07:01 PM

    OK, thank you - actually this is more what I was expecting; I worded my question poorly. I'd better update the 'solution'.

    I found the SSO Single Sign-On section under Identity in CPPM. I'm liaising with the chaps who run our ADFS, so hopefully we can exchange info to complete this process.