Controllerless Networks


Guest Wireless access via Azure SSO

  • 1.  Guest Wireless access via Azure SSO

    Posted Nov 04, 2020 10:27 AM
    Hello

    I have a request to permit guest access for corporate users using Azure AD authentication via SSO. All the info I have found is for onboarding or for guest operators. How can I utilise a captive portal, using CPPM, for users to enter their Azure AD credentials and then gain internet access?

    ------------------------------
    Jeremy Smith
    ------------------------------


  • 2.  RE: Guest Wireless access via Azure SSO
    Best Answer

    Posted Nov 05, 2020 03:27 AM
    Hi,

    You can use OAuth or SAML for this.

    I have done this using OAuth as explained here:
    https://whyfiplusplus.com/2020/09/27/clearpass-tiny-bite-7-clearpass-guest-social-login-with-azure-ad-part-1/
    I will be documenting how to actually configure it in detail in the delayed part 2!

    In brief, you define a web login page and define your Azure as a social login provider. You will need to create an app on Azure to get the client ID / secret.

    You will also need to define a service policy to use social login providers.




    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 3.  RE: Guest Wireless access via Azure SSO

    Posted Nov 05, 2020 04:32 AM
    Thanks Ayman

    I assume I still need to define the pre-auth on the web login as SAML and have the SSO identity configured pointing to Azure? Also, will I need a MAC auth all RADIUS service for the initial connection before it launches the web login?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 4.  RE: Guest Wireless access via Azure SSO

    Posted Nov 05, 2020 05:08 AM
    The way I did it is based on OAuth, not SAML, thus you don't need to configure "Pre-auth check" to SSO.
    ClearPass will be using Azure APIs to fetch attributes about the user after the user is authenticated on Azure.

    If you want to configure it using SAML, then yes you will need to set pre-auth check to SSO.

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 5.  RE: Guest Wireless access via Azure SSO

    Posted Nov 05, 2020 11:13 AM
    Thanks Ayman

    Can't wait for your detailed config document! In the meantime I have configured what I think is needed, but could you advise on what I need to put on the web login page for the vendor settings and address please? I have configured the cloud identity and set pre-auth to SAML but am unsure on the rest of the settings. I have uploaded an attachment of what I need. Thanks very much

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 6.  RE: Guest Wireless access via Azure SSO

    Posted Nov 06, 2020 08:12 AM
    Sorry wrong attachment! Here is the correct one.
    I also do not see Microsoft Azure as an option when using the Cloud Identity / Social Media service template. Do I unselect all the vendors and continue?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 7.  RE: Guest Wireless access via Azure SSO

    Posted Nov 09, 2020 10:08 AM
    Maybe you are in the wrong field. I have those cloud providers on my list and Azure is available:



    ------------------------------
    Florian Baaske
    ------------------------------



  • 8.  RE: Guest Wireless access via Azure SSO

    Posted Nov 09, 2020 10:13 AM
    Hi Florian

    Yes, I have selected Microsoft Azure in the cloud identity within the web login, but it's not an option when trying to create the service, as only Google, LinkedIn, Twitter and Facebook are options for the social repository. This is when using the Cloud Identity / Social Login service template.

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 9.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 10:17 AM
    Hi, 

    have you looked into this document? 

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=18612#bm47eca527-257c-411a-b292-a007ffdaf7fc

    I think this should answer your questions.

    ------------------------------
    Florian Baaske
    ------------------------------



  • 10.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 10:27 AM
    Hi Florian

    Yes, I have used the document but am still having issues while testing. We get a blank web page asking to 'connect to the internet' after our tester clicks on the Azure AD button on the captive portal page.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 11.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 10:34 AM
    Could it be that you did not whitelist the Azure URLs so that they are allowed before authentication? I think those whitelist URLs are also included in the document above.

    ------------------------------
    Florian Baaske
    ------------------------------



  • 12.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 10:44 AM
    We use Aruba Central to manage our Access Points and I have configured a pre-auth role that enforces captive portal and deny any to any. Should I permit access via HTTPS to the domain login.microsoftonline.com*? There is no option in the Aruba Central roles for URL access. I have uploaded a screenshot to help.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 13.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 10:37 AM
    Hi Jeremy,

    I just posted the How To Guide here https://whyfiplusplus.com/2020/11/10/clearpass-tiny-bite-8-clearpass-guest-social-login-with-azure-ad-part-2/

    Please check it..In brief, the Service template will only show you specific options like Facebook, Linkedin..You will need to edit the enforcement policy manually...

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 14.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 10:58 AM
    Thanks very much Ayman! Hopefully one last question... I use Aruba Central rather than a controller, so would the access lists work the same? As you can see, my post to Florian above shows the options for the role access list in Central.

    Thanks again

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 15.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 12:01 PM
    Hi,

    Did you try to whitelist the domains using the walled-garden option?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 16.  RE: Guest Wireless access via Azure SSO

    Posted Nov 10, 2020 12:08 PM
    Walled garden is not supported in IAP 6.5.4+ and has been replaced by the domain ACL option within the roles. Looks like a very large list for me then :-)

    ------------------------------
    Jeremy Smith
    ------------------------------
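The pre-auth role the thread converges on, as an added example that is not part of any post and is not Aruba Instant or ClearPass code: a small first-match evaluator for a default-deny role with FQDN (domain ACL) entries. It shows why the role from post 12 (captive portal permitted, then deny any to any) leaves the client on a blank page as soon as the portal redirects it to login.microsoftonline.com, and how adding that host by FQDN lets the redirect chain complete. The portal FQDN, the `Rule` type and the exact rule sets are assumptions standing in for the real configuration.

```python
"""First-match model of an IAP pre-authentication role with domain ACL
entries. Added example for this thread; not Aruba, Instant or ClearPass
code. The captive-portal FQDN and the rule sets are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

PORTAL_FQDN = "guest.example.com"   # assumption: stands in for the CPPM web-login host


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches any port
    domain: str            # shell-style pattern; "*" is any host


# Post 12's role: captive portal enforced, everything else "deny any to any".
PREAUTH_DENY_ALL: List[Rule] = [
    Rule("permit", "udp", 53, "*"),            # DNS, so FQDN rules can resolve
    Rule("permit", "tcp", 443, PORTAL_FQDN),   # the ClearPass portal itself
    Rule("deny", "any", None, "*"),
]

# The same role with the Azure login host added by FQDN (the domain ACL
# that replaced the walled garden on IAP 6.5.4+, per post 16).
PREAUTH_WITH_AZURE: List[Rule] = PREAUTH_DENY_ALL[:2] + [
    Rule("permit", "tcp", 443, "login.microsoftonline.com*"),
    Rule("deny", "any", None, "*"),
]


def evaluate(role: List[Rule], host: str, proto: str = "tcp", port: int = 443) -> str:
    """Return the action of the first rule matching host/proto/port.
    Hostnames are compared case-insensitively; a role with no matching
    rule denies, as firewall roles do."""
    for r in role:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if fnmatchcase(host.lower(), r.domain.lower()):
            return r.action
    return "deny"


def blocked_hops(role: List[Rule], hops: List[str]) -> List[str]:
    """Which hosts on the pre-auth path (portal, then Azure login) the
    role would drop. An empty list means the redirect chain can complete."""
    return [h for h in hops if evaluate(role, h) != "permit"]


if __name__ == "__main__":
    path = [PORTAL_FQDN, "login.microsoftonline.com"]
    print("deny-all role blocks:", blocked_hops(PREAUTH_DENY_ALL, path))
    print("with Azure entry blocks:", blocked_hops(PREAUTH_WITH_AZURE, path))
```

The evaluator only models what the thread discusses: the client must reach the portal and the Azure login host before it has a role that permits anything else. Whatever further hosts the Azure sign-in page itself pulls assets from is outside this example and has to come from the vendor documentation referenced above.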



  • 17.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 05:05 AM
    Hi Ayman

    I have this all working now in one of my offices; the issue I have now is that another office is not working. They can't resolve the vendor address even though the other office can. The only difference is that the non-working office has its own Virtual Controller. Any ideas?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 18.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 05:27 AM
    Hi Jeremy,

    At what step is it failing?  Can you send some screenshots?
    Do you have the same certificate installed on the other VC?

    Regards,
    Ayman

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 19.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 05:37 AM
    Hi Ayman

    Sure, I have uploaded the screenshot the user sent me. He gets the captive portal page and then clicks on the Microsoft Azure AD button and then gets the attached. In my mind I think it is a cert issue, but for the life of me I cannot work out how to check or install the cert on the other VC, as we use Aruba Central to manage the Access Points in groups.

    Thanks
    User error


    ------------------------------
    Jeremy Smith
    ------------------------------



  • 20.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:04 AM
    So he is not getting redirected to the Azure page? Did you whitelist the Azure URLs?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 21.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:05 AM
    Did you whitelist the Azure URLs in the initial role? The Azure page is not loading, right?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 22.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:06 AM
    Did you whitelist the Azure URLs? The Azure page is not loading, right?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 23.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:07 AM
    Did you whitelist the Azure URLs in the other VC? The Azure page is not loading, right?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 24.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:13 AM
    Well, I duplicated the Group that works fine, so the whitelist for the roles is the same as the working Group and should be fine.

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 25.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:20 AM
    So he got redirected to Azure and logged in successfully on Azure? After that, he is getting this error, right?

    If this is the case, then you need to make sure that the same certificate is installed in the other VC..

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 26.  RE: Guest Wireless access via Azure SSO

    Posted Nov 17, 2020 06:47 AM
    Yep, my Aruba SE has advised me how to upload the cert and apply it to the captive portal for each Group. The reason it worked for one office is that the IAPs were installed and set up before we migrated to Central, so the cert was applied locally to the VC. What a gotcha!

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 27.  RE: Guest Wireless access via Azure SSO

    Posted Nov 25, 2020 06:36 AM
    Hi Ayman

    I have recently migrated our external DNS entry for the captive portal to my new CPPM appliances, but this has stopped the OAuth from working.
    I have confirmed that CPPM has access to Azure, but the client gets a 'Login Error, please retry'. This is using the same setup of the VC from when we got it working on my old CPPM server. Any ideas? Do we need to delete the Azure OAuth config and start from fresh?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 28.  RE: Guest Wireless access via Azure SSO

    Posted Nov 25, 2020 09:58 AM
    Hi,

    Did you whitelist the new captive portal IP in your initial role or was it configured by FQDN name? At which stage is it failing?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 29.  RE: Guest Wireless access via Azure SSO

    Posted Nov 25, 2020 10:09 AM
    It was configured via FQDN in the old and new setup. The stage it is failing at is after the user clicks on the Azure AD button on the captive portal page and gets an error: login failed, please retry.

    We have confirmed that the login reaches Azure and all firewall rules are working. It's the same pre-auth role being used as in the previous working setup.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 30.  RE: Guest Wireless access via Azure SSO

    Posted Nov 25, 2020 01:22 PM
    Did you change the RADIUS server IP in your captive portal profile to map to the new IP?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 31.  RE: Guest Wireless access via Azure SSO

    Posted Nov 26, 2020 04:11 AM
    Morning Ayman

    Yes, I did change the RADIUS server IP in the captive portal. We have fixed it now. The resolution is that Azure didn't like the change, so we had to delete the OAuth config in Azure and re-add it. Very strange, but worth noting.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 32.  RE: Guest Wireless access via Azure SSO

    Posted Dec 01, 2020 10:37 AM
    Hi Ayman

    I now have a request to enable the working Azure OAuth flow in the existing guest captive portal page. I have enabled the cloud identity within the guest self-registration page and added the needed ACLs to the role, but have encountered an error with the reply URI being incorrect. I have changed the reply URI to the guest captive portal page but am still seeing the issue. Any ideas?

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 33.  RE: Guest Wireless access via Azure SSO

    Posted Dec 06, 2020 12:20 AM
    Hi Jeremy,

    I am not sure, but did you check this page for the requirements of the redirect URL?
    https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 34.  RE: Guest Wireless access via Azure SSO

    Posted Dec 07, 2020 04:17 AM
    Hi Ayman

    Thanks, but yes, the reply URI is configured correctly from a case perspective. We use a registration form for guest access which then waits for the sponsor to approve the request. I wonder if the reply URI needs to be the device_register page rather than the initial registration request page?

    ------------------------------
    Jeremy Smith
    ------------------------------
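The OAuth exchange that posts 4 and 13 describe, together with the reply-URI mismatch from posts 32 to 34, as an added example that is not part of the thread and is not ClearPass or Microsoft code: a simulated Azure AD authorize and token endpoint beside the ClearPass-side steps, so the two checks that bit here (the redirect_uri sent in the authorize request must exactly match a reply URL on the app registration, and the callback must carry the state of the session that started the login) can be exercised offline. The tenant, the app (client) ID and secret, the portal FQDN, the page paths and the `FakeAzureAD` class are all assumptions; the exact-match rule is modelled as a plain string comparison, which is the bar to configure to whatever normalisation Azure may or may not apply.

```python
"""Offline model of the OAuth 2.0 authorization-code leg behind a
ClearPass Guest social login against Azure AD, with both sides' checks.
Added example for this thread; not ClearPass or Microsoft code. The
tenant, app registration, secret, portal host and page paths are
assumptions."""
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "contoso.onmicrosoft.com"                    # assumption
CLIENT_ID = "11111111-2222-3333-4444-555555555555"    # placeholder app (client) ID
CLIENT_SECRET = "placeholder-client-secret"           # placeholder, never a real one
PORTAL = "https://guest.example.com"                  # assumed CPPM web-login host
AUTHORIZE_EP = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"


def _query(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class FakeAzureAD:
    """Enough of the authorize and token endpoints to show the checks."""

    def __init__(self, reply_urls):
        self.reply_urls = set(reply_urls)   # reply URLs on the app registration
        self.codes: Dict[str, Tuple[str, str]] = {}   # code -> (client_id, redirect_uri)

    def authorize(self, url: str) -> Optional[str]:
        q = _query(url)
        # Exact string comparison against the registered reply URLs: no
        # case folding of the path and no trailing-slash tolerance here
        # (assumption about the precise Microsoft rules; exact match is
        # the bar to configure to). On failure Azure renders its own
        # error page and the browser never comes back to the portal.
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") not in self.reply_urls:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str):
        issued = self.codes.pop(code, None)   # single use: a replayed code fails
        if issued != (client_id, redirect_uri) or client_secret != CLIENT_SECRET:
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def start_login(page_path: str, state: str) -> Tuple[str, str]:
    """ClearPass side: the redirect_uri is the web-login page that carries
    the provider button; returns it and the URL the browser is sent to."""
    redirect_uri = PORTAL + page_path
    return redirect_uri, AUTHORIZE_EP + "?" + urlencode({
        "client_id": CLIENT_ID, "response_type": "code", "response_mode": "query",
        "scope": "openid profile email", "redirect_uri": redirect_uri, "state": state,
    })


def finish_login(azure: FakeAzureAD, callback_url: str, expected_state: str,
                 redirect_uri: str) -> str:
    """ClearPass side: bind the callback to the session, then redeem the
    code with the same redirect_uri and the client secret."""
    q = _query(callback_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        return "login_error:state"          # forged or stale callback
    tok = azure.token(q.get("code", ""), CLIENT_ID, CLIENT_SECRET, redirect_uri)
    return "ok" if tok else "login_error:token"


def run(azure: FakeAzureAD, page_path: str, expected_state: Optional[str] = None) -> str:
    """Drive one login; expected_state overrides the session state to
    simulate a callback that does not belong to this browser session."""
    state = secrets.token_urlsafe(16)
    redirect_uri, url = start_login(page_path, state)
    callback = azure.authorize(url)
    if callback is None:
        return "reply_uri_mismatch"
    return finish_login(azure, callback, expected_state or state, redirect_uri)


if __name__ == "__main__":
    azure = FakeAzureAD(["https://guest.example.com/guest/azure_login.php"])
    print(run(azure, "/guest/azure_login.php"))       # ok
    print(run(azure, "/guest/Azure_Login.php"))       # reply_uri_mismatch
    print(run(azure, "/guest/guest_register.php"))    # reply_uri_mismatch
```

The practical reading for the thread: every ClearPass page that can start the Azure login (the dedicated web-login page, and later the self-registration page) sends its own URL as redirect_uri, so each one needs its own entry on the app registration, character for character; and the state check on the return leg is what keeps a callback from one session being accepted by another.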