Controllerless Networks


Guest Wireless access via Azure SSO

  • 1.  Guest Wireless access via Azure SSO

    Posted 27 days ago
    Hello

    I have a request to permit guest access for corporate users using Azure AD authentication via SSO. All the info I have found is for onboarding or for guest operators. How can I utilise a captive portal, using CPPM, for users to enter their Azure AD credentials and then gain internet access?

    ------------------------------
    Jeremy Smith
    ------------------------------


  • 2.  RE: Guest Wireless access via Azure SSO
    Best Answer

    Posted 26 days ago
    Hi,

    You can use OAUTH or SAML for this.

    I have done this using OAUTH as explained here:
    https://whyfiplusplus.com/2020/09/27/clearpass-tiny-bite-7-clearpass-guest-social-login-with-azure-ad-part-1/
    I will be documenting how to actually configure it in detail in the delayed part 2!

    In brief, you define a web login page and define your Azure as a social login provider. (You will need to create an app on Azure to get the client ID / secret.)

    You will also need to define a service policy to use social logon providers.




    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 3.  RE: Guest Wireless access via Azure SSO

    Posted 26 days ago
    Thanks Ayman

    I assume I still need to define the pre auth on the weblogin as SAML and have the SSO identity configured pointing to Azure? Also, I will need a mac auth all radius service for the initial connection before it launches the weblogin?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 4.  RE: Guest Wireless access via Azure SSO

    Posted 26 days ago
    The way I did it is based on OAUTH, not SAML, thus you don't need to configure "Pre-auth check" to SSO.
    ClearPass will be using Azure APIs to fetch attributes about the user after the user is authenticated on Azure.

    If you want to configure it using SAML, then yes you will need to set pre-auth check to SSO.

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 5.  RE: Guest Wireless access via Azure SSO

    Posted 26 days ago
    Thanks Ayman

    Can't wait for your detailed config document! In the meantime I have configured what I think is needed, but could you advise on what I need to put on the weblogin page for the vendor settings and address please? I have configured the cloud identity and set pre auth to SAML but am unsure on the rest of the settings. I have uploaded an attachment of what I need. Thanks very much

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 6.  RE: Guest Wireless access via Azure SSO

    Posted 25 days ago
    Sorry, wrong attachment! Here is the correct one.
    I also do not see Microsoft Azure as an option when using the Cloud Identity/ Social media service template. Do I unselect all the vendors and continue?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 7.  RE: Guest Wireless access via Azure SSO

    Posted 22 days ago
    Maybe you are in the wrong field. I have those cloud providers on my list and Azure is available:



    ------------------------------
    Florian Baaske
    ------------------------------



  • 8.  RE: Guest Wireless access via Azure SSO

    Posted 22 days ago
    Hi Florian

    Yes, I have selected Microsoft Azure in the cloud identity within the web login, but it's not an option when trying to create the service, as only Google, LinkedIn, Twitter and Facebook are options for the social repository. This is when using the Cloud Identity/ Social login service template.

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 9.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Hi, 

    have you looked into this document? 

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=18612#bm47eca527-257c-411a-b292-a007ffdaf7fc

    I think this should answer your questions.

    ------------------------------
    Florian Baaske
    ------------------------------



  • 10.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Hi Florian

    Yes, I have used the document but am still having issues while testing. We get a blank web page asking to 'connect to the internet' after our tester clicks on the Azure AD button on the captive portal page.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 11.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Could it be that you did not whitelist the Azure URLs in order to be allowed before authentication? I think those whitelist URLs are also included in the document above.

    ------------------------------
    Florian Baaske
    ------------------------------



  • 12.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    We use Aruba Central to manage our Access Points and I have configured a pre auth Role that enforces captive portal and deny any to any. Should I permit access via https to domain login.microsoftonline.com* ? There is no option in the Aruba Central roles for URL access. I have uploaded a screenshot to help.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 13.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Hi Jeremy,

    I just posted the How To Guide here https://whyfiplusplus.com/2020/11/10/clearpass-tiny-bite-8-clearpass-guest-social-login-with-azure-ad-part-2/

    Please check it. In brief, the Service template will only show you specific options like Facebook, LinkedIn... You will need to edit the enforcement policy manually.

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 14.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Thanks very much Ayman! Hopefully one last question... I use Aruba Central rather than a controller, so would the access lists work the same? As you can see, my post to Florian above shows the options for the role access list in Central.

    Thanks again

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 15.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Hi,

    Did you try to whitelist the domains using the wall-garden option?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 16.  RE: Guest Wireless access via Azure SSO

    Posted 21 days ago
    Walled-Garden is not supported in IAP 6.5.4 + and has been replaced by the domain ACL option within the roles. Looks like a very large list for me then :-)

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 17.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Hi Ayman

    I have this all working now in one of my offices; the issue I have now is that another office is not working. They can't resolve the vendor address even though the other office can. The only difference is that the non-working office has its own Virtual Controller. Any ideas?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 18.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Hi Jeremy,

    At what step is it failing?  Can you send some screenshots?
    Do you have the same certificate installed on the other VC?

    Regards,
    Ayman

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 19.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Hi Ayman

    Sure, I have uploaded the screenshot the user sent me. He gets the captive portal page and then clicks on the Microsoft Azure AD button and then gets the attached. In my mind I think it is a cert issue, but for the life of me I cannot work out how to check or install the cert on the other VC, as we use Aruba Central to manage the Access Points in groups.

    Thanks


    ------------------------------
    Jeremy Smith
    ------------------------------



  • 20.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    So he is not getting redirected to Azure page? Did you whitelist Azure URLs?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 21.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Did you whitelist the Azure URLs in the initial role? The Azure page is not loading, right?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 22.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Did you whitelist Azure URLs? Azure page is not loading, right?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 23.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Did you whitelist Azure URLs in the other VC? Azure page is not loading, right?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 24.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Well, I duplicated the Group that works fine, so the whitelist for the roles is the same as the working Group and should be fine.

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 25.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    So he got redirected to Azure and logged in successfully on Azure? After that, he is getting this error, right?

    If this is the case, then you need to make sure that the same certificate is installed in the other VC.

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 26.  RE: Guest Wireless access via Azure SSO

    Posted 14 days ago
    Yep, my Aruba SE has advised me how to upload the cert and apply it to the captive portal for each Group. The reason it worked for one office is that the IAPs were installed and set up before we migrated to Central, so the cert was applied locally to the VC. What a gotcha!

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 27.  RE: Guest Wireless access via Azure SSO

    Posted 6 days ago
    Hi Ayman

    I have recently migrated our external DNS entry for the captive portal to my new CPPM appliances, but this has stopped the OAuth from working.
    I have confirmed that CPPM has access to Azure, but the client gets a 'Login Error, please re try'. This is using the same setup of the VC from when we got it working on my old CPPM server. Any ideas? Do we need to delete the Azure OAuth config and start from fresh?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 28.  RE: Guest Wireless access via Azure SSO

    Posted 6 days ago
    Hi,

    Did you whitelist the new captive portal IP in your initial role or was it configured by FQDN name? At which stage is it failing?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 29.  RE: Guest Wireless access via Azure SSO

    Posted 6 days ago
    It was configured via FQDN in the old and new setup. The stage it is failing at is after the user clicks on the Azure AD button on the captive portal page and gets an error = login failed please retry

    We have confirmed that the login reaches Azure and all firewall rules are working. It's the same pre auth role being used as the previous working setup.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 30.  RE: Guest Wireless access via Azure SSO

    Posted 6 days ago
    Did you change the radius server IP in your captive portal profile to map to the new IP?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 31.  RE: Guest Wireless access via Azure SSO

    Posted 5 days ago
    Morning Ayman

    Yes, I did change the radius server IP in the captive portal. We have fixed it now. The resolution is that Azure didn't like the change, so we had to delete the OAuth config in Azure and re-add it. Very strange but worth noting.

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 32.  RE: Guest Wireless access via Azure SSO

    Posted 6 hours ago
    Hi Ayman

    I now have a request to enable the working Azure OAuth flow in the existing guest captive portal page. I have enabled the cloud identity within the guest self registration page and added the needed ACLs to the role, but have encountered an error with the reply URI being incorrect. I have changed the reply URI to the guest captive portal page but am still seeing the issue. Any ideas?

    ------------------------------
    Jeremy Smith
    ------------------------------
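
The reply URI error in the last post and the pre-auth whitelist questions earlier in the thread can both be checked from one captured authorize redirect. This is an added example, not part of the original thread and not ClearPass or Azure code: it compares the `redirect_uri` the portal sends against the reply URIs registered on the Azure app using plain string comparison (the rule RFC 6749 section 3.1.2.3 gives for fully registered URIs) and checks the identity provider host against the role's domain list. The hostnames, page names, `TENANT_ID`/`CLIENT_ID` values and the suffix-style domain matching are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: hostnames, page names and TENANT_ID/CLIENT_ID are placeholders.
SAMPLE_URL = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
    "?client_id=CLIENT_ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fguest.example.com%2Fguest%2Fguest_register.php"
)
REGISTERED = ["https://guest.example.com/guest/azure_login.php"]  # reply URIs on the app
PREAUTH = ["microsoftonline.com"]  # domains permitted in the pre-auth role


def explain_mismatch(sent, registered):
    """Name the URI components in which `sent` differs from one registered reply URI."""
    a, b = urlsplit(sent), urlsplit(registered)
    pairs = [("scheme", a.scheme, b.scheme), ("host", a.netloc, b.netloc),
             ("path", a.path, b.path), ("query", a.query, b.query)]
    return [name for name, x, y in pairs if x != y]


def check_authorize_request(authorize_url, registered_uris, preauth_domains):
    """Check a captured authorize redirect against the app registration and pre-auth ACL."""
    parts = urlsplit(authorize_url)
    sent = parse_qs(parts.query).get("redirect_uri", [""])[0]  # percent-decoded value
    host = (parts.hostname or "").lower()
    # Assumption: a domain entry also covers its subdomains (suffix match).
    allowed = any(host == d or host.endswith("." + d) for d in preauth_domains)
    return {
        "idp_host": host,
        "idp_host_allowed": allowed,
        "redirect_uri": sent,
        # A trailing slash, a different page name or http vs https all count as a mismatch.
        "redirect_uri_registered": sent in registered_uris,
        "differences": {r: explain_mismatch(sent, r) for r in registered_uris},
    }


if __name__ == "__main__":
    for key, value in check_authorize_request(SAMPLE_URL, REGISTERED, PREAUTH).items():
        print(f"{key}: {value}")
```

With the constructed data, the self-registration page is sent as the reply URI while only the older web login page is registered, so the report names `path` as the differing component.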