  • 1.  Clearpass 6.11. Entra ID

    Posted Oct 08, 2024 07:23 AM

    Hi all,

    Recently I had some PoCs with Entra ID in different scenarios. The EAP-TLS authentication based on a user cert did work quite well, but I came across the TLS authentication / authorization of a computer cert.
    I found the following HPE Aruba article which describes how this can be achieved. At the end it states that it should work in 6.11. and 6.12. Unfortunately I wasn't able to get this running with the latest 6.11. code. The Entra ID passage in the 6.12. user guide is also different to the 6.11.

    Does anyone know if this is a 6.12. feature or have a hint how to get this running in 6.11.?

    Thanks in advance



    ------------------------------
    Frederik
    ------------------------------


  • 2.  RE: Clearpass 6.11. Entra ID

    Posted Oct 09, 2024 10:31 AM
    Hi Frederik
    One of the big changes in 6.12 compared to 6.11 is the enhanced functions related to Entra ID.
    From the ClearPass Release Notes:
    "This release further enhances ClearPass support for Microsoft Entra ID (previously Azure Active Directory, or AAD) as an authorization source. The Microsoft Entra ID authorization capabilities are now extended to allow customers to use more than just user groups for authorization. This feature also supports certificate-based setups, so customers can choose to use either cleartext secrets or certificates to connect Microsoft Entra ID with ClearPass. As part of this feature, when Microsoft Entra ID is configured as an authorization source: (CP‑47920, CP‑48279, CP‑50884)
    - Administrators can choose to use certificates instead of API tokens.
    - Filtering can be done by group, assigned role, user, user type, MFA status, location, and more.
    - The Event Viewer includes alerts for expiring client secrets.
    - Additional default authorization attributes are available. The following attributes are not shown in the filter and must be manually entered in the filter query:
      - users.accountEnabled
      - users.userPrincipalName
      - group.displayName
    For more details, see the Microsoft Entra ID topic in the ClearPass Policy Manager 6.12 User Guide."


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass 6.11. Entra ID

    Posted 27 days ago

    ClearPass 6.11 is expected to work with Entra ID, but you should not make any changes to the filters or queries. With the changes in Entra ID support between 6.11 and 6.12, as Jonas mentioned already, it's recommended to go for ClearPass 6.12 in such a case.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------