  • 1.  Clearpass 6.11. Entra ID

    Posted Oct 08, 2024 07:23 AM

    Hi all,

    Recently I had some PoCs with Entra ID in different scenarios. The EAP-TLS authentication based on a user cert did work quite well, but I came across the TLS authentication / authorization of a computer cert.
    I found the following HPE Aruba article which describes how this can be achieved. At the end it states that it should work in 6.11. and 6.12. Unfortunately I wasn't able to get this running with the latest 6.11. code. The Entra ID passage in the 6.12. user guide is also different to the 6.11.

    Does anyone know if this is a 6.12. feature or have a hint how to get this running in 6.11.?

    Thanks in advance



    ------------------------------
    Frederik
    ------------------------------


  • 2.  RE: Clearpass 6.11. Entra ID

    Posted Oct 09, 2024 10:31 AM
    Hi Frederik
    One of the big changes in 6.12 compared to 6.11 is the enhanced functions related to Entra ID.
    From the ClearPass Release Notes:
    "This release further enhances ClearPass support for Microsoft Entra ID (previously Azure Active Directory, or AAD) as an authorization source. The Microsoft Entra ID authorization capabilities are now extended to allow customers to use more than just user groups for authorization. This feature also supports certificate-based setups, so customers can choose to use either cleartext secrets or certificates to connect Microsoft Entra ID with ClearPass. As part of this feature, when Microsoft Entra ID is configured as an authorization source: (CP‑47920, CP‑48279, CP‑50884)
    - Administrators can choose to use certificates instead of API tokens.
    - Filtering can be done by group, assigned role, user, user type, MFA status, location, and more.
    - The Event Viewer includes alerts for expiring client secrets.
    - Additional default authorization attributes are available. The following attributes are not shown in the filter and must be manually entered in the filter query:
      - users.accountEnabled
      - users.userPrincipalName
      - group.displayName
    For more details, see the Microsoft Entra ID topic in the ClearPass Policy Manager 6.12 User Guide."


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass 6.11. Entra ID

    Posted Oct 14, 2024 06:23 AM

    ClearPass 6.11 is expected to work with Entra ID, but you should not make any changes to the filters or queries. With the changes in Entra ID support between 6.11 and 6.12, as Jonas mentioned already, it's recommended to go for ClearPass 6.12 in such a case.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Clearpass 6.11. Entra ID

    Posted 15 days ago

    Dear Herman,

    Do you have any tech note about the ClearPass integration with Entra ID? If so, please share.

    Reg,

    Shamz




  • 5.  RE: Clearpass 6.11. Entra ID

    Posted 14 days ago

    Shamz,

    I don't have a tech note. There is the public documentation, and a presentation I did at a conference that is shared (see this post).

    The documentation for Entra ID and ClearPass 6.12 is here. I'd recommend ClearPass 6.12 as you can use the full Graph API with Azure/Entra ID, whereas in ClearPass 6.11 you are stuck with the most default fields like group membership.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------