That may be a hard problem to solve; I heard of the same issue with SMS codes, where if you open the SMS app, you lose access to the mini-browser and can't log in. Someone may have found a solution to that problem and solved yours with the same approach.
Two suggestions that you could have a look at:
- If you can use the 'redirect URL' to open a normal browser on a 'dummy login', you could try to get around this. I'm just not sure if the redirect URL will work on all devices, it may be that the mini-browser just shuts down.
- With ClearPass 6.11 there is now support for CAPPORT (RFC 8908/8910), which should open a normal web browser that may not have the same issue.
If you found a solution, please share!
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
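As an added illustration of the CAPPORT mechanism mentioned in the reply above (example code, not from either post or from ClearPass): a small Python sketch that encodes the RFC 8910 DHCPv4 option 114 advertising the API URL, and validates an RFC 8908 `application/captive+json` response before a client would open the portal URL in a normal browser. The URLs and JSON body are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# RFC 8910: DHCPv4 option 114 carries the captive-portal API URI as UTF-8 text.
DHCPV4_CAPTIVE_PORTAL_OPTION = 114
# RFC 8908: the API server answers with this media type over HTTPS.
CAPPORT_MEDIA_TYPE = "application/captive+json"

def encode_dhcpv4_option114(api_url: str) -> bytes:
    """Build the option TLV (code, length, URI). RFC 8908 requires an https API URI."""
    parts = urlsplit(api_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("CAPPORT API URI must be an absolute https URL")
    body = api_url.encode("utf-8")
    if len(body) > 255:
        raise ValueError("DHCPv4 option payload is limited to 255 bytes")
    return bytes([DHCPV4_CAPTIVE_PORTAL_OPTION, len(body)]) + body

def decode_dhcpv4_option114(tlv: bytes) -> str:
    """Reverse of encode: check code and length byte, return the URI."""
    if len(tlv) < 2 or tlv[0] != DHCPV4_CAPTIVE_PORTAL_OPTION or tlv[1] != len(tlv) - 2:
        raise ValueError("malformed option 114")
    return tlv[2:].decode("utf-8")

def parse_capport_response(content_type: str, body: str) -> dict:
    """Validate an RFC 8908 API response and return the fields a client acts on.
    'captive' is the only required key; the others are optional."""
    if content_type.split(";")[0].strip().lower() != CAPPORT_MEDIA_TYPE:
        raise ValueError(f"unexpected media type {content_type!r}")
    data = json.loads(body)
    if not isinstance(data.get("captive"), bool):
        raise ValueError("'captive' must be a JSON boolean")
    portal = data.get("user-portal-url")
    if portal is not None and not urlsplit(portal).netloc:
        raise ValueError("user-portal-url must be an absolute URL")
    return {
        "captive": data["captive"],
        "user_portal_url": portal,
        "seconds_remaining": data.get("seconds-remaining"),
        "can_extend_session": data.get("can-extend-session", False),
    }

# Constructed sample values (placeholders, not a real deployment).
SAMPLE_API_URL = "https://capport.example.net/api"
SAMPLE_BODY = '{"captive": true, "user-portal-url": "https://portal.example.net/login"}'

if __name__ == "__main__":
    print(decode_dhcpv4_option114(encode_dhcpv4_option114(SAMPLE_API_URL)))
    print(parse_capport_response(CAPPORT_MEDIA_TYPE, SAMPLE_BODY))
```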
Original Message:
Sent: Oct 06, 2022 12:14 PM
From: James Andrewartha
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS
Technically this is a phone OS problem, but bear with me ...
I have a captive portal on a PSK guest network, for guest and staff personal devices. There's a standard registration form for sponsor approval, or I've set up OAuth to Azure AD for staff to log in with. This works fine. The problem is we're rolling out MFA, and preferencing MS Authenticator with number match. When the number match part of the login appears in the iOS or Android captive portal browser, the user switches to MS Authenticator to enter the number, but when they try to switch back to the captive portal browser, it's disappeared, and so the registration with ClearPass doesn't complete.
I tried to bypass MFA for the ClearPass app in the Azure Conditional Access policy, but it can't be done since ClearPass accesses Windows Azure AD (which itself can't be excluded), which triggers MFA anyway. This was confirmed by MS support; see these links for some details:
Conditional Access service dependencies - Azure Active Directory - Microsoft Entra
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps
So I'm stuck at the intersection of ClearPass, phone OS and Azure AD and none of them have a solution or even a workaround to the problem. Does anyone have any ideas on what I could do to make it work?
Thanks