Security

Technically this is a phone OS problem, but bear with me ...

I have a captive portal on a PSK guest network, for guest and staff personal devices. There's a standard registration form for sponsor approval, or I've set up OAuth to Azure AD for staff to log in with. This works fine. The problem is we're rolling out MFA, and preferencing MS Authenticator with number match. When the number match part of the login appears in the iOS or Android captive portal browser, the user switches to MS Authenticator to enter the number, but when they try to switch back to the captive portal browser, it's disappeared, and so the registration with ClearPass doesn't complete.

I tried to bypass MFA for the ClearPass app in the Azure Conditional Access policy, but it can't be done since ClearPass access Windows Azure AD (which itself can't be excluded) which triggers MFA anyway. This was confirmed by MS support, see these links for some details

Conditional Access service dependencies - Azure Active Directory - Microsoft Entra
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps

So I'm stuck at the intersection of ClearPass, phone OS and Azure AD and none of them have a solution or even a workaround to the problem. Does anyone have any ideas on what I could do to make it work?

Thanks

That may be a hard problem to solve; I heard the same issue with SMS codes where if you open the SMS app, you lose access to the mini-browser and can't login. Someone may have found a solution to that problem, and solve yours with the same approach.

Two suggestions that you could have a look at:
- If you can use the 'redirect URL' to open a normal browser on a 'dummy login', you could try to get around this. I'm just not sure if the redirect URL will work on all devices, it may be that the mini-browser just shuts down.
- With ClearPass 6.11 there is now support for CAPPORT (RFC8908/8910) which should open a normal webbrowser which may not have the same issue.

If you found a solution, please share!

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Oct 06, 2022 12:14 PM
From: James Andrewartha
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

Technically this is a phone OS problem, but bear with me ...

I have a captive portal on a PSK guest network, for guest and staff personal devices. There's a standard registration form for sponsor approval, or I've set up OAuth to Azure AD for staff to log in with. This works fine. The problem is we're rolling out MFA, and preferencing MS Authenticator with number match. When the number match part of the login appears in the iOS or Android captive portal browser, the user switches to MS Authenticator to enter the number, but when they try to switch back to the captive portal browser, it's disappeared, and so the registration with ClearPass doesn't complete.

I tried to bypass MFA for the ClearPass app in the Azure Conditional Access policy, but it can't be done since ClearPass access Windows Azure AD (which itself can't be excluded) which triggers MFA anyway. This was confirmed by MS support, see these links for some details

Conditional Access service dependencies - Azure Active Directory - Microsoft Entra
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps

So I'm stuck at the intersection of ClearPass, phone OS and Azure AD and none of them have a solution or even a workaround to the problem. Does anyone have any ideas on what I could do to make it work?

Thanks

How is ClearPass involved in the CAPPORT (RFC8908/8910) process?  I see from the RFCs it looks like a DHCP option so not sure how ClearPass would be delivering that option to a client.
Original Message:
Sent: Oct 11, 2022 05:32 AM
From: Herman Robers
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

That may be a hard problem to solve; I heard the same issue with SMS codes where if you open the SMS app, you lose access to the mini-browser and can't login. Someone may have found a solution to that problem, and solve yours with the same approach.

Two suggestions that you could have a look at:
- If you can use the 'redirect URL' to open a normal browser on a 'dummy login', you could try to get around this. I'm just not sure if the redirect URL will work on all devices, it may be that the mini-browser just shuts down.
- With ClearPass 6.11 there is now support for CAPPORT (RFC8908/8910) which should open a normal webbrowser which may not have the same issue.

If you found a solution, please share!

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 06, 2022 12:14 PM
From: James Andrewartha
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

Technically this is a phone OS problem, but bear with me ...

I have a captive portal on a PSK guest network, for guest and staff personal devices. There's a standard registration form for sponsor approval, or I've set up OAuth to Azure AD for staff to log in with. This works fine. The problem is we're rolling out MFA, and preferencing MS Authenticator with number match. When the number match part of the login appears in the iOS or Android captive portal browser, the user switches to MS Authenticator to enter the number, but when they try to switch back to the captive portal browser, it's disappeared, and so the registration with ClearPass doesn't complete.

I tried to bypass MFA for the ClearPass app in the Azure Conditional Access policy, but it can't be done since ClearPass access Windows Azure AD (which itself can't be excluded) which triggers MFA anyway. This was confirmed by MS support, see these links for some details

Conditional Access service dependencies - Azure Active Directory - Microsoft Entra
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps

So I'm stuck at the intersection of ClearPass, phone OS and Azure AD and none of them have a solution or even a workaround to the problem. Does anyone have any ideas on what I could do to make it work?

Thanks

Yes, RFC 8910 is the DHCP option, which you point at ClearPass which hosts the actual API (RFC 8908). What does the user experience look like, does it actually open a full browser? Apple says "the experience looks the same for legacy captive networks and networks that adopt these standards"

The bigger issue is 6.11 requires a full reinstall of ClearPass and restore from backup, which is a fair bit of work.

SMS is generally OK because you can read the value from notification instead of having to switch app.

I've opened a case with TAC, and I heard from someone else with the same problem that it might have to be a feature request for ClearPass to use OIDC instead of direct API calls so that MFA can be bypassed.

Original Message:
Sent: Oct 11, 2022 07:46 AM
From: Unknown User
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

How is ClearPass involved in the CAPPORT (RFC8908/8910) process?  I see from the RFCs it looks like a DHCP option so not sure how ClearPass would be delivering that option to a client.
Original Message:
Sent: Oct 11, 2022 05:32 AM
From: Herman Robers
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

That may be a hard problem to solve; I heard the same issue with SMS codes where if you open the SMS app, you lose access to the mini-browser and can't login. Someone may have found a solution to that problem, and solve yours with the same approach.

Two suggestions that you could have a look at:
- If you can use the 'redirect URL' to open a normal browser on a 'dummy login', you could try to get around this. I'm just not sure if the redirect URL will work on all devices, it may be that the mini-browser just shuts down.
- With ClearPass 6.11 there is now support for CAPPORT (RFC8908/8910) which should open a normal webbrowser which may not have the same issue.

If you found a solution, please share!

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 06, 2022 12:14 PM
From: James Andrewartha
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

Technically this is a phone OS problem, but bear with me ...

I have a captive portal on a PSK guest network, for guest and staff personal devices. There's a standard registration form for sponsor approval, or I've set up OAuth to Azure AD for staff to log in with. This works fine. The problem is we're rolling out MFA, and preferencing MS Authenticator with number match. When the number match part of the login appears in the iOS or Android captive portal browser, the user switches to MS Authenticator to enter the number, but when they try to switch back to the captive portal browser, it's disappeared, and so the registration with ClearPass doesn't complete.

I tried to bypass MFA for the ClearPass app in the Azure Conditional Access policy, but it can't be done since ClearPass access Windows Azure AD (which itself can't be excluded) which triggers MFA anyway. This was confirmed by MS support, see these links for some details

Conditional Access service dependencies - Azure Active Directory - Microsoft Entra
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps

So I'm stuck at the intersection of ClearPass, phone OS and Azure AD and none of them have a solution or even a workaround to the problem. Does anyone have any ideas on what I could do to make it work?

Thanks

Hi, TRS-80. Still without any solution?
Yes, you can use the implementation of MFA by policies and not per user, in the Azure, and apply restrictions that can make the application of the captive portal doesn´t require a MFA. By location, device type and even by application. Try again. You can easily do it.

Original Message:
Sent: Oct 06, 2022 12:14 PM
From: TRS-80
Subject: ClearPass captive portal with Azure AD registration doesn't work with number match MFA on Android or iOS

Technically this is a phone OS problem, but bear with me ...

I have a captive portal on a PSK guest network, for guest and staff personal devices. There's a standard registration form for sponsor approval, or I've set up OAuth to Azure AD for staff to log in with. This works fine. The problem is we're rolling out MFA, and preferencing MS Authenticator with number match. When the number match part of the login appears in the iOS or Android captive portal browser, the user switches to MS Authenticator to enter the number, but when they try to switch back to the captive portal browser, it's disappeared, and so the registration with ClearPass doesn't complete.

I tried to bypass MFA for the ClearPass app in the Azure Conditional Access policy, but it can't be done since ClearPass access Windows Azure AD (which itself can't be excluded) which triggers MFA anyway. This was confirmed by MS support, see these links for some details

Conditional Access service dependencies - Azure Active Directory - Microsoft Entra
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps

So I'm stuck at the intersection of ClearPass, phone OS and Azure AD and none of them have a solution or even a workaround to the problem. Does anyone have any ideas on what I could do to make it work?

Thanks