  • 1.  ClearPass Guest captive portal with Google SAML SSO login

    Posted Nov 18, 2024 07:04 PM

    I have a customer that has an existing guest captive portal for self-registration. We are coming in to add the ability for students and staff to log in using their Google login for guest wireless.

    I have set up the SSO settings with their Google as the IdP in ClearPass. I have set up the custom app on the Google side and imported the certificate from Google into the ClearPass trust list.

    I have added the URL link for the SSO Google login to the footer of the existing captive portal page. When a user connects to the guest SSID they are presented with the same captive portal page from ClearPass. Staff and students who have a school Google account can click that link on the captive portal page. This directs them to the login page for Google.

    The process all seems to work, except that when the user clicks that link to get to the Google login they get a certificate error. They are being directed to accounts.google.com, but the certificate shown is the ClearPass certificate. Because we have imported the Google certificate into ClearPass, I would expect that the trust is in place and the user should not get a certificate error. I was also expecting the client to see the Google certificate when redirected to the accounts.google.com page, not the ClearPass certificate.

    Is there a step I am missing so the client does not get a certificate warning?



  • 2.  RE: ClearPass Guest captive portal with Google SAML SSO login

    Posted Nov 18, 2024 07:53 PM

    I will just say that this stuff never works right and I would never recommend it. I'm not entirely sure Google login is supported in the CNA.




  • 3.  RE: ClearPass Guest captive portal with Google SAML SSO login
    Best Answer

    Posted Nov 19, 2024 06:37 PM

    I was able to resolve this one today. The issue was in the order of the policies of the initial guest logon role on the Aruba controller. The policy to allow Google traffic was applied to the logon role, but it was at the bottom of the list. I moved that policy up above the logon-control and captive portal policies, and we were able to test successfully with no certificate error.
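
As an added illustration of the fix described in the best answer (example configuration written for this page, not taken from the thread or from the poster's controller), the two ArubaOS role layouts below show why the position of the allow rule matters. ArubaOS evaluates a role's session ACLs top to bottom and the first match wins. The stock logon role's captiveportal ACL dst-nats TCP 80/443 to the controller's own captive-portal listener, so a permit rule for Google placed below it never sees the traffic: the client's TLS handshake to accounts.google.com is answered by the controller's captive-portal certificate, which is exactly the name-mismatch warning the first post describes. The netdestination name google-sso and the ACL name allow-google-sso are assumptions chosen for the example; the hostnames are the ones a Google sign-in needs, and real deployments may need a few more Google domains, which you find by checking the browser's failed requests during login.

```text
! --- Before: ordering that reproduces the symptom (assumed layout) ---
! Destination alias for the Google sign-in endpoint. Hostname entries are
! resolved by the controller from DNS answers it sees for the client.
netdestination google-sso
  name accounts.google.com
!
! Session ACL that lets unauthenticated clients reach that alias. Keep the
! destination narrow: a pre-auth permit to "any" would be an open bypass.
ip access-list session allow-google-sso
  any alias google-sso svc-https permit
  any alias google-sso svc-http permit
!
! Logon role with the allow rule appended last. captiveportal already
! matched and redirected TCP 443, so allow-google-sso never fires.
user-role logon
  access-list session logon-control
  access-list session captiveportal
  access-list session allow-google-sso
!
! --- After: the ordering the best answer describes ---
! Remove the rule and re-add it at position 1 so it is evaluated first.
user-role logon
  no access-list session allow-google-sso
  access-list session allow-google-sso position 1
!
! Resulting evaluation order in the logon role:
!   1. allow-google-sso   (permit to accounts.google.com, no redirect)
!   2. logon-control
!   3. captiveportal      (everything else still redirected to the portal)
```

To confirm the order took effect, `show rights logon` on the controller lists the role's session ACLs in evaluation order; the allow rule should appear first. From an unauthenticated client on the guest SSID, `openssl s_client -connect accounts.google.com:443 -servername accounts.google.com` should now return a certificate issued to Google rather than the captive-portal certificate. Two caveats: logon-control contains the DNS and DHCP permits the client needs to resolve the Google hostname at all, so the destination alias must be name-based (or the rule placed such that DNS still works), and keep the pre-auth permit limited to the specific Google hosts, since anything permitted in the logon role is reachable without authentication.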