Security

Hello community,

I am struggling with SAML and OAuth via Google Workspace. Before deploy this configuration to my customer i wanted to try in my lab environment and i've faced with strange issue. In short, my customer is a school and they have google workspace. They want that their students should login with their google accounts. And i come with this solution but cant get it work. 

In my lab;

I have one clearpass server and one standalone controller. There is an open SSID which redirects users to captive portal page that hosted on clearpass. Also this page have configured with pre-auth check with SAML option. When client connects to SSID it redirects automatically accounts.google.com. After that, login with proper user/pw it triggers an appliaciton service on clearpass side. But after successfull login through accounts.google.com client redirected captiveportal-login.<domain name>/cgi-login/bin/errmsg=AccessDenied. All certificates imported to clearpass and controller properly. 

I believe that controller is not able to generate a radius request with this user/pw or client can't send the information to controller. 

Any help or suggestions would be great! Thanks in advance!

Hi,

I tried with default web login page without pre-auth check. After enter the username/pw it redirects captiveportal-login.domain.com and this website's cert is securelogin.arubanetworks.com. How is this happening? I uploaded wildcard certs to controller and clearpass but it is not working. Maybe is there a certificate trust issue?

Hello community,

I am struggling with SAML and OAuth via Google Workspace. Before deploy this configuration to my customer i wanted to try in my lab environment and i've faced with strange issue. In short, my customer is a school and they have google workspace. They want that their students should login with their google accounts. And i come with this solution but cant get it work. 

In my lab;

I have one clearpass server and one standalone controller. There is an open SSID which redirects users to captive portal page that hosted on clearpass. Also this page have configured with pre-auth check with SAML option. When client connects to SSID it redirects automatically accounts.google.com. After that, login with proper user/pw it triggers an appliaciton service on clearpass side. But after successfull login through accounts.google.com client redirected captiveportal-login.<domain name>/cgi-login/bin/errmsg=AccessDenied. All certificates imported to clearpass and controller properly. 

I believe that controller is not able to generate a radius request with this user/pw or client can't send the information to controller. 

Any help or suggestions would be great! Thanks in advance!