Aruba Central

CloudAuth rejects user after successful onboard

  • 1.  CloudAuth rejects user after successful onboard

    Posted Sep 15, 2022 04:55 AM
    Hello community,

    I'm trying Aruba Central CloudAuth integration with Azure. This is a PoC, so at the moment I'm using Azure Free Trial.

    I did all the integration part successfully and managed to onboard several devices.

    But when trying to connect to the CloudAuth SSID, the device/user is rejected, stating that authentication was successful but the authorization part failed.

    On Azure I created a security group called Central and added several accounts there, which I'm using for onboarding and connecting.

    At the moment there is an open TAC case, but with no progress.

    What am I missing?


  • 2.  RE: CloudAuth rejects user after successful onboard

    EMPLOYEE
    Posted Sep 15, 2022 08:17 AM
    Please note that there may be a delay in synchronization between when you put users in an Azure AD group and when it is picked up.

    Also make sure the API/Application you created in Azure AD has proper rights to read group membership and user data.

    Do you have a mapping in Cloud Auth that maps at least one group this user is in to a role on the network? If there is no matching group, the authorization will be rejected.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CloudAuth rejects user after successful onboard

    Posted Sep 15, 2022 09:41 AM
    Hi Herman,

    I did this configuration as shown in the configuration guide (https://www.arubanetworks.com/techdocs/central/latest/content/nms/policy/ca-azure.htm).
    App API permissions below:


    And yes, the security group on Azure AD called Central is synced with CloudAuth, and its members are all my users (three at this moment). Onboarding was successful.
    Are there any Azure AD license caveats, like a minimum license requirement?


  • 4.  RE: CloudAuth rejects user after successful onboard

    EMPLOYEE
    Posted Sep 15, 2022 10:32 AM
    I'm not an Azure AD licensing expert, but I have not heard about specific Azure AD requirements for Cloud Authentication & Policy.

    Would you mind trying to add IdentityProvider.Read.All and People.Read.All as permissions? This is what I did:
    ... but I see these were in the documentation before and were taken out, which suggests to me that they are in fact not needed, but you can try if that helps.

    As mentioned, if authentication is successful but authorization fails, that very likely means onboarding went fine and the client can successfully authenticate, but the group mapping failed for some reason. TAC can probably verify for your instance whether the user-to-group mappings were successfully synced/retrieved, which may be where the issue lies if they weren't. That is separate from the group pulldown you use to select the Azure AD groups in Central.

    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: CloudAuth rejects user after successful onboard

    Posted Sep 16, 2022 02:09 PM
    Finally got it.

    The problem was that at first I was using accounts external to Microsoft (Gmail), so Azure AD created very strange, long User Principal Names:

    When connecting to the CloudAuth SSID, the username was the simple Gmail account, so this failed.

    After that I added a custom domain name, created a new user with it, onboarded and connected to CloudAuth. Now the User Principal Names are in the correct format: user@domain.
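The two failure modes raised in this thread (a supplicant username that does not match the Azure AD userPrincipalName, and a user who is in no group that CloudAuth maps to a role) can be reproduced offline. The script below is an added example, not code from the thread or from Aruba; the user and group records are constructed in the shape Microsoft Graph returns them, the group-to-role mapping and role name are hypothetical, and it assumes CloudAuth keys authorization on the UPN, which is what the final post reports. The `#EXT#` UPN form it decodes is the one Azure AD generates for guests created from an external address.

```python
"""Offline reproduction of a CloudAuth "authenticated but not authorized" result.

Added example (not Aruba's code). Models two checks the replies point at:
  1. does the username presented at the SSID equal the Azure AD userPrincipalName?
  2. is that user a member of a group that has a CloudAuth role mapping?
"""

# Constructed sample of what Graph /users returns: one guest created from a
# Gmail address (Azure AD encodes the original e-mail into the UPN as
# local_domain#EXT#@tenant) and two members on a verified custom domain.
USERS = [
    {"id": "u1", "userPrincipalName": "alice_gmail.com#EXT#@contoso.onmicrosoft.com",
     "mail": "alice@gmail.com", "userType": "Guest"},
    {"id": "u2", "userPrincipalName": "bob@corp.example",
     "mail": "bob@corp.example", "userType": "Member"},
    {"id": "u3", "userPrincipalName": "carol@corp.example",
     "mail": "carol@corp.example", "userType": "Member"},
]

# Constructed sample of group membership (Graph /groups/{id}/members),
# keyed by displayName for readability.
GROUP_MEMBERS = {
    "Central": {"u1", "u2"},
    "Guests": {"u3"},
}

# Hypothetical CloudAuth group-to-role mapping; only "Central" is mapped.
ROLE_MAPPING = {"Central": "employee"}


def external_identity(upn: str):
    """Recover the original external e-mail from a guest UPN, else None.

    Azure AD replaces the '@' of the invited address with '_' and appends
    '#EXT#@<tenant>'. The original local part may itself contain '_', so the
    LAST underscore before the marker is the one that stood for '@'.
    """
    marker = "#EXT#@"
    if marker not in upn:
        return None
    encoded, _tenant = upn.split(marker, 1)
    local, sep, domain = encoded.rpartition("_")
    if not sep:
        return None
    return f"{local}@{domain}"


def authorize(username: str):
    """Return (role or None, reason) as a UPN-keyed authorization step would."""
    uname = username.strip().lower()
    user = next((u for u in USERS if u["userPrincipalName"].lower() == uname), None)
    if user is None:
        # Distinguish "unknown user" from "known guest, wrong identifier" so the
        # operator sees why the Gmail username in the thread could never match.
        for u in USERS:
            if (external_identity(u["userPrincipalName"]) or "").lower() == uname:
                return None, (
                    f"'{username}' is the mail of guest {u['userPrincipalName']} but not "
                    "its userPrincipalName; connect with the UPN or create the user on a "
                    "verified custom domain"
                )
        return None, "no user with this userPrincipalName"

    groups = [g for g, members in GROUP_MEMBERS.items() if user["id"] in members]
    for g in groups:
        if g in ROLE_MAPPING:
            return ROLE_MAPPING[g], f"group {g} is mapped to role {ROLE_MAPPING[g]}"
    return None, f"user is in {groups or 'no groups'}, none mapped to a role"


if __name__ == "__main__":
    for name in ("alice@gmail.com",
                 "alice_gmail.com#EXT#@contoso.onmicrosoft.com",
                 "bob@corp.example",
                 "carol@corp.example",
                 "nobody@corp.example"):
        role, reason = authorize(name)
        print(f"{name:50} -> {role or 'REJECT':8} ({reason})")
```

Running the script shows the thread's symptom in miniature: `alice@gmail.com` is rejected with a pointer at the `#EXT#` UPN, `carol@corp.example` is rejected because her only group has no mapping (the case Herman's reply describes), and `bob@corp.example` gets the role. When checking a live tenant, pull the same fields with the Graph permissions the linked Aruba guide lists and compare the UPN literally against what the supplicant sends.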