OAuth2.0 integration with ClearPass Onboard

  • 1.  OAuth2.0 integration with ClearPass Onboard

    Posted Jul 21, 2022 06:19 AM

    Hi community,

    We are building a PoC for our client and we are trying to integrate the ClearPass Onboard page with OAuth 2.0 with G Suite. SAML is not an option, because with it we can have only one SSO login page on ClearPass, when we need six G Suite organizations, and there will be more in the future.

    We are referring to the ClearPass Onboard and Cloud Identity providers documentation. But it seems that it is a bit outdated. There are new configuration options on G Suite.

    Firstly, when creating OAuth2.0 credentials, G Suite asks to configure OAuth consent:

    Secondly, when trying to log in with G Suite admin credentials to https://groups.google.com/forum/#!forum/risky-access-by-unreviewed-apps to allow custom OAuth web apps, it seems that the admin doesn't have enough permissions:

    After all, we tried to use the Internal User type, and then created OAuth credentials with all needed Authorized redirect URIs, enabled the Google+ and Admin SDK APIs and configured the ClearPass Onboard web page as described in the documentation.

    When trying to reach the Onboard page, there should be a redirect, but we are only getting "Required field unavailable".

    In the Application logs we see 'Auto redirect' and '_REQUESTS' logs:

    How can we do this integration correctly?

    What User type should we use? 

    Is there another way to allow risky access by unreviewed apps?

    Thanks for support!



  • 2.  RE: OAuth2.0 integration with ClearPass Onboard

    EMPLOYEE
    Posted Jul 22, 2022 05:33 AM
    Unfortunately, I don't have access to a G-Suite account, but let me try to give my view on what I see.

    For the consent, you probably should pick internal. From the description, I gather that internal is used to authenticate users that are in your G-Suite. External can authenticate any Google Account and requires approval/additional configuration at some point in time. I assume you only need to Onboard users in your own identity store.

    The risky applications screen seems to be related to your admin account level. If there is a higher level admin account, you could try that. For example the account that was used to create the organization or the first admin created (apologies, I don't have access to G-Suite so just making interpretations).

    The Required Field missing message is in many cases related to a missing client MAC address, which is required for Onboard (and most Guest workflows) to operate. The MAC address is mostly added by the redirect, and makes opening the Webauth page from the ClearPass backend fail. You could try if it works when you add ?mac=00:00:00:00:00:00 to the end of the URL of the guest/onboard page, or if there is already a ? in the URL, add &mac=00:00:00:00:00:00 to the end to see if the 'required field missing' disappears.

    What also may help is using the developer tools in your browser (Ctrl-Shift-I / CMD-Shift-I on mac) to trace the request and redirects.

    Also, make sure that you have all (publicly trusted) certificates in place, as I have seen similar issues where people tried to make things work with self-signed certificates and spent a lot of time troubleshooting, where everything started working as expected immediately after installing the proper certificates.

    As there are quite some moving parts here, it may be beneficial to work interactively with your Aruba partner or Aruba Support to go step-by-step through the process and see where things break.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
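The URL tweak Herman suggests above (append `?mac=…`, or `&mac=…` when the URL already carries a query string), as an added Python helper that is not code from this thread or from ClearPass: it picks `?` or `&` automatically, replaces any existing `mac` value instead of duplicating it, keeps the `#fragment`, and normalizes the address to the colon-separated form. The ClearPass hostname and page path in the usage are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder address from the post; any syntactically valid MAC works for the test.
PLACEHOLDER_MAC = "00:00:00:00:00:00"


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return colon form."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def with_mac_param(url: str, mac: str = PLACEHOLDER_MAC) -> str:
    """Return url with a single mac= query parameter.

    Uses '?' when the URL has no query string and '&' when it already has one,
    drops any earlier mac= value, and leaves other parameters and the fragment alone.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "mac"]
    query.append(("mac", normalize_mac(mac)))
    # safe=":" keeps the colons literal, matching the form shown in the post.
    return urlunsplit(parts._replace(query=urlencode(query, safe=":")))


if __name__ == "__main__":
    # Constructed example URL; the real Onboard page URL comes from your ClearPass deployment.
    base = "https://clearpass.example.net/guest/onboard.php"
    print(with_mac_param(base))
    print(with_mac_param(base + "?lang=en", "AA-BB-CC-DD-EE-FF"))
```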



  • 3.  RE: OAuth2.0 integration with ClearPass Onboard

    Posted Jul 22, 2022 07:05 AM
    Hi Herman,

    Thank you for the quick response.
    You are right, at the moment I'm doing the Onboard test only through the backend, no redirect, so no MAC address on the URL. When trying to add ?mac=xx:xx:xx:xx:xx:xx, the redirect to Google worked and I managed to get the client certificate and profile.

    Thank you once more!

    P.S. There is a free trial period to test G Suite: https://workspace.google.com/business/signup/welcome