Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using Entra as authorization source for Guest wifi login

  • 1.  Using Entra as authorization source for Guest wifi login

    Posted 9 days ago

    Hello,

    I have been trying to add Entra as an authorization source for our guest wifi login. We already use Entra for our Admin login to CPPM and it seems to automatically save the Entra groups in an Endpoint attribute 'social_groups', that works fine.

    But we would like to check on the accountEnabled attribute of an Entra account (during MAC auths).

    I added our Entra details as a new authentication source, double-checking these with our Entra team. And we have two filters, one to get groups and one to get accountEnabled, these look like this:

    Filters:
    1. /users/{id}/memberOf?$select=displayName
    2. /users/?$select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Endpoint:Username}

    And I have referenced the second of these in our role mapping (the accountEnabled alias successfully appears as an option when I create the mapping rule).

    But when I look at MAC auths nothing at all is showing for Entra in the Input -> Authorization Attributes section of requests hitting the service.

    We are running version 6.12.2.

    Entra has been added as an authorization source on the service.

    Am I missing something?

    Thank you,

    Guy




  • 2.  RE: Using Entra as authorization source for Guest wifi login

    Posted 2 days ago

    Hi

    I have personally not tried the scenario you are trying to implement.

    Do you have the MAC addresses in Entra ID? If so, is the MAC address format the same as the format of the string returned by %{Endpoint:Username}?

    userPrincipalName is normally in the format like firstname.lastname@domain.com, and I'm thinking in your case maybe macaddress@domain.com. If so you may need to add the domain suffix to the query like the one below. I have also added the comparison eq to the query.

    /users/?$select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName eq %{Endpoint:Username}@domain.com

    Try with both just adding the eq to the query and also add a UPN suffix.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
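To illustrate the reply's suggestion (an `eq` comparison plus a UPN suffix), here is an added Python example, not code from the thread, from ClearPass or from Microsoft Graph: it normalizes the MAC value ClearPass would pass as %{Endpoint:Username}, builds the Graph request path with a single-quoted OData string literal, and evaluates that filter against a constructed user set so the accountEnabled decision can be checked offline. The domain suffix, the sample accounts and the MAC normalization are assumptions.

```python
from urllib.parse import quote

# Constructed sample of the Graph /users collection (not real accounts):
# one enabled and one disabled MAC-style account, UPN in the form mac@domain.
DIRECTORY = [
    {"userPrincipalName": "aabbccddeeff@domain.com", "accountEnabled": True,
     "department": "Guests", "mail": None, "id": "u-1"},
    {"userPrincipalName": "001122334455@domain.com", "accountEnabled": False,
     "department": "Guests", "mail": None, "id": "u-2"},
]
SELECT = ("mail", "userPrincipalName", "id", "department", "accountEnabled")

def normalize_mac(raw: str) -> str:
    """Reduce common MAC spellings (aa:bb:.., AA-BB-.., aabb..) to 12 lowercase
    hex digits. Assumed to match how Endpoint:Username is stored; adjust if not."""
    digits = "".join(c for c in raw if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def build_user_query(endpoint_username: str, upn_suffix: str) -> str:
    """Return the Graph request path for the reply's second filter, with the
    OData string literal single-quoted and the expression URL-encoded."""
    upn = f"{normalize_mac(endpoint_username)}@{upn_suffix}"
    filter_expr = f"userPrincipalName eq '{upn}'"
    keep = "'@"  # characters Graph accepts unencoded inside the literal
    return ("/users/?$select=" + ",".join(SELECT)
            + "&$filter=" + quote(filter_expr, safe=keep))

def lookup(endpoint_username: str, upn_suffix: str, directory=DIRECTORY):
    """Simulate Graph evaluating the $filter: return the selected attributes of
    the matching user, or None when nothing matches (an empty result is what an
    empty Entra block under Authorization Attributes would correspond to)."""
    upn = f"{normalize_mac(endpoint_username)}@{upn_suffix}".lower()
    for user in directory:
        if user["userPrincipalName"].lower() == upn:
            return {k: user[k] for k in SELECT}
    return None

def guest_allowed(endpoint_username: str, upn_suffix: str = "domain.com") -> bool:
    """Role-mapping decision: allow only when the account exists AND accountEnabled
    is true, so a disabled account and an unknown MAC are both denied."""
    attrs = lookup(endpoint_username, upn_suffix)
    return bool(attrs and attrs["accountEnabled"] is True)
```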