SSO with SAML

The client does not want to use Onboard, so let's think we can't use Onboard here (keep this in mind before answering).

Actual scenario

Students log in with their G Suite account to the Wi-Fi network.

Ideal scenario

The IT department wants them to be able to add or remove their own cellphones, with a limit of 2 or 3 devices.

We want to put up a portal with ClearPass in which they will have all their devices and can freely add or remove their devices.

The IT department wants to use their G Suite credentials so they can log in to this self-service webpage, which shows them all their devices.

I was thinking it was possible with SAML. Is this possible with this, or in any other way?

Thanks

----------------------------------------------------
Project engineer

Re: SSO with SAML

Anyone?

I know this is possible if I use Active Directory, but I'm not sure if I can do it with SSO and SAML with G Suite.

----------------------------------------------------
Project engineer

Re: SSO with SAML

Maybe I could use the LDAP connector with this so I could get the authentication source, which is how I do it with Active Directory... For now I'm trying to get something to test, as I just got G Suite Business and not the Enterprise I need...

If anyone knows, please answer.

----------------------------------------------------
Project engineer
Frequent Contributor I

Re: SSO with SAML

I haven't tried what you are attempting, but have you seen this link? Might shed some light.

https://community.arubanetworks.com/t5/Security/ClearPass-Configuration-Guide-Onboard-Cloud-Identity-Providers/td-p/301657

Chris Wickline | Network Engineer | York College of Pennsylvania

Re: SSO with SAML

I already got that document; I'm trying to do that.

The SAML seems to be just for Onboard, so I'm trying to see if I can get a Google account for Enterprise to see if it works, as I can use an LDAP as an authentication source. The problem right now is that I just got a Google Business account, not a Google Enterprise account, and I need a Google Enterprise account to try. Trying to get that with my manager.

But anyway, if anyone from Aruba can confirm whether what I want to do is possible, please do so, so I know it's possible and I'm not wasting my time on something that is not possible.

----------------------------------------------------
Project engineer

Re: SSO with SAML

Hi,

You can configure the Google Secure LDAP Server as an LDAP source for authorization only (it requires EAP-TLS); it does not support authentication.

You should be able to configure the Google IDP service for guest operator/registration authentication.

Follow the same Cloud Identity technote to configure SAML authentication (starts from page number 52).

IDP - Google SAML

SP - ClearPass

Enable the SSO authentication for Guest instead of Onboard.

Refer to the below configuration guide to use ClearPass as SP.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=24992


Thank you,
Saravanan

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: SSO with SAML

I think I was able to do it.

God bless your templates!!! I saw what was wrong with my config. I used a template you have in there, saw the config and figured out what was wrong. I just had to use SSO Role instead of admin privileges in the enforcement profile. (I'm still learning the universe of ClearPass, so be patient with me.)

Okay, so now I can authenticate the user via SSO, as you can see here:

registro de dispositivos.JPG

Now, actually, like I said before, they are authenticating with OAuth v2.0 with G Suite. That uses the database in the endpoint for it and the social media repository. Now with this I'll be using the Guest repository as well. In the end, the one that will manage everything will be the Guest repository, I believe.

The client wants to achieve this:

1- Authenticate students with G Suite (user and password of their email account)

2- Students can add, edit or delete the devices they have on the device management page we give them (limit those devices to 2 or 3)

3- Students do not need to log in to a captive portal every day (right now we use MAC caching and they don't need to do that, just about every week)

My questions are:

1- Will the authentication change from OAuth 2.0 to SAML for what I want to achieve?

2- Is there a way I can limit the number of devices a user can have in the Guest repository, like I did in the endpoint repository?

Thanks

----------------------------------------------------
Project engineer

Re: SSO with SAML

Hi,

Yes, the auth will change to SAML for SSO.

You can restrict the number of accounts/devices an operator can create under the operator profile (the same profile that you return as SSO Role). Navigation: ClearPass Guest >> Administration >> Operator Logins >> Profiles >> Edit your profile >> Account Limit.



Thank you,
Saravanan


Re: SSO with SAML

Another thing:

If the student wants to log in to the network, and we want to achieve what they have right now, which is that they don't want students to need to log in every day, just once per week (we have it with MAC caching), is it possible this way too?

This seems a little tricky because I guess I would be using 2 different databases if I use MAC caching (the Guest repository and the endpoint repository), and both have to match the MAC addresses, or am I wrong?

----------------------------------------------------
Project engineer

Re: SSO with SAML

Hi,

Sorry, I did not get the requirement here. My earlier answers were to configure SSO auth for students to register/manage their devices.

What is the exact requirement here?

Is this about the students registering their devices, or allowing the students to complete layer 3 auth (read: captive portal/guest access) with MAC caching for a week?

You wrote:

"IT department wants that they can add or remove their own cellphones having a limit of 2 or 3 devices"


Thank you,
Saravanan
