Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SSO with SAML

  • 1.  SSO with SAML

    Posted Mar 24, 2020 05:05 PM

    The client does not want to use Onboard, so let's assume we can't use Onboard here (keep this in mind before answering).

     

    Actual scenario

    Students log in to the Wi-Fi network with their G Suite account.

     

    Ideal scenario

    The IT department wants them to be able to add or remove their own cellphones, with a limit of 2 or 3 devices.

     

    We want to put up a portal with ClearPass in which they will have all their devices and can freely add or remove them.

    The IT department wants to use their G Suite credentials so they can log in to this self-service web page, which shows them all their devices.

     

    I was thinking it was possible with SAML. Is this possible with that, or in any other way?

     

    Thanks

     

     

     



  • 2.  RE: SSO with SAML

    Posted Mar 26, 2020 10:30 AM

    Anyone?

    I know this is possible if I use Active Directory, but I'm not sure if I can do it with SSO and SAML with G Suite.



  • 3.  RE: SSO with SAML

    Posted Mar 26, 2020 01:42 PM

    Maybe I could use the LDAP connector with this so I could get the authentication source, which is how I do it with Active Directory... For now I'm trying to get something to test, as I just got G Suite Business and not the Enterprise edition I need...

     

    If anyone knows, please answer.



  • 4.  RE: SSO with SAML

    Posted Mar 26, 2020 02:01 PM

    I haven't tried what you are attempting, but have you seen this link? It might shed some light.

     

    https://community.arubanetworks.com/t5/Security/ClearPass-Configuration-Guide-Onboard-Cloud-Identity-Providers/td-p/301657



  • 5.  RE: SSO with SAML

    Posted Mar 26, 2020 02:51 PM

    I already have that document; I'm trying to do that.

     

    The SAML part seems to be just for Onboard, so I'm trying to see if I can get a Google Enterprise account to see if it works, as I can use LDAP as an authentication source. The problem right now is that I just have a Google Business account, not a Google Enterprise account, and I need a Google Enterprise account to try. Trying to get that with my manager.

     

    But anyway, if anyone from Aruba can confirm whether what I want to do is possible, please do so, so I know it's possible and I'm not wasting my time on something that isn't.



  • 6.  RE: SSO with SAML

    EMPLOYEE
    Posted Mar 26, 2020 09:27 PM

    Hi,

     

    You can configure the Google Secure LDAP server as an LDAP source for authorization only (it requires EAP-TLS); it does not support authentication.

     

    You should be able to configure the Google IDP service for guest operator/registration authentication.

    Follow the same Cloud Identity technote to configure SAML authentication (starts from page number 52).

    IDP - Google SAML

    SP - ClearPass

     

    Enable the SSO authentication for Guest instead of OnBoard.

    Refer to the below configuration guide to use ClearPass as SP.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=24992



  • 7.  RE: SSO with SAML

    Posted Mar 27, 2020 02:55 PM

    I think I was able to do it.

    God bless your templates!!! I saw what was wrong with my config. I used a template you have in there, saw the config and figured out what was wrong. I just had to use SSO Role instead of admin privileges in the enforcement profile. (I'm still learning the universe of ClearPass, so be patient with me.)

     

    Okay, so now I can authenticate the user via SSO, as you can see here:

    [screenshot: registro de dispositivos.JPG]

     

    Now, actually, like I said before, they are authenticating with OAuth 2.0 with G Suite. That uses the endpoint database for it and the social media repository. Now with this I'll be using the Guest repository as well. In the end, the one that will manage everything will be the Guest repository, I believe.

     

    The client wants to achieve this:

    1-Authenticate students with G Suite (user and password of their email account)

    2-Students can add, edit or delete the devices they have on the device management page we give them (limit those devices to 2 or 3)

    3-The student does not need to log in to a captive portal every day (right now we use MAC caching and they don't need to do that, just once a week or so)

     

     

    My questions are

     

    1-Will the authentication change from OAuth 2.0 to SAML for what I want to achieve?

    2-Is there a way I can limit the number of devices a user can have in the guest repository, like I did in the endpoint repository?

     

    Thanks



  • 8.  RE: SSO with SAML

    EMPLOYEE
    Posted Mar 27, 2020 04:20 PM

    Hi,

     

    Yes, the auth will change to SAML for SSO.

    You can restrict the number of accounts/devices an operator can create under the operator profile (the same profile that you return as the SSO Role). Navigation: ClearPass Guest >> Administration >> Operator Logins >> Profiles >> Edit your profile >> Account Limit.

     


    @cdelarosa wrote:

    My questions are

     

    1-Will the authentication change from OAuth 2.0 to SAML for what I want to achieve?

    2-Is there a way I can limit the number of devices a user can have in the guest repository, like I did in the endpoint repository?

     

    Thanks


     



  • 9.  RE: SSO with SAML

    Posted Mar 27, 2020 05:13 PM

    Another thing.

    If the student wants to log in to the network, and we want to achieve what they have right now, which is that they don't want the student to need to log in every day, just once per week (we have it with MAC caching), is it possible this way too?

    This seems a little tricky because I guess I would be using 2 different databases if I use MAC caching (the guest repository and the endpoint repository), and both have to match the MAC addresses, or am I wrong?

     



  • 10.  RE: SSO with SAML

    EMPLOYEE
    Posted Mar 27, 2020 06:00 PM

    Hi,

     

    Sorry, I did not get the requirement here. My earlier answers were for configuring SSO auth for students to register/manage their devices.

     

    What is the exact requirement here?

    Is this about the students registering their devices, or about allowing the students to complete layer 3 auth (read: captive portal/guest access) with MAC caching for a week?

     

    You wrote:

    "IT department wants that they can add or remove their own cellphones having a limit of 2 or 3 devices"



  • 11.  RE: SSO with SAML

    Posted Mar 30, 2020 05:45 PM

    Hello Saravanan,

    The requirements are the following:

     

    1-The student must authenticate with G Suite to log in to the Wi-Fi network

    2-The student must not have the difficulty of having to re-authenticate each day. They might be able to re-authenticate every week, or it could be each year (the client was asking me to do this). I'm doing this right now with MAC caching

    3-The student must have a limit of 2 devices

    4-The IT department should be able to add more devices to one user if they want. For example, if the user has a limit of 2 because that is the general rule, the IT department should be able to add 2 devices to that specific student if they want

    5-The student must have a portal where he can add, edit or delete the devices he owns

     

    Cheers

    Carlos

     

     



  • 12.  RE: SSO with SAML

    EMPLOYEE
    Posted Mar 31, 2020 03:31 PM

    It is confusing when you try to extend the device limit for non-registered guest users (using a G Suite account for login) + device registration. If you want to achieve this, then you have to force the students to register their devices first and then allow them to authenticate via a captive portal.

    But,

    Why do you want device registration + captive portal auth?

    And what is your plan for headless devices?

     

    You can follow the section titled "ClearPass SP Configuration for Guest User Access" from the SAML Configuration guide for requirement #1. Just enable MAC caching and the endpoint device limit to complete requirements #2 and #3.

    Note: The Endpoint Unique device limit enforcement will restrict access to two specific devices. If you need the restriction based on unique sessions then follow - https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-limit-ClearPass-guest-concurrent-simultaneous-sessions/ta-p/303067



  • 13.  RE: SSO with SAML

    Posted Apr 01, 2020 03:44 PM

    Thanks for your reply, Saravanan.

    Let's forget about the captive portal part.

     

    Let's focus on the device registration only, and on accessing that with a G Suite account (I already accomplished this).

     

    If the user adds a device, he adds this device to the endpoint device repository, but if he deletes it, it does not delete it!

     

    I was thinking of just using MAC authentication for all this:

     

    WPA2 Personal + MAC authentication + users doing their device administration on the device registration portal.

     

    But now the problem I have is that if the user deletes the device, it will not delete it from the endpoint repository.

     

    If you have an idea, Saravanan, I'm open to ideas too.

     

    The only requirement from the client is that nothing must be installed on student devices (like, for example, an Onboard solution would do).



  • 14.  RE: SSO with SAML

    Posted Apr 01, 2020 05:37 PM

    Do you have any idea why this rule does not work?

    [screenshots: MACAtuh1.JPG, MACAtuh2.JPG]

     

    Why is the integer not valid? I mean, it's the same, or it looks the same. The idea I had is that if the MAC is in the guest device repository then give it access, and if it's not there, then do not give it access, but that doesn't seem to work either.

     

     



  • 15.  RE: SSO with SAML

    EMPLOYEE
    Posted Apr 01, 2020 07:40 PM

    Hi,

     

    Try:
    Authorization:[Guest Device Repository] >> Device Account Active == true

     

    Use the authorization attribute:
    [screenshot: guest_device_authorization.jpg]

    -- Filter query of the [Guest Device Repository] authorization source.
    -- Every column it returns (is_expired, is_enabled, is_active) becomes an
    -- authorization attribute that enforcement conditions can test.
    -- A NULL expire_time means the device never expires; is_active is true only
    -- when the device is not expired, has already started, and is enabled.
    -- user_id holds the device MAC in upper-case hyphenated form, so the request
    -- MAC is rendered in that same format for the lookup.
    SELECT
    CASE WHEN expire_time is null or expire_time > now() THEN 'false'
    ELSE 'true'
    END AS is_expired,
    CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled,
    CASE WHEN (expire_time is null or expire_time > now()) and (start_time < now()) and (enabled = true) THEN 'true' ELSE 'false' END as is_active
    FROM tips_guest_users
    WHERE ((guest_type = 'DEVICE') AND (user_id = '%{Connection:Client-Mac-Address-Upper-Hyphen}') AND (app_name = 'Guest'))



  • 16.  RE: SSO with SAML

    EMPLOYEE
    Posted Apr 02, 2020 01:16 PM

    Hi,

     

    You may consider using the [Guest Device Repository] as an authentication source instead of relying on the Endpoint Repository.


    @cdelarosa wrote:

    Thanks for your reply, Saravanan.

    Let's forget about the captive portal part.

     

    Let's focus on the device registration only, and on accessing that with a G Suite account (I already accomplished this).

     

    If the user adds a device, he adds this device to the endpoint device repository, but if he deletes it, it does not delete it!

     

    I was thinking of just using MAC authentication for all this:

     

    WPA2 Personal + MAC authentication + users doing their device administration on the device registration portal.

     

    But now the problem I have is that if the user deletes the device, it will not delete it from the endpoint repository.

     

    If you have an idea, Saravanan, I'm open to ideas too.

     

    The only requirement from the client is that nothing must be installed on student devices (like, for example, an Onboard solution would do).


     



  • 17.  RE: SSO with SAML

    Posted Apr 02, 2020 01:51 PM

    That's the idea.

    That's why I wanted to do what I posted in my previous post. I haven't tried it yet, but as soon as I can I'll try.



  • 18.  RE: SSO with SAML

    EMPLOYEE
    Posted Apr 02, 2020 02:58 PM

    FYI - MAC authentication against the [Guest Device Repository] will pass only for active devices. Devices with inactive/disabled/expired status will not pass authentication. So you may not need additional authorization checks.



  • 19.  RE: SSO with SAML

    Posted Apr 02, 2020 04:58 PM

    It seems to work, but I'm getting a weird error: [screenshot: Seems to work but i get this alert.JPG]

     

    In this case I have the user added to the guest device repository. If it's there, it will let the device onto the wireless network; if it is not in the device repository, it will not let it onto the network, because it will tell you "user not found", which is fine. It's working as expected, but I'm getting that error above, and also I don't know how it gets onto the network, because it's saying there that it is applying the reject profile! It's just odd.

     

    I also believe the rule is configured here:

    [screenshot: Guestdevice repository.JPG]

     

    Here is the enforcement rule, which is really simple for now:

    [screenshot: enformenet.JPG]

     

     



  • 20.  RE: SSO with SAML

    EMPLOYEE
    Posted Apr 02, 2020 07:35 PM

    Use the auth method [Mac Auth] and not [Allow All Mac Auth] when the only source is the Guest Device Repository.

     

    The policy server error is expected when the attribute does not exist (i.e. the account does not exist). In my opinion, you don't need the condition to check Account Active. Use the auth method [Mac Auth] and the source [Guest Device Repository], and apply the enforcement based on the [User Authenticated] role.

     

    Note: A MAC auth failure/reject will result in the controller moving the client to the initial role configured in the AAA profile. You may need to deny access in the initial role.
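The following is an added example, not code from the original thread and not ClearPass code: a small offline model of the MAC-auth decision the last few posts describe, so the moving parts can be exercised without a lab. It covers the MAC normalisation behind `%{Connection:Client-Mac-Address-Upper-Hyphen}`, the `is_expired` / `is_enabled` / `is_active` columns of the filter query posted in reply 15 (evaluated in Python instead of PostgreSQL), and the difference between [Mac Auth] and [Allow All Mac Auth] from reply 20, including the fall-back to the AAA profile's initial role on a reject. Everything here is an assumption drawn from the posts: the function names (`mac_upper_hyphen`, `lookup_device`, `evaluate`), the modelling of [Allow All Mac Auth] as "authentication always succeeds", the `GuestDevice` rows, the timestamps and the MAC addresses are all constructed for the example.

```python
"""
Added example (not part of the thread, not ClearPass code): an offline model of
MAC authentication against the Guest Device Repository as discussed above.
The device table, timestamps and MACs below are constructed sample data, and
the behaviour of each auth method is an assumption drawn from the posts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import re


def mac_upper_hyphen(raw: str) -> str:
    """'00:1a:2b:3c:4d:5e', '001a.2b3c.4d5e', '001A2B3C4D5E' -> '00-1A-2B-3C-4D-5E'.
    Models the Upper-Hyphen rendering used as the lookup key; anything that is
    not exactly 12 hex digits after stripping separators is rejected."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class GuestDevice:
    """One constructed row of tips_guest_users as written by device registration."""
    user_id: str                              # MAC in upper-hyphen form
    enabled: bool                             # cleared when the device is disabled
    start_time: datetime
    expire_time: Optional[datetime] = None    # None models NULL == never expires
    guest_type: str = "DEVICE"
    app_name: str = "Guest"


def authz_attributes(dev: GuestDevice, now: datetime) -> dict:
    """Same truth table as the CASE expressions in the posted filter query."""
    not_expired = dev.expire_time is None or dev.expire_time > now
    return {
        "is_expired": not not_expired,
        "is_enabled": dev.enabled,
        "is_active": not_expired and dev.start_time < now and dev.enabled,
    }


def lookup_device(repo, client_mac: str, now: datetime):
    """The WHERE clause: DEVICE rows of app 'Guest' keyed by the normalised MAC.
    Returns None when no row matches, which is the case where ClearPass reports
    that the authorization attribute does not exist."""
    key = mac_upper_hyphen(client_mac)
    for dev in repo:
        if dev.guest_type == "DEVICE" and dev.app_name == "Guest" and dev.user_id == key:
            return authz_attributes(dev, now)
    return None


def evaluate(repo, client_mac, now, method="mac_auth", condition_on_active=False,
             initial_role="initial role from AAA profile"):
    """Return (enforcement, effective_role, note) for one MAC-auth request.

    method="mac_auth":           [Mac Auth] - authentication succeeds only for
                                 an active row (as reply 18 states).
    method="allow_all_mac_auth": [Allow All Mac Auth] - authentication always
                                 succeeds (assumption: [User Authenticated] is
                                 then present for any MAC, known or not).
    condition_on_active=True:    the enforcement rule also tests is_active.
    A reject is not 'no network': the controller moves the client to the AAA
    profile's initial role, so effective_role is what the client really gets.
    """
    attrs = lookup_device(repo, client_mac, now)
    if method == "mac_auth":
        authenticated = attrs is not None and attrs["is_active"]
    elif method == "allow_all_mac_auth":
        authenticated = True
    else:
        raise ValueError(f"unknown auth method {method!r}")
    if not authenticated:
        return ("reject", initial_role, "authentication failed")
    if condition_on_active:
        if attrs is None:
            return ("reject", initial_role,
                    "policy server error: authorization attribute does not exist")
        if not attrs["is_active"]:
            return ("reject", initial_role, "device not active")
    # [User Authenticated] is present on every successful authentication, so an
    # enforcement keyed on it alone admits whatever the auth method let through.
    return ("allow", "registered-device role", "")


NOW = datetime(2020, 4, 2, 12, 0, tzinfo=timezone.utc)          # constructed
REPO = [                                                          # constructed rows
    GuestDevice("00-1A-2B-3C-4D-5E", True, NOW - timedelta(days=1)),                          # active
    GuestDevice("00-1A-2B-3C-4D-5F", True, NOW - timedelta(days=30), NOW - timedelta(days=1)),  # expired
    GuestDevice("00-1A-2B-3C-4D-60", False, NOW - timedelta(days=1)),                         # disabled
    GuestDevice("00-1A-2B-3C-4D-61", True, NOW + timedelta(days=1)),                          # not started
]

if __name__ == "__main__":
    for mac in ("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "de:ad:be:ef:00:01"):
        for method in ("mac_auth", "allow_all_mac_auth"):
            print(mac, method, evaluate(REPO, mac, NOW, method=method))
```

The case worth running is the unknown MAC `de:ad:be:ef:00:01`: under `mac_auth` it is rejected, under `allow_all_mac_auth` with an enforcement keyed only on [User Authenticated] it is allowed, and adding the `is_active` condition back turns that into the "attribute does not exist" reject from the screenshot. In every reject path the model also reports the initial role, which is why the reply above says that role must itself deny access.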