Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Configuration Guide: Onboard + Cloud Identity Providers

  • 1.  ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Jul 10, 2017 05:52 PM

    Team Aruba,

     

    We’re happy to announce an update to the ClearPass Configuration Guide for Onboard + Cloud Identity Providers. Version 2018-01 adds configuration details for Google's new Secure LDAP service for real-time authorization against Google Cloud Identity / G Suite in policy.

     

    This configuration guide is very focused and covers:

    • creating the required application in the cloud identity provider
    • configuring the ClearPass SAML Service Provider and OAuth 2.0 Relying Party
    • onboard provisioning settings changes required for SAML and OAuth 2.0
    • customizing the ClearPass SSO dictionary
    • building a SAML pre-authentication service for Onboard
    • using OAuth 2.0 return attributes in a role map and/or network access policy
    • Azure Active Directory, Google Cloud Identity / G Suite and Okta identity providers
    • Google Secure LDAP Connector for real-time authorization

     

    *see below for updated document link*

     

    Feedback always welcome!

     

    Enjoy!

     

    - Aruba Security Team



  • 2.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Apr 19, 2018 04:03 PM

    As usual whenever I have a question, it seems you've already answered it.  Thanks yet again!!



  • 3.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Dec 21, 2018 05:16 PM

    Is there a required version level that supports this integration?



  • 4.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Mar 25, 2019 11:35 AM
    Thanks for working up this guide, great info! Are there plans to add support for Azure Secure LDAP as there is for Google?


  • 5.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Mar 25, 2019 11:38 AM
    Azure Active Directory does not have an LDAP interface by design.


  • 6.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Mar 25, 2019 11:48 AM

    Ah, but they have a guide for setting up secure LDAP:

    https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap

    which makes the integration seem possible.



  • 7.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Mar 25, 2019 11:50 AM
    That is AAD DS, not AAD. We have no plans to support AAD DS as it is only a transitionary offering from Microsoft.


  • 8.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Apr 03, 2019 07:03 AM

    Here at ATMOSPHERE19, attended your last session on Deep Dive: Auth Technologies. Great job, thank you.

     

    To my question. I am trying to decide if I should use SAML or OAuth 2.0. I am trying to avoid 802.1X in a Mac OS X environment, having too many issues with Bluetooth and 802.1X; turning it on and off is not a solution for my users. If I use SAML with the G Suite workflow, will that still require 802.1X?

     

    Thank you in Adv.

     



  • 9.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Jun 25, 2019 04:22 PM
    Hello, on this page you mention Okta as an ID source is deprecated, but it is still a source described in this Config guide and available in CPPM.

    Can you please confirm if this will be deprecated in future releases of CPPM?

    And if so, why is it being deprecated?

    Okta is increasingly becoming more and more the IdP for everything, best at it in the industry.


  • 10.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Jun 25, 2019 04:26 PM

    The Okta-specific auth source that is part of the CPPM auth source list is deprecated and no longer works. Okta is fully supported as described in the document.



  • 11.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Jun 25, 2019 04:38 PM

    Hi, thank you.  I am not a CPPM user, more an ID guy, so just making sense of the terminology used here and use case.  I want to configure Okta as the SSO IdP provider for our CPPM users/admins to sign in and manage CPPM.  The configuration guide describes the use of Okta for "Onboard enrollment".  Are we talking about the same thing here?

     

    • Primarily I want to integrate Okta for administrator sign-in to CPPM.

    "Okta Okta is a popular cloud identity management solution and ClearPass can leverage it as a SAML Identity Provider for Onboard enrollment."

     

    In saying that, is Okta also being described here as an authentication source for endpoints, Wi-Fi etc. - in which case we could also make use of that!



  • 12.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Jun 25, 2019 04:52 PM
    The process is very similar for CPPM Admin SP, yes.



    Regarding network authentication, Okta is used as an IdP to validate identity prior to certificate issuance.


  • 13.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Jan 23, 2021 08:37 AM
    Hi Tim,

    The document link is leading to the old Support Portal, is it available anywhere else (couldn't locate it in the new ASP)? Thanks.

    ------------------------------
    [NesaM - ACMP|ACCP|ACDP]
    ------------------------------



  • 14.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    MVP
    Posted Jan 23, 2021 06:27 PM
    It's on ASP...

    https://asp.arubanetworks.com/downloads/documents/RmlsZTo0NDZlZmM1NC1lNmZiLTExZWEtYjE5OC04Nzc5YzY0NjgwOGY%3D

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091071en_us


    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 15.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Jan 24, 2021 12:29 PM
    Thanks Danny! Don't know how I couldn't see it :-)

    ------------------------------
    [NesaM - ACMP|ACCP|ACDP]
    ------------------------------



  • 16.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Jan 25, 2021 04:23 AM
    As a reminder, all most recent versions of documentation for ClearPass are listed on https://www.arubanetworks.com/clearpassdocs.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 17.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Mar 05, 2021 10:43 AM
    Attached is the updated file.

    Thank you! 
    Greg Weaver
    Community Admin

    ------------------------------
    Greg Weaver
    Airheads Community Admin
    ------------------------------



  • 18.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Feb 24, 2022 02:43 PM
    Hi Cappalli.
    Can I do the same with a guest portal, not Onboard?

    ------------------------------
    Raúl Ortega
    ------------------------------



  • 19.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    EMPLOYEE
    Posted Feb 28, 2022 11:10 AM
    Yes, you can do SSO with a Cloud Identity provider to the ClearPass Guest or ClearPass Guest Operator pages. Just disable the Onboard action at that point; in fact the described Onboarding is just a more advanced way of doing Cloud Identity logins.

    Your Aruba partner or TAC can probably assist you in getting that configured.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 20.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Apr 26, 2022 01:27 PM
    Hi Herman, thank you for your response, I have a question. In the document HPE_a00091071en_us_ClearPass Onboard and Cloud Identity P...pdf
    the service that it uses is obviously for Onboard, this:

    Aruba Application Authorization
    Application              Name           EQUALS        Onboard
    Authentication           Type           EQUALS        SSO
    Application:ClearPass    Device-Name    NOT_EXISTS

    In my case, where I don't want to do this with Onboard (guest portal for contractor), what type of service do I need? Aruba Application Authorization with only this rule?

    Authentication           Type           EQUALS        SSO

    Can you guide me about it, please?



    ------------------------------
    Alejandro Meza
    ------------------------------



  • 21.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Jun 27, 2022 11:35 PM
    Alejandro - did you ever figure this out? I am in the same spot as you, I need to use the SSO/Onboard procedures but apply them to a Guest/Captive Portal authentication scenario.


  • 22.  RE: ClearPass Configuration Guide: Onboard + Cloud Identity Providers

    Posted Jun 28, 2022 09:29 AM
    Hi.
    Yes, I could resolve it.
    You need:
    One application authorization service for the SAML, like this:

    Service:
    Name: sso-saml
    Description: Authorization Service for Applications
    Type: Aruba Application Authorization
    Status: Enabled
    Monitor Mode: Disabled
    More Options: Authorization

    Service Rule
    Match ANY of the following conditions:
        Type              Name    Operator    Value
    1.  Authentication    Type    EQUALS      SSO

    And another service for the RADIUS authentication, like this:
    image.png

    And in the ClearPass captive portal page you need a pre-auth check with single sign-on:
    image.png


    image.png


    Regards,
    Raúl Ortega

