Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest -> Azure (Entra) authentication and authorization

  • 1.  ClearPass Guest -> Azure (Entra) authentication and authorization

    Posted 14 days ago

    Hello,

    We have been using Azure SSO login to our ClearPass boxes for a long time - no problem here. 

    We recently added support for Azure log-in for our Guest users (for a specific set of users). This is all configured on ClearPass - so essentially we added Azure from the dropdown list in the web login settings. This was working well too, but it relied on being able to identify that the user logging in was a member of a particular Azure group.

    We then (last week) played with using Azure as an authorization source so that we could check the account status during MAC auth as well as user auth. We gave up on this as we are running 6.11 and the functionality we want is in 6.12; we'll revisit once upgraded.

    But now it seems that the groups aren't being retrieved successfully during User auth. Authentication works, but the groups are just shown as [null,null,null,.....] in Access Tracker and the Endpoint. I'm just wondering if this is a symptom anyone recognises? I have removed the test Azure Authentication source from Authorization sources in the MAC Auth service. I think things are back to how they were before the changes (though the test Azure authentication source still exists, it's just not referenced anywhere).

    Any insight much appreciated.

    Guy



  • 2.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization

    EMPLOYEE
    Posted 12 days ago

    Have not seen this, and [null,null,null], especially when the number matches the actual number of groups, may indicate a bug, too locked-down permissions, or similar.

    Just to be sure that I understand correctly what you are trying to do:

    • Guest Captive Portal with MAC Caching
    • Entra ID (Azure AD in 6.11) authorization source in the MAC authentication service used for the MAC caching, where you want to look up the cached username.

    May I ask how you adapted the Entra ID authorization source to use the cached username, instead of the default of the client MAC address? Without testing, it should be something like %{Endpoint:Username}; and use a separate authorization source.

    After reverting the changes, does the group retrieval for the User Auth work again?

    If the above does not help, it may be good to work with TAC as null means 'no value' in programming and may indicate an unforeseen condition or error in the code.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization

    Posted 12 days ago

    Hello Herman,

    • Guest Captive Portal with MAC Caching
    • Entra ID (Azure AD in 6.11) authorization source in the MAC authentication service used for the MAC caching, where you want to look up the cached username.

    Yes, Guest with MAC Caching, with Azure added as a social auth method. I was working with a guy from Aruba who often helps us. This all worked (including group retrieval) until a couple of weeks ago - _probably_ coinciding with us trying to add Azure as an authorization source on the MAC Auth service (but it's hard to be sure about that). I've removed it now but still no joy.

    The Azure authentication source that we use for authorization has this query:

    users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Endpoint:Username} /users/{id}/memberOf?select=displayName

    We know authorization isn't going to work until we upgrade to 6.12, that's not a problem.

    It feels like a permissions issue - when we were playing with using it as an authorization source we asked our Entra/Azure team to update permissions to this:

    Looking at other posts this seems to be enough? Though in one doc it mentions Microsoft Graph Application.Read.All

    I've asked them to revert to the settings we had before but they aren't convinced. I think I will press them a little harder, I just want to rule it out.




  • 4.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization

    Posted 12 days ago

    Update: the Entra guy reverted our app to Groups and delegated User.Read permissions. But this doesn't seem to have helped at all.




  • 5.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization

    Posted yesterday

    Still struggling with this. It's very odd because previously we _were_ seeing the groups in Computed Attributes. Is there an Aruba doc about this?

    I don't know where there are settings I can play with for this, other than in the Azure settings in the web login config. We have "Retrieve the group memberships for the guest's account" ticked.

    In the Tenant field we have our tenant ID. I tried changing that to 'common', but it appears to make no difference.
    Is there a way to see in the logs what ClearPass is sending and receiving to/from Entra? I saw that there's a "Log debugging data" option, if I enable this where do I then find the extra logging? Is that likely to help?

    Thank you,

    Guy




  • 6.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization

    EMPLOYEE
    Posted yesterday

    Logging would likely be buried in the appliance logs to be downloaded as an archive.

    I'd recommend opening a case with TAC at this point to assist with getting the debug setup and interpreted.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization
    Best Answer

    Posted yesterday

    At the last minute (I was just about to open a TAC case as you suggested) we got there. With debugging enabled in the Web Login social settings I could see the query that was being run, and when I showed that to the Entra team they realised that we had permissions set for "Application" Group.Read.All, not "Delegated" Group.Read.All. Once it was set to Delegated it started working again.
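    An added offline diagnostic (example code, not from this thread or from HPE Aruba) for the two symptoms above: it decodes the payload of a captured Graph access token to see whether Group.Read.All was issued as a delegated scope (`scp` claim) or only as an application role (`roles` claim), and counts null `displayName` entries in a captured `/users/{id}/memberOf` response. The token and response bodies are constructed for the demo; signature verification is deliberately skipped because this is only inspection of a token you already hold.

```python
import base64
import json

# Delegated consent lands in the token's "scp" claim; application-only consent
# lands in "roles". ClearPass Guest social login acts on behalf of the signed-in
# user, so group retrieval needs Group.Read.All granted as Delegated.
REQUIRED_SCOPE = "Group.Read.All"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt: str) -> dict:
    # Payload only; no signature check (diagnostic inspection of our own token).
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def permission_type(claims: dict) -> str:
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if REQUIRED_SCOPE in scopes:
        return "delegated"
    if REQUIRED_SCOPE in roles:
        return "application-only"   # granted as Application, as in the thread
    return "missing"

def null_group_names(member_of: dict) -> int:
    # The "[null,null,null]" symptom: one entry per group, no displayName.
    return sum(1 for g in member_of.get("value", []) if g.get("displayName") is None)

def diagnose(jwt: str, member_of: dict) -> str:
    kind = permission_type(token_claims(jwt))
    nulls = null_group_names(member_of)
    if nulls and kind != "delegated":
        return f"{nulls} null group names; Group.Read.All is {kind}, grant it as Delegated"
    if nulls:
        return f"{nulls} null group names despite delegated scope; check the select clause"
    return "ok"

def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned token for the offline demo (hypothetical values).
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"

APP_ONLY_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "roles": ["Group.Read.All"]})
DELEGATED_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read Group.Read.All"})
NULL_RESPONSE = {"value": [{"displayName": None}, {"displayName": None}, {"displayName": None}]}
GOOD_RESPONSE = {"value": [{"displayName": "Guest-WiFi-Users"}, {"displayName": "All-Staff"}]}
```

Feed it the real token and memberOf body from the "Log debugging data" output; a "missing" result with nulls points at the consent type before anything else in the Web Login config.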




  • 8.  RE: ClearPass Guest -> Azure (Entra) authentication and authorization

    EMPLOYEE
    Posted yesterday

    Good to hear you were able to resolve the issue.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------