I followed your method and found that some traffic was blocked! I have added two URLs that are allowed to access in the pre onboard role. The login page displays normally.
Original Message:
Sent: Jun 26, 2024 04:18 AM
From: Herman Robers
Subject: Integration of ClearPass and Azure Saml
If you have a full-featured browser, you could use Wireshark or the developer tools (network trace) in the browser to find out what traffic is blocked.
I'd normally use a guest portal, and first get full internet access to avoid this situation; but if you know what is blocked, you could make it specifically available. Make sure you have all certificates trusted (ClearPass, for captive portal your APs/controllers/gateways as well), and that the Onboarding process happens in a full browser, not the automatic captive portal popup.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
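The comparison suggested above (what the browser requested versus what the role permits) can be scripted once the request URLs are exported from the browser's network trace. This is an added example, not part of the original thread or of any Aruba tool; the sample URLs (including the example.net placeholder host) are constructed, and treating a leading `*.` as "any subdomain" is an assumption about how the alias is evaluated.

```python
import re
from urllib.parse import urlsplit

# Alias rules copied from the pre-onboard role in this thread (// notes dropped).
ROLE = """\
rule alias clearpass.sscxtech.info match tcp 443 443 permit
rule alias clearpass.sscxtech.info match tcp 80 80 permit
rule alias login.microsoftonline.com match tcp 443 443 permit
rule alias *.aadcdn.microsoftonline-p.com match tcp 80 80 permit
rule alias *.aadcdn.microsoftonline-p.com match tcp 443 443 permit
"""

# Constructed sample of request URLs from a browser trace; example.net is a placeholder.
SAMPLE_URLS = [
    "https://clearpass.sscxtech.info/onboard/device_provisioning_2.php",
    "https://login.microsoftonline.com/",
    "https://assets.aadcdn.microsoftonline-p.com/app.js",
    "https://static.example.net/login.css",
    "http://login.microsoftonline.com/",
]

RULE_RE = re.compile(r"^rule alias (\S+) match tcp (\d+) (\d+) permit\b")

def parse_alias_rules(role_text):
    """Return [(alias, low_port, high_port)] for each tcp alias permit rule."""
    matches = (RULE_RE.match(line.strip()) for line in role_text.splitlines())
    return [(m[1].lower(), int(m[2]), int(m[3])) for m in matches if m]

def alias_matches(alias, host):
    # Assumption: a leading "*." covers any subdomain but not the bare domain.
    if alias.startswith("*."):
        return host.endswith(alias[1:])
    return host == alias

def blocked_requests(role_text, urls):
    """Return sorted unique (host, port) pairs that no permit rule covers."""
    rules = parse_alias_rules(role_text)
    blocked = set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if not any(alias_matches(a, host) and lo <= port <= hi for a, lo, hi in rules):
            blocked.add((host, port))
    return sorted(blocked)

if __name__ == "__main__":
    for host, port in blocked_requests(ROLE, SAMPLE_URLS):
        print(f"not covered by pre-onboard role: {host} tcp/{port}")
```

Each host and port it reports is a candidate for a narrow permit rule in the pre-onboard role, which keeps that role tighter than opening full internet access before authentication.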
Original Message:
Sent: Jun 24, 2024 09:38 AM
From: tanxiaofeng
Subject: Integration of ClearPass and Azure Saml
I tested using a fully functional browser and the situation remained the same. The page redirected to login.microsoftonline.com still showed blank.
The URL mentioned in the cloud integration document is already allowed in the role.
Here is my configuration:
wlan access-rule pre-onboard
 index 4
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule any any match icmp any any permit
 rule alias clearpass.sscxtech.info match tcp 443 443 permit //allow to cppm
 rule alias clearpass.sscxtech.info match tcp 80 80 permit //allow to cppm
 rule alias login.microsoftonline.com match tcp 443 443 permit //allow to cloud login
 rule alias *.aadcdn.microsoftonline-p.com match tcp 80 80 permit //allow to cloud login
 rule alias *.aadcdn.microsoftonline-p.com match tcp 443 443 permit //allow to cloud login
wlan external-captive-portal cppm
 server clearpass.sscxtech.info
 port 443
 url "/onboard/device_provisioning_2.php"
 auth-text ""
 auto-whitelist-disable
 https
wlan ssid-profile JYBY-office-onboard
 enable
 index 1
 type guest
 essid JYBY-office-onboard
 utf8
 opmode opensystem
 max-authentication-failures 0
 vlan 128
 auth-server cppm
 set-role-pre-auth pre-onboard
 rf-band all
 captive-portal external profile cppm
 dtim-period 1
 broadcast-filter arp
 blacklist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 128
Original Message:
Sent: Jun 24, 2024 08:48 AM
From: Herman Robers
Subject: Integration of ClearPass and Azure Saml
Please be aware that for Onboarding, you cannot use a captive-portal (or at least not the automatic popup after you connect). You would need to have a full-featured browser, as listed in the documentation.
Also, you would need the Microsoft login servers allowed in the access role used during onboarding, so if the page is not loading, double-check the role assigned and if the sites are allowed. I have not checked, but this should be mentioned in the tech note / documentation for Cloud Identity and Onboarding that you were following.
Original Message:
Sent: Jun 24, 2024 02:32 AM
From: tanxiaofeng
Subject: Integration of ClearPass and Azure Saml
Yes, I missed the application access service for onboard. After adding the application access service for onboard, Windows computers can run the onboard process normally.
But I have encountered a new problem. Android and iOS devices cannot redirect to the login.microsoftonline.com page during onboard operations, displaying a blank page, while Windows computers can display it normally.
Original Message:
Sent: Jun 21, 2024 01:34 PM
From: mattAruba
Subject: Integration of ClearPass and Azure Saml
Ahh, you need an Application Access service for Onboard. This is covered in the Airheads broadcasting video Onboard#2 https://www.youtube.com/watch?v=8XtleXO5t64&list=PLsYGHuNuBZcb0xD05v9zdwv7NlUG_8oJS&index=54
Original Message:
Sent: Jun 20, 2024 01:09 PM
From: tanxiaofeng
Subject: Integration of ClearPass and Azure Saml
Hi,
How do I determine if Windows installation files require administrator privileges? What aspects do I need to check from?
In the application log, I found two types of errors, as shown below.
Original Message:
Sent: Jun 20, 2024 12:37 PM
From: mattAruba
Subject: Integration of ClearPass and Azure Saml
Here it seems like the SAML part went through fine but the device provisioning using QuickConnect ran into some issue. Does the Windows machine require admin privileges to install the profile?
Any errors in the application logs on the guest side under Guest > Administration > Support > Application Log?
Original Message:
Sent: Jun 20, 2024 11:18 AM
From: tanxiaofeng
Subject: Integration of ClearPass and Azure Saml
Hi Guys,
I am currently implementing integration of ClearPass and Azure SAML to achieve 802.1x authentication. I referred to the document "Onboard and Cloud Identity Providers" for configuring Azure AD and ClearPass. After completing the configuration, when I was testing, the client encountered an error while running QuickConnect.
The QuickConnect logs are shown below:
Client Log
==========
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.QuickConnectDlg - Starting configuration.
2024-06-20 20:23:55,585 [main] DEBUG changelog - Starting configuration for secure network connections.
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.Util - Attempting operating system detection.
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.Util - running Windows Enterprise Version
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.Util - Detected operating system higher than Windows XP
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.WlanApi - Initializing wlan api.
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.Config - Initing configuration.
2024-06-20 20:23:55,585 [main] DEBUG Quick1X.Config - QuickConnect Mode isonboard
2024-06-20 20:23:56,239 [main] DEBUG Quick1X.QuickConnectDlg - Calling javascript method : updateWorkingDirectory
2024-06-20 20:23:59,875 [main] DEBUG Quick1X.QuickConnectDlg - Calling javascript method : updateQcMode
2024-06-20 20:23:59,885 [main] DEBUG Quick1X.QuickConnectDlg - Processing configure
2024-06-20 20:23:59,885 [null] DEBUG Quick1X.QuickConnectDlg - Processsing configure task
2024-06-20 20:23:59,885 [null] DEBUG Quick1X.QuickConnectDlg - Fetching the configuration and certificate from the Onboard Server
2024-06-20 20:23:59,885 [null] DEBUG Quick1X.QuickConnectDlg - Initing device info
2024-06-20 20:23:59,885 [null] DEBUG Quick1X.DeviceInfo - Starting interface detection
2024-06-20 20:23:59,885 [null] DEBUG Quick1X.Util - Running config task as logged in user
2024-06-20 20:24:00,060 [null] DEBUG Quick1X.Util - Exit code from execed process 0
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Checking interface :VPN Client Adapter - VPN
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Interface Type :53
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Interface state :2
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Microsoft Wi-Fi Direct Virtual Adapter
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Interface Type :71
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Interface state :2
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Microsoft Wi-Fi Direct Virtual Adapter
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Discarding interface : Microsoft Wi-Fi Direct Virtual Adapter
2024-06-20 20:24:00,061 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Microsoft Wi-Fi Direct Virtual Adapter #2
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface Type :71
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface state :2
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Microsoft Wi-Fi Direct Virtual Adapter #2
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Discarding interface : Microsoft Wi-Fi Direct Virtual Adapter #2
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Intel(R) Wi-Fi 6 AX201 160MHz
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface Type :71
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface state :1
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Intel(R) Wi-Fi 6 AX201 160MHz
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Trying to filter (Unicode) :Intel(R) Wi-Fi 6 AX201 160MHz
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Adapter GUID:E46683CF-C2F1-4795-AECB-BD96431C3B9D
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Description: Intel(R) Wi-Fi 6 AX201 160MHz
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Name: WLAN
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - State: CONNECTED
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - DHCP : Enabled
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - DNS Registration: Enabled
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - DNS by DHCP: Enabled
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - MAC Address: 54:6C:EB:9D:6A:A7
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface type : Wireless
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Bluetooth Device (Personal Area Network)
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface Type :6
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface state :2
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Trying to filter :Bluetooth Device (Personal Area Network)
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Discarding interface : Bluetooth Device (Personal Area Network)
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Checking interface :Software Loopback Interface 1
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface Type :24
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.DeviceInfo - Interface state :1
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - GetDeviceCredentials: Downloading device credentials from the Onboard server - https://clearpass.sscxtech.info/onboard/mdps_qc_enroll.php
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - GetDeviceCredentials: Checking whether bypass proxy is false or true
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - GetDeviceCredentials: Bypass proxy is false
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - GetDeviceCredentials: Onboard server Host Name clearpass.sscxtech.info
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - GetDeviceCredentials: Onboard server URL Path /onboard/mdps_qc_enroll.php
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - GetDeviceCredentials: Retrieving value of Validate-Server-Certificate option
2024-06-20 20:24:00,065 [null] INFO Quick1X.QuickConnectDlg - Disabling Onboard server certificate validation
2024-06-20 20:24:00,065 [null] DEBUG Quick1X.QuickConnectDlg - Detected Windows version - Windows 10
2024-06-20 20:24:00,156 [null] ERROR Quick1X.QuickConnectDlg - GetDeviceCredentials: Received error HTTP Status code - 403
2024-06-20 20:24:00,156 [null] DEBUG Quick1X.Util - Running config task as logged in user
Script Log
==========
2024/6/20 20:18:57 Adapter type detect starting
2024/6/20 20:18:57 VPN Client Adapter - VPN Type: 0
2024/6/20 20:18:57 Intel(R) Wi-Fi 6 AX201 160MHz Type: 9
2024/6/20 20:18:57 Bluetooth Device (Personal Area Network) Type: 10
2024/6/20 20:18:57 Microsoft Wi-Fi Direct Virtual Adapter Type: 9
2024/6/20 20:18:57 Microsoft Wi-Fi Direct Virtual Adapter #2 Type: 9
2024/6/20 20:19:43 Adapter type detect starting
2024/6/20 20:19:43 VPN Client Adapter - VPN Type: 0
2024/6/20 20:19:43 Intel(R) Wi-Fi 6 AX201 160MHz Type: 9
2024/6/20 20:19:43 Bluetooth Device (Personal Area Network) Type: 10
2024/6/20 20:19:43 Microsoft Wi-Fi Direct Virtual Adapter Type: 9
2024/6/20 20:19:43 Microsoft Wi-Fi Direct Virtual Adapter #2 Type: 9
2024/6/20 20:21:03 Adapter type detect starting
2024/6/20 20:21:03 VPN Client Adapter - VPN Type: 0
2024/6/20 20:21:03 Intel(R) Wi-Fi 6 AX201 160MHz Type: 9
2024/6/20 20:21:03 Bluetooth Device (Personal Area Network) Type: 10
2024/6/20 20:21:03 Microsoft Wi-Fi Direct Virtual Adapter Type: 9
2024/6/20 20:21:03 Microsoft Wi-Fi Direct Virtual Adapter #2 Type: 9
2024/6/20 20:23:59 Adapter type detect starting
2024/6/20 20:23:59 VPN Client Adapter - VPN Type: 0
2024/6/20 20:23:59 Intel(R) Wi-Fi 6 AX201 160MHz Type: 9
2024/6/20 20:23:59 Bluetooth Device (Personal Area Network) Type: 10
2024/6/20 20:24:00 Microsoft Wi-Fi Direct Virtual Adapter Type: 9
2024/6/20 20:24:00 Microsoft Wi-Fi Direct Virtual Adapter #2 Type: 9
Helper Log
==========
Do any guys know how to solve it? Did I forget some configurations?