ClearPass Tiny Bite 8 – ClearPass Guest Social Login With Azure AD (Part 2)

In part 1, I explained in depth how ClearPass Social Login using OAuth works. In this part, I will explain how to configure it with Azure AD. In brief, you need to configure:

  • Azure: register an app (to obtain the client ID and client secret)
  • ClearPass: configure a web login page with Social Login, plus a service to handle the guest authentication
  • Controller: assign devices an initial role whose captive portal page points to ClearPass, plus a role applied after successful authentication

Let’s start with Azure configuration first.

Azure Configuration

Step 1: Log in to the Azure Portal and search for App registrations. Register an app and set the Redirect URI to point to the ClearPass guest page (to be created on ClearPass).

Step 2: Select Certificates & Secrets and then create a new Client Secret. Specify the validity as you see appropriate.

Step 3: Copy the secret value that is provided and store it securely; it is only displayed once (the one shown below has already been deleted).

Step 4: Copy the client ID for this application from the overview tab.

Step 5: The only remaining part is to give the app the permissions it needs. Navigate to API permissions, select Microsoft Graph and add Directory.Read.All.

Step 6: Grant the app permission to read directory data (Grant admin consent).

This concludes the configuration needed on the Azure side. Let’s configure the ClearPass side now.

ClearPass Configuration

Step 1: Create a guest web login page, add the Social Login option and select Microsoft Azure AD. Make sure the post-back address points to the certificate common name that is installed on your controllers.

Step 2: Specify the client ID and client secret using the values you obtained while setting up the Azure app (Steps 3 and 4 in the Azure configuration section).

Step 3: Enable group membership fetching if your workflow needs it.

Step 4: Configure a Service using the Guest Template (Cloud Identity/Social Media Authentication)

On the screen below, keep the default values for now. In the next step, we will change them to Azure.

Step 5: Change the social login provider in the created policy to Azure and remove the other conditions that are not used.

This completes the configuration on the ClearPass side. Just make sure ClearPass has internet access over HTTPS to reach the Azure Graph APIs.

Now let’s check the controller configuration.

Controller Configuration

The controller needs to be configured with an initial role linked to a captive portal profile that redirects traffic to ClearPass. Below is a sample configuration for this role with the minimum policies it needs.

netdestination microsoft_whitelist
    name *.microsoft.com
    name *.microsoftonline.com
    name login.microsoftonline.com
    name *.aadcdn.microsoftonline-p.com
    name login.live.com
    name mbs.microsoft.com
    name go.microsoft.com
    name login.microsoftonline-p.com
    name secure.aadcdn.microsoftonline-p.com
    name urs.microsoft.com
    name auth.gfx.ms
    name dynamicscrmemea.accesscontrol.windows.net
    name sc.imp.live.com
    name *.windows.net
    name *.passport.net
    name *.crm4.dynamics.com
    name home.dynamics.com
    name cloudredirectoreur.cloudapp.net
    name cloudredirectoreursec.cloudapp.net
    name *.azureedge.net
    name www.crmdynint.com
    name graph.windows.net
    name aadcdn.msauth.net
!
netdestination clearpass_cp
    name
    host
!
netdestination allowed_dns_servers
    host 8.8.8.8
!
ip access-list session restricted_dhcp
    user any udp 68 deny
    any any svc-dhcp permit
!
ip access-list session restricted_dns
    any alias allowed_dns_servers svc-dns permit
!
ip access-list session custom-logon-control
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny
!
aaa authentication captive-portal "PGUEST_cp_prof"
    server-group ""
    redirect-pause 3
    no logout-popup-window
    login-page ""
    no enable-welcome-page
    white-list "clearpass_cp"
    white-list "microsoft_whitelist"
    redirect-url "https://www.arubanetworks.com"
!
user-role p-guest-logon
    captive-portal "PGUEST_cp_prof"
    access-list session global-sacl
    access-list session restricted_dhcp
    access-list session restricted_dns
    access-list session apprf-p-guest-logon-sacl
    access-list session custom-logon-control
    access-list session captiveportal
!

Make sure to associate this initial role with the AAA profile attached to the VAP. This is a simplified configuration for the controller.
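As an added example (not part of the original post and not an Aruba tool), the Python script below parses the netdestination blocks of a controller config like the one above, flags entries that were left blank (as the clearpass_cp name/host are here), and checks whether a given hostname is covered by the captive-portal whitelist before the guest has logged in. It assumes that a leading "*." in a netdestination name matches any subdomain depth but not the bare domain, and the config excerpt embedded in it is a constructed sample.

```python
# Constructed excerpt of the controller config from this post; the clearpass_cp
# entries are deliberately left blank, exactly as they appear in the post.
SAMPLE_CONFIG = """
netdestination microsoft_whitelist
    name *.microsoft.com
    name login.microsoftonline.com
    name *.windows.net
    name *.azureedge.net
!
netdestination clearpass_cp
    name
    host
!
"""

def parse_netdestinations(config):
    """Return {netdestination: [(kind, value), ...]}; blank values are kept as ''."""
    dests, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("netdestination "):
            current = line.split(None, 1)[1]
            dests[current] = []
        elif line == "!":
            current = None  # end of the current block
        elif current is not None and line:
            parts = line.split(None, 1)
            dests[current].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return dests

def find_empty_entries(dests):
    """Entries with no value, e.g. a clearpass_cp host that was never filled in."""
    return [(d, kind) for d, entries in dests.items() for kind, v in entries if not v]

def name_matches(hostname, pattern):
    # Assumption: a leading "*." matches any subdomain depth but not the bare domain.
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return hostname == pattern

def host_allowed(hostname, dests):
    """True if hostname (or IP) is covered by a name/host entry in any netdestination."""
    hostname = hostname.lower().rstrip(".")
    return any(value and (name_matches(hostname, value.lower()) if kind == "name"
                          else hostname == value)
               for entries in dests.values() for kind, value in entries)

def uncovered_hosts(hosts, dests):
    """Hosts a client must reach before login that the whitelist would still block."""
    return [h for h in hosts if not host_allowed(h, dests)]
```

Run uncovered_hosts over the hostnames your browser actually contacts during the Azure sign-in (from a HAR capture or the controller's datapath session table) to find what the walled garden is still blocking.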

I hope this is useful. Feel free to share your comments and feedback. If you are interested in checking out other ClearPass Tiny Bites, click here.
