In part 1, I explained how ClearPass Social Login using OAUTH works in depth. In this part, I will explain how to configure it based on Azure AD. In brief, you need to configure
- Azure: To register an app (Get Client ID / Secret)
- ClearPass: To configure a web login page with Social Login + Service to handle the guest authentication
- Controller: To assign devices initial role with captive portal page pointing to ClearPass + a role after successfully authenticating
Let’s start with Azure configuration first.
Azure Configuration
Step 1: Login to Azure Portal and search for App registration. Register an app and provide the Redirect URI to point to ClearPass Guest page (to be created on ClearPass)
Step 2: Select Certificates & Secrets and then create a new Client Secret. Specify the validity as you see appropriate.
Step 3: Copy the secret key that is provided and save it in a secure manner (the one shown below is already deleted)
Step 4: Copy the client ID for this application from the overview tab.
Step 5: Now the only remaining part is provide the app the needed permissions. Navigate to API permissions, select Microsoft Graph and add Directory: Read All
Steps 6: Grant the app the permission to read directory data (Grant admin consent)
The above concludes the config needed on Azure side. Let’s configure ClearPass side now.
ClearPass Configuration
Step 1: Create a Guest Web Login Page, Add Social Login Option and select Microsoft Azure AD. Make sure to specify the post back address to point to the certificate common name that is installed on your controllers.
Step 2: Specify the client ID and client secret based on the values you obtained while setting Azure App (Steps 3 and 4 in Azure configuration section)
Step 3: Enable Group membership fetching if needed in your workflow
Step 4: Configure a Service using the Guest Template (Cloud Identity/Social Media Authentication)
At the below screen, keep the default values for now. In the next step, we will change them to azure.
Step 5: Change the social login provider in the created policy to azure. Remove the other conditions that are not used.
This completes the configuration from ClearPass side. Just make sure Clearpass has internet access via https to reach Azure graph APIs.
Now let’s check the controller configuration.
Controller Configuration
Controller needs to be configured with an initial role that is linked to a Captive portal profile which redirects traffic to ClearPass. The minimal needed policies for this role are listed below.
Below is a sample configuration for this role.
netdestination microsoft_whitelist
name *.microsoft.com
name *.microsoftonline.com
name login.microsoftonline.com
name *.aadcdn.microsoftonline-p.com
name login.live.com
name mbs.microsoft.com
name go.microsoft.com
name login.microsoftonline-p.com
name secure.aadcdn.microsoftonline-p.com
name urs.microsoft.com
name auth.gfx.ms
name dynamicscrmemea.accesscontrol.windows.net
name sc.imp.live.com
name *.windows.net
name *.passport.net
name *.crm4.dynamics.com
name home.dynamics.com
name cloudredirectoreur.cloudapp.net
name cloudredirectoreursec.cloudapp.net
name *.azureedge.net
name www.crmdynint.com
name graph.windows.net
name aadcdn.msauth.net
!
netdestination clearpass_cp
name
host
!
netdestination allowed_dns_servers
host 8.8.8.8
!
ip access-list session restricted_dhcp
user any udp 68 deny
any any svc-dhcp permit
!
ip access-list session restricted_dns
any alias allowed_dns_servers svc-dns permit
!
ip access-list session custom-logon-control
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
!
aaa authentication captive-portal "PGUEST_cp_prof"
server-group ""
redirect-pause 3
no logout-popup-window
login-page ""
no enable-welcome-page
white-list "clearpass_cp"
white-list "microsoft_whitelist"
redirect-url "https://www.arubanetworks.com"
!
user-role p-guest-logon
captive-portal "PGUEST_cp_prof"
access-list session global-sacl
access-list session restricted_dhcp
access-list session restricted_dns
access-list session apprf-p-guest-logon-sacl
access-list session custom-logon-control
access-list session captiveportal
!Make sure to associate this initial role to the AAA profile associated with the VAP. This is a simplified configuration for the controller.
I hope this is useful. Feel free to share your comments and feedback. If you are interested to check other ClearPass Tiny Bites, click here.