In part 1, I explained how ClearPass Social Login using OAUTH works in depth. In this part, I will explain how to configure it based on Azure AD. In brief, you need to configure
- Azure: To register an app (Get Client ID / Secret)
- ClearPass: To configure a web login page with Social Login + Service to handle the guest authentication
- Controller: To assign devices initial role with captive portal page pointing to ClearPass + a role after successfully authenticating
Let’s start with Azure configuration first.
Azure Configuration
Step 1: Login to Azure Portal and search for App registration. Register an app and provide the Redirect URI to point to ClearPass Guest page (to be created on ClearPass)
Step 2: Select Certificates & Secrets and then create a new Client Secret. Specify the validity as you see appropriate.
Step 3: Copy the secret key that is provided and save it in a secure manner (the one shown below is already deleted)
Step 4: Copy the client ID for this application from the overview tab.
Step 5: Now the only remaining part is provide the app the needed permissions. Navigate to API permissions, select Microsoft Graph and add Directory: Read All
Steps 6: Grant the app the permission to read directory data (Grant admin consent)
The above concludes the config needed on Azure side. Let’s configure ClearPass side now.
ClearPass Configuration
Step 1: Create a Guest Web Login Page, Add Social Login Option and select Microsoft Azure AD. Make sure to specify the post back address to point to the certificate common name that is installed on your controllers.
Step 2: Specify the client ID and client secret based on the values you obtained while setting Azure App (Steps 3 and 4 in Azure configuration section)
Step 3: Enable Group membership fetching if needed in your workflow
Step 4: Configure a Service using the Guest Template (Cloud Identity/Social Media Authentication)
At the below screen, keep the default values for now. In the next step, we will change them to azure.
Step 5: Change the social login provider in the created policy to azure. Remove the other conditions that are not used.
This completes the configuration from ClearPass side. Just make sure Clearpass has internet access via https to reach Azure graph APIs.
Now let’s check the controller configuration.
Controller Configuration
Controller needs to be configured with an initial role that is linked to a Captive portal profile which redirects traffic to ClearPass. The minimal needed policies for this role are listed below.
Below is a sample configuration for this role.
netdestination microsoft_whitelist
name *.microsoft.com
name *.microsoftonline.com
name login.microsoftonline.com
name *.aadcdn.microsoftonline-p.com
name login.live.com
name mbs.microsoft.com
name go.microsoft.com
name login.microsoftonline-p.com
name secure.aadcdn.microsoftonline-p.com
name urs.microsoft.com
name auth.gfx.ms
name dynamicscrmemea.accesscontrol.windows.net
name sc.imp.live.com
name *.windows.net
name *.passport.net
name *.crm4.dynamics.com
name home.dynamics.com
name cloudredirectoreur.cloudapp.net
name cloudredirectoreursec.cloudapp.net
name *.azureedge.net
name www.crmdynint.com
name graph.windows.net
name aadcdn.msauth.net
!
netdestination clearpass_cp
name
host
!
netdestination allowed_dns_servers
host 8.8.8.8
!
ip access-list session restricted_dhcp
user any udp 68 deny
any any svc-dhcp permit
!
ip access-list session restricted_dns
any alias allowed_dns_servers svc-dns permit
!
ip access-list session custom-logon-control
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
!
aaa authentication captive-portal "PGUEST_cp_prof"
server-group ""
redirect-pause 3
no logout-popup-window
login-page ""
no enable-welcome-page
white-list "clearpass_cp"
white-list "microsoft_whitelist"
redirect-url "https://www.arubanetworks.com"
!
user-role p-guest-logon
captive-portal "PGUEST_cp_prof"
access-list session global-sacl
access-list session restricted_dhcp
access-list session restricted_dns
access-list session apprf-p-guest-logon-sacl
access-list session custom-logon-control
access-list session captiveportal
!Make sure to associate this initial role to the AAA profile associated with the VAP. This is a simplified configuration for the controller.
I hope this is useful. Feel free to share your comments and feedback. If you are interested to check other ClearPass Tiny Bites, click here.
Hi Ayman
I refer to part2 configuration, there is an error.
“The reply URL specified in the request does not match the reply URLs configured”
Is the url of step 2 of the part2 clearpass configuration rigth?
wait for your reply,
Thanks
Hi,
The URL needs to be changed to reflect your ClearPass installation… This was the URL used in my demo environment, you need to change it based on your ClearPass setup.
For some reason following these instructions when I launch the web portal I get an error and no Azure sign in option. Any ideas what I’m missing? The error is “Required field unavailable”.
Thanks
How are you testing? You were connected to WiFi and testing or are you manually trying to open the URL?
Launching it from the Clearpass config page. From configuration->Web Logins->Launch button.
Hi Ryan,
It will not work as such as the Aruba controllers will append the mac-address field in the redirection URL. This is missing when you launch it directly..
In your case, you need to append to your url and add ?mac=00:00:00:00:00:00 if you want to simulate it directly without being connected to Aruba controllers..
i got the blank page after redirect to login.microsoft.com
Hi Sandi,
So the Microsoft login page was loaded? If not, did you add the whitelist entries?
Can you share a screenshot?
I’m having a similar issue as Sandi here is a screen shot of what I get after I click on the Azure login icon.
https://imgur.com/a/ZKZhC4E. I did verify that the network can get to the azure portal. I’m also using an IAP cluster vs a controller but I did whitelist all the same urls and IP addresses. Any help would be appreciated.
Hi Ryan,
Are you sure you put the right ClearPass URL?