In part 1, I explained how ClearPass Social Login using OAuth works in depth. In this part, I will explain how to configure it with Azure AD as the identity provider. In brief, you need to configure:
- Azure: register an app (to obtain a Client ID and Client Secret)
- ClearPass: configure a Web Login page with Social Login, plus a service to handle the guest authentication
- Controller: assign devices an initial role whose captive portal points to ClearPass, and a role to apply after successful authentication
Let's start with the Azure configuration first.
Step 1: Log in to the Azure Portal and search for App registrations. Register an app and set the Redirect URI to the ClearPass Guest web login page (created on ClearPass in the next section). Azure only redirects back to a URI that matches the registered one exactly, so use the same scheme, host and path that ClearPass will present.
Step 2: Select Certificates & secrets and create a new client secret with whatever validity period you consider appropriate. Note the expiry date: once the secret expires, Azure stops issuing tokens and guest Social Login fails until you create a new secret and update it in ClearPass.
Step 3: Copy the secret value as soon as it is displayed and store it securely; Azure shows it only once (the one shown below has already been deleted).
Step 4: Copy the Application (client) ID for this app from the Overview tab.
Step 5: The only remaining part is to grant the app the permissions it needs. Navigate to API permissions, select Microsoft Graph and add Directory.Read.All.
Step 6: Grant admin consent so the app can read directory data. Directory.Read.All requires admin consent, so the permission is not effective until an administrator grants it.
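The six steps above produce exactly three things the OAuth flow needs: the Client ID, the client secret and an exactly matching Redirect URI. The script below is an added example, not code from the post or from ClearPass, that replays the authorization-code exchange ClearPass performs for a guest so you can verify the app registration by hand before touching ClearPass. The tenant ID, Client ID, Redirect URI and the default scope are placeholders, and the `AUTHORITY` URL is the Azure AD v2.0 endpoint; substitute your own values.

```python
import secrets
import urllib.parse

# Constructed placeholders (not values from the post): substitute your tenant ID,
# the Application (client) ID from Step 4, and the exact Redirect URI registered
# in Step 1, which must be the ClearPass Guest web login page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://clearpass.example.com/guest/azure_login.php"

AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def new_state() -> str:
    """Unguessable per-login value; it binds the callback to the request that started it."""
    return secrets.token_urlsafe(16)


def build_authorize_url(state: str, scope: str = "openid profile email") -> str:
    """Step 1 of the authorization-code flow: the URL the guest's browser is sent to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,  # assumed scope for a plain sign-in; adjust for your tenant
        "state": state,
    }
    return f"{AUTHORITY}/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect Azure sends back and return the authorization code.

    Raises ValueError if the browser landed anywhere other than the registered
    Redirect URI, if Azure reported an error, or if state does not match.
    """
    parts = urllib.parse.urlsplit(callback_url)
    landed_on = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if landed_on != REDIRECT_URI:
        raise ValueError(f"callback landed on {landed_on}, expected {REDIRECT_URI}")
    query = urllib.parse.parse_qs(parts.query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"Azure returned {query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(code: str, client_secret: str) -> tuple:
    """Step 3: URL and form body for the code-for-token exchange.

    redirect_uri must be identical to the one sent in the authorize request
    (RFC 6749 section 4.1.3); a mismatch is the usual symptom of a typo in the
    Redirect URI of the app registration.
    """
    body = {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
    return f"{AUTHORITY}/token", body


if __name__ == "__main__":
    # Manual test of the app registration: open the printed URL in a browser,
    # sign in and consent, then paste the full URL you were redirected to.
    state = new_state()
    print(build_authorize_url(state))
    code = parse_callback(input("Paste the callback URL: ").strip(), state)
    url, body = build_token_request(code, input("Client secret: ").strip())
    print("POST", url, "with", {k: v for k, v in body.items() if k != "client_secret"})
```

If the browser never reaches the callback and Azure shows an error page instead, the Redirect URI in the registration does not match `REDIRECT_URI`; if the callback arrives but the later token POST is refused, check the client secret and its expiry first.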
That concludes the configuration needed on the Azure side. Let's configure the ClearPass side now.
Step 1: Create a Guest Web Login page, add the Social Login option and select Microsoft Azure AD. Make sure the post-back address points to the certificate common name installed on your controllers, so the guest's browser is not presented with a certificate name mismatch when the credentials are posted back.
Step 2: Enter the Client ID and client secret you obtained while registering the Azure app (Steps 3 and 4 of the Azure section).
Step 3: Enable group membership fetching if your workflow needs Azure AD group membership (for example, to assign roles per group); this is the lookup that needs the Graph directory permission granted in the Azure section.
Step 4: Create a Service using the Guest template (Cloud Identity/Social Media Authentication).
On the screen below, keep the default values for now; the next step changes them to Azure.
Step 5: In the enforcement policy the template created, change the social login provider condition to Azure and remove the conditions that are not used.
This completes the configuration on the ClearPass side. Just make sure ClearPass can reach the Azure AD login and Microsoft Graph endpoints over HTTPS (TCP 443) through any firewall or proxy between it and the internet.
Now let's look at the controller configuration.
The controller needs an initial role bound to a captive portal profile that redirects guest traffic to ClearPass. Before authentication the role only has to allow DHCP, DNS to the permitted servers, and HTTPS to ClearPass and to the Microsoft sign-in endpoints on the whitelist; everything else stays denied. A sample configuration for this role follows.
netdestination microsoft_whitelist
 name *.microsoft.com
 name *.microsoftonline.com
 name login.microsoftonline.com
 name *.aadcdn.microsoftonline-p.com
 name login.live.com
 name mbs.microsoft.com
 name go.microsoft.com
 name login.microsoftonline-p.com
 name secure.aadcdn.microsoftonline-p.com
 name urs.microsoft.com
 name auth.gfx.ms
 name dynamicscrmemea.accesscontrol.windows.net
 name sc.imp.live.com
 name *.windows.net
 name *.passport.net
 name *.crm4.dynamics.com
 name home.dynamics.com
 name cloudredirectoreur.cloudapp.net
 name cloudredirectoreursec.cloudapp.net
 name *.azureedge.net
 name www.crmdynint.com
 name graph.windows.net
 name aadcdn.msauth.net
!
netdestination clearpass_cp
 name host
!
netdestination allowed_dns_servers
 host 220.127.116.11
!
ip access-list session restricted_dhcp
 user any udp 68 deny
 any any svc-dhcp permit
!
ip access-list session restricted_dns
 any alias allowed_dns_servers svc-dns permit
!
ip access-list session custom-logon-control
 any network 169.254.0.0 255.255.0.0 any deny
 any network 240.0.0.0 240.0.0.0 any deny
!
aaa authentication captive-portal "PGUEST_cp_prof"
 server-group ""
 redirect-pause 3
 no logout-popup-window
 login-page ""
 no enable-welcome-page
 white-list "clearpass_cp"
 white-list "microsoft_whitelist"
 redirect-url "https://www.arubanetworks.com"
!
user-role p-guest-logon
 captive-portal "PGUEST_cp_prof"
 access-list session global-sacl
 access-list session restricted_dhcp
 access-list session restricted_dns
 access-list session apprf-p-guest-logon-sacl
 access-list session custom-logon-control
 access-list session captiveportal
!
Make sure to set this role as the initial role in the AAA profile associated with the VAP. This is a simplified controller configuration. Note that wildcards such as *.windows.net and *.azureedge.net also match Azure-hosted content that has nothing to do with sign-in (storage and CDN endpoints), so an unauthenticated guest can reach those too; trim the whitelist to what your sign-in flow actually needs if that matters in your environment.
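Whitelist entries, ACL names and profile names in the snippet above are plain strings that the controller does not cross-check for you, and a typo in any of them silently leaves the pre-auth role either broken or wider than intended. The linter below is an added example (not code from the post or from Aruba) that parses an ArubaOS-style configuration and reports the mistakes a reviewer would look for in the initial role: a missing or undefined captive-portal profile, an empty login-page, white-lists that are not defined netdestinations, undefined ACLs, broad wildcards in the whitelist, and missing denies for 169.254.0.0/16 and 240.0.0.0/4. The embedded configuration is a constructed sample modelled on the snippet above; the ClearPass hostname and login-page URL are placeholders, and the sets of built-in ACL names and broad wildcards are assumptions you should adjust.

```python
# Constructed sample modelled on the controller snippet above; the ClearPass
# hostname and login-page URL are placeholders.
SAMPLE_CONFIG = """\
netdestination microsoft_whitelist
 name login.microsoftonline.com
 name *.windows.net
 name *.azureedge.net
!
netdestination clearpass_cp
 name clearpass.example.com
!
ip access-list session restricted_dhcp
 user any udp 68 deny
 any any svc-dhcp permit
!
ip access-list session custom-logon-control
 any network 169.254.0.0 255.255.0.0 any deny
 any network 240.0.0.0 240.0.0.0 any deny
!
aaa authentication captive-portal "PGUEST_cp_prof"
 white-list "clearpass_cp"
 white-list "microsoft_whitelist"
 login-page "https://clearpass.example.com/guest/azure_login.php"
!
user-role p-guest-logon
 captive-portal "PGUEST_cp_prof"
 access-list session global-sacl
 access-list session restricted_dhcp
 access-list session custom-logon-control
 access-list session captiveportal
!
"""

# Assumed: ACLs the controller provides itself, so referencing them is fine.
BUILTIN_ACLS = {"global-sacl", "captiveportal", "logon-control", "allowall"}
# Assumed: wildcards that also match tenant-hosted Azure content (storage, CDN).
BROAD_WILDCARDS = {"*.windows.net", "*.azureedge.net", "*.cloudapp.net"}


def parse_blocks(config: str) -> list:
    """Split ArubaOS-style config into (header, child lines) blocks ended by '!'."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or (line == "!" and header is None):
            continue
        if line == "!" or not line[0].isspace():  # end of block or new header
            if header is not None:
                blocks.append((header, children))
            header, children = (None, []) if line == "!" else (line, [])
        else:
            children.append(line.strip())
    if header is not None:
        blocks.append((header, children))
    return blocks


def quoted_arg(line: str, n: int) -> str:
    """n-th whitespace-separated token with surrounding quotes removed."""
    return line.split()[n].strip('"')


def lint_logon_role(config: str, role_name: str) -> list:
    """Return human-readable findings for the pre-auth role; an empty list means clean."""
    netdests, acls, profiles, roles = {}, {}, {}, {}
    for header, children in parse_blocks(config):
        if header.startswith("netdestination "):
            netdests[header.split()[1]] = children
        elif header.startswith("ip access-list session "):
            acls[header.split()[3]] = children
        elif header.startswith("aaa authentication captive-portal "):
            profiles[quoted_arg(header, 3)] = children
        elif header.startswith("user-role "):
            roles[header.split()[1]] = children

    role = roles.get(role_name)
    if role is None:
        return [f"user-role {role_name} is not defined"]
    findings = []

    # The captive-portal profile is what sends the guest to ClearPass at all.
    profile = profiles.get(next((quoted_arg(c, 1) for c in role if c.startswith("captive-portal ")), ""))
    if profile is None:
        findings.append(f"{role_name}: captive-portal profile missing or undefined, guests are never redirected")
    else:
        if not any(c.startswith("login-page ") and quoted_arg(c, 1) for c in profile):
            findings.append(f"{role_name}: login-page is empty, redirect will not reach ClearPass")
        for c in profile:
            if c.startswith("white-list "):
                wl = quoted_arg(c, 1)
                if wl not in netdests:
                    findings.append(f"{role_name}: white-list {wl} is not a defined netdestination")
                    continue
                for entry in netdests[wl]:
                    if entry.split()[-1] in BROAD_WILDCARDS:
                        findings.append(f"{wl}: {entry.split()[-1]} lets unauthenticated guests "
                                        "reach any host under that domain")

    # Every ACL the role names must exist, and the union must deny the bogon ranges.
    acl_lines = []
    for c in role:
        if c.startswith("access-list session "):
            acl = c.split()[2]
            if acl in acls:
                acl_lines += acls[acl]
            elif acl not in BUILTIN_ACLS and not acl.startswith("apprf-"):
                findings.append(f"{role_name}: access-list {acl} is not defined")
    for net in ("169.254.0.0", "240.0.0.0"):
        if not any(f"network {net} " in l and l.endswith(" deny") for l in acl_lines):
            findings.append(f"{role_name}: nothing denies traffic to {net}")
    return findings
```

Run it against `show running-config` output saved to a file (`lint_logon_role(open("running.cfg").read(), "p-guest-logon")`); on the sample it reports only the two broad wildcards, which is the intended warning rather than an error.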
I hope this is useful. Feel free to share your comments and feedback. If you are interested to check other ClearPass Tiny Bites, click here.