ClearPass SSO with Azure AD

In this post, I show how to configure ClearPass SSO with Azure AD. I use SSO (single sign-on) to authenticate ClearPass operators. Using SSO for end users, for example to authenticate against the network and onboard new devices, will be the topic of a later post.

What and Why?

So what is SSO or single sign-on? Actually this is nothing new nor something special. Most of today’s organizations use some kind of single sign-on. And if your organization does, it totally makes sense to integrate ClearPass into the SSO system.

An SSO system allows the user to sign on once and use all applications and/or websites without having to authenticate again. When you access an application, the authentication is done in the background and you have a seamless and uninterrupted workflow.

You can have your own SSO system or you can use one of the cloud-based systems like Azure or Google Apps, just to name two. Even ClearPass itself can be an SSO system.

So why should I use such a system? The answer might not be the obvious one, but it can make your system more secure. Here is the reason. First, the application or web page never sees your credentials. It only gets a response from the SSO system stating whether the user is permitted or denied.

Secondly, your users see only one page where they need to enter their credentials: the SSO page. Every other page asking for credentials should be treated as an attack. From my point of view, even someone without any IT knowledge can follow this rule.

For this post, I will use ClearPass SSO with Azure AD, which uses SAML in the background to exchange the authentication data.

I will not go into the details of SAML and assume you know what we are talking about. If not, have a look here:

https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

The Azure AD Part

Let’s start with Azure. Unfortunately, I do not have a premium subscription for Azure, so I need to work with the free version. (Maybe someone at MS can help me out 😜)

Why am I telling you this? If you have a premium subscription, you can build your own SSO app. With the free version, this is not possible. But you can use existing apps and reuse them for ClearPass. The following part is about this reuse. If you need to know how to build your own app, have a look at the official Aruba document here:

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=33093

Search for “ClearPass_Configuration-Guide_Onboard-Cloud-Identity-Providers_v2018-01.pdf”.

To use an existing app and modify it for ClearPass, read on. I assume you have a running Azure AD and you know how to work with Azure AD. To add a new app, select your directory and go to “Enterprise applications”:

ClearPass SSO with Azure AD – Enterprise Applications

Here you can hit the “New application” button, search for “KnowBe4” and select the entry:

ClearPass SSO with Azure AD – Add Application

Add a name for the app and click the “Add” button. Then wait for Azure to finish the task.

After the app is available your browser will be redirected to the app page. From there navigate to “Single sign-on”:

ClearPass SSO with Azure AD – Setup SSO

Now, you need to modify or add the configuration. The first part is “Basic SAML Configuration”. Here you need to insert the entries from the screenshot above. The “Identifier (Entity ID)” should look like this:

https://<clearpass-fqdn>/networkservices/saml2/sp

The “Reply URL (Assertion Consumer Service URL)” like this:

https://<clearpass-fqdn>/networkservices/saml2/sp/acs

For the “Sign on URL”, I use the ClearPass FQDN as well, without anything behind it. The reason is that the request might come from different pages, like the Policy Manager login page or the Insight login page, depending on which service is enabled for SSO.

Afterward, you can change or add “User Attributes & Claims”. For my setup, I added the “Group” claim. This later allows you to differentiate between users who access ClearPass and give them different access levels.

The very last step is to download the “Certificate (Base64)”. We need this for ClearPass. You also need to copy the “Login URL” for this application:

ClearPass SSO with Azure AD – Login URL from Azure

You can now assign users or groups to this application by going to “Users and groups”. This is very self-explanatory.

ClearPass SSO with Azure AD

Now we head over to ClearPass. The first step is to import the downloaded certificate into the ClearPass “Trust List”. To do so, go to “Administration–>Certificates–>Trust List” and use the “Add” Button:

ClearPass SSO with Azure AD – Add Certificate to ClearPass

This adds a new self-signed certificate to your “Trust List”. The “Subject DN” of this cert is:

CN=Microsoft Azure Federated SSO Certificate

This certificate is used by Azure to sign its SAML responses, so ClearPass can be sure that the response is unaltered and comes from a trusted source.
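To make the two Azure settings above and the Trust List step concrete, here is an added example (not ClearPass code and not from the original post) of the checks a SAML service provider applies to an Azure AD response before it trusts it: the “Reply URL” must match the response Destination, the “Identifier (Entity ID)” must match the assertion Audience, the validity window must hold, and the certificate carried inside the message must be the one imported into the Trust List. The FQDN, tenant id, certificate bytes and the whole sample response are constructed placeholders.

```python
"""Checks a SAML service provider such as ClearPass applies to an Azure AD
SAML Response before trusting it: status, destination (the Reply/ACS URL),
issuer, audience (the Entity ID), validity window and the identity of the
signing certificate. Added example; the response below is constructed."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values entered in Azure "Basic SAML Configuration" (the FQDN is a placeholder).
SP_ENTITY_ID = "https://clearpass.example.net/networkservices/saml2/sp"
SP_ACS_URL = "https://clearpass.example.net/networkservices/saml2/sp/acs"
# Azure AD issues assertions as https://sts.windows.net/<tenant-id>/ (tenant id is a placeholder).
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
# Stand-in for the DER bytes of the "Certificate (Base64)" imported into the Trust List.
TRUSTED_IDP_CERT_DER = b"constructed stand-in for the Azure Federated SSO certificate"
CERT_B64 = base64.b64encode(TRUSTED_IDP_CERT_DER).decode()
# Clock value used for the validity-window check in the demo.
NOW = dt.datetime(2021, 5, 1, 10, 1, tzinfo=dt.timezone.utc)

# Constructed response shaped like an Azure AD SAML Response (signature digest omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SP_ACS_URL}" ID="_resp1" Version="2.0" IssueInstant="2021-05-01T10:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>operator@example.net</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-05-01T09:55:00Z" NotOnOrAfter="2021-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def _parse_time(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_text, now, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL,
                   idp_issuer=IDP_ISSUER, trusted_cert_der=TRUSTED_IDP_CERT_DER):
    """Return a list of violations; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    # Destination must be exactly the Reply URL (ACS URL) entered in Azure.
    if root.get("Destination") != acs_url:
        problems.append(f"destination {root.get('Destination')!r} != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion present"]
    # Response and assertion both name the issuer; it must be our tenant's IdP.
    for issuer in (_text(root, "saml:Issuer"), _text(assertion, "saml:Issuer")):
        if issuer != idp_issuer:
            problems.append(f"unexpected issuer {issuer!r}")
    # Audience must be exactly the Identifier (Entity ID) entered in Azure.
    audience = _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience")
    if audience != sp_entity_id:
        problems.append(f"audience {audience!r} != entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if now < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # The certificate inside the message is untrusted input: it has to be
    # byte-identical to the Trust List certificate before verifying the XMLDSig
    # signature over it means anything (the signature math itself is left to ClearPass).
    cert_b64 = _text(assertion, "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
    if cert_b64 is None or base64.b64decode(cert_b64) != trusted_cert_der:
        problems.append("signing certificate is not the trusted Azure certificate")
    return problems


if __name__ == "__main__":
    print("valid response:", check_response(SAMPLE_RESPONSE, NOW) or "ok")
    typo = SAMPLE_RESPONSE.replace("networkservices/saml2/sp<", "networkservice/saml2/sp<")
    print("entity ID typo:", check_response(typo, NOW))
```

Running the demo shows why the URLs must match character for character: a response whose Audience reads `networkservice` instead of `networkservices` is rejected on the audience check, and a response carrying any certificate other than the imported one is rejected before a signature is even considered.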

The next step is to enable SSO for ClearPass. Go to “Configuration–>Identity–>Single Sign-On (SSO)”:

ClearPass SSO with Azure AD – Enable SSO for Guest and Onboard

Here you need to make some changes. The screenshot above already shows the finished configuration. First, enter the “Identity Provider (IdP) URL”. This is the “Login URL” from the Azure part above. For a first try, I would enable SSO for just one application within ClearPass. I started with the guest and onboard part. You can also try a different app, but then all of the following descriptions need to be adapted.

In the “Identity Provider (IdP) Certificate” section, select the certificate imported from Azure. Without the correct certificate, the authentication will fail.

The last step is to save the configuration. You now have a basic ClearPass SSO config.

During the configuration of Azure, I added the group claim. Unfortunately, this attribute is not known to ClearPass, so you need to add it to the application dictionary. If you do not need to assign different roles to users based on Azure groups, you can skip this step.

If you need different roles, read ahead. Go to “Administration–>Dictionaries–>Applications” and select the “SSO” dictionary. You can export the dictionary with a click of the “Export” button in the lower part of the new window.

Add the following line to the file:

<ApplDictionaryAttributes attrType="String" attrName="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>

Save the file and import the file again. The “SSO” dictionary should look like this:

ClearPass SSO with Azure AD – SSO Dictionary

Create SSO Services

The last part is to create a service to use the data from Azure for authentication. I will not go through every step, as I assume you know how to create Services, Role Mappings, Roles, Enforcement Profiles and Enforcement Policies in ClearPass.

Below is the Service to authenticate guest and onboard operators:

ClearPass SSO with Azure AD – ClearPass Service for Guest and Onboard Operators Service Tab

The “Type” of the service is “Aruba Application Authorization”. The “Service Rules” are very simple. I use the “Application” “Name”, in this case “GuestOperators”, and the “Authentication” “Type” is “SSO”. Both conditions must be true in order to use this service.

ClearPass SSO with Azure AD – ClearPass Service for Guest and Onboard Operators Roles Tab

To make my life easier, I use a simple “Role Mapping Policy”, which converts the cryptic Azure values (you will only get the group “Object Id” from Azure) into roles on ClearPass. This is something you can do, and I recommend doing it, not only in this case, but it is completely up to you.

ClearPass SSO with Azure AD – ClearPass Service for Guest and Onboard Operators Enforcement Tab

The “Enforcement” is very simple as well. At the moment, it is just me using ClearPass, so I simply enforce the “Super Administrator” role. If you need more granular profiles, like profiles for receptionists or sponsors or whatever you need, just add more conditions to your enforcement policy.

As the enforcement profile and the enforcement policy look different than for normal TACACS+ authentication, as described here, I will show my profile and policy in detail.

First, the enforcement profile:

ClearPass SSO with Azure AD – Enforcement Profile

The profile is of “Type” “Application” and returns the “Super Administrator” role as an “SSO-Role”.

ClearPass SSO with Azure AD – Enforcement Policy

The policy is an “Application” “Enforcement Type” as well. The conditions are configured the same way as for all other policies. BTW: don’t blame me for using the “TACACS Super Admin” role within ClearPass. I just reuse what is already there. For your system, you should create your own roles instead of using the default ones.

After everything is ready, you can try to log in to the guest application. You should be redirected to the Azure login page to provide your Azure AD credentials. Afterward, you should be authenticated within the guest application.
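The dictionary entry, the role mapping and the enforcement policy above form one chain: the group claim arrives as a list of Azure group Object Ids, the role mapping turns those ids into ClearPass roles, and the enforcement policy turns roles into the SSO-Role the profile returns. Here is an added example (not ClearPass code and not from the original post) that walks that chain over a constructed Azure AD attribute statement; the claim name is the one added to the SSO dictionary, while every Object Id, role name and the second rule are made-up placeholders.

```python
"""Role mapping and enforcement for an Azure AD SAML assertion, following the
structure of the service in this post: read the group claim, translate Azure
group Object Ids into ClearPass roles, then select an SSO-Role.
Added example; the attribute statement and all Object Ids are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name from the entry added to the ClearPass "SSO" application dictionary.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Role Mapping Policy: Azure group Object Id -> ClearPass role (ids are placeholders).
ROLE_MAPPING = {
    "11111111-2222-3333-4444-555555555555": "ClearPass Admins",
    "66666666-7777-8888-9999-aaaaaaaaaaaa": "Guest Receptionists",
}

# Enforcement Policy rules, evaluated first-match: (required role, SSO-Role to return).
# "Super Administrator" is the value from the post; "Receptionist" is an assumed second profile.
ENFORCEMENT_RULES = [
    ("ClearPass Admins", "Super Administrator"),
    ("Guest Receptionists", "Receptionist"),
]

# Constructed AttributeStatement shaped like what Azure AD sends with the group claim enabled.
SAMPLE_ATTRIBUTES = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>66666666-7777-8888-9999-aaaaaaaaaaaa</saml:AttributeValue>
    <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    <saml:AttributeValue>deadbeef-0000-0000-0000-000000000000</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml:AttributeValue>operator@example.net</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(statement_xml, name):
    """All values of the SAML attribute called `name`, in document order."""
    root = ET.fromstring(statement_xml)
    values = []
    for attribute in root.findall("saml:Attribute", SAML_NS):
        if attribute.get("Name") != name:
            continue
        for value in attribute.findall("saml:AttributeValue", SAML_NS):
            if value.text:
                values.append(value.text.strip())
    return values


def map_roles(group_ids, mapping=ROLE_MAPPING):
    """Evaluate every group: each mapped Object Id contributes a role, unmapped ids are ignored."""
    return sorted({mapping[g] for g in group_ids if g in mapping})


def enforce(roles, rules=ENFORCEMENT_RULES):
    """SSO-Role of the first rule whose required role the user holds; None means deny."""
    for required_role, sso_role in rules:
        if required_role in roles:
            return sso_role
    return None


def authorize(statement_xml):
    """Full chain: group claim -> ClearPass roles -> SSO-Role (or None)."""
    groups = attribute_values(statement_xml, GROUPS_CLAIM)
    return enforce(map_roles(groups))


if __name__ == "__main__":
    print("groups:", attribute_values(SAMPLE_ATTRIBUTES, GROUPS_CLAIM))
    print("roles:", map_roles(attribute_values(SAMPLE_ATTRIBUTES, GROUPS_CLAIM)))
    print("SSO-Role:", authorize(SAMPLE_ATTRIBUTES))
```

Two details carry the security weight: unknown Object Ids map to nothing rather than to a catch-all role, and a user who ends up with no mapped role gets no SSO-Role at all, which is the default deny you want when someone is assigned to the Azure app but to none of the groups you expect.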

The policy manager “Access Tracker” should have an entry for you like this:

ClearPass SSO with Azure AD – Access Tracker Summary

Nothing special here, but have a look at the next tab:

ClearPass SSO with Azure AD – Access Tracker Input

You see all the attributes coming from Azure.

You might now start to enable SSO for other application parts in ClearPass, like Insight or the Policy Manager itself. I have SSO enabled for all of the applications in ClearPass.

If you find this post useful, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and tell me what you don’t like. But whatever you do, leave me a comment.

8 thoughts on “ClearPass SSO with Azure AD”

  1. Great write up. I implemented this myself but also incorporated Azure App Proxy so I could make a guest operator page available for students to whitelist their IoT devices.

    Reply
    • Hi Ryan,

      Thanks for the comment, I really appreciate your feedback.
      You are correct, there are plenty of options with Azure and this was just some kind of introduction to show how simple it is to use something like Azure AD.

      Many thanks,
      Florian

      Reply
  2. Really like your blog! I’m going to test some of these out to see if this works with TACACS authentication on network devices login. I hope you keep writing in the future!

    Reply
    • Hi Bas,

      thanks for your comment. I really appreciate your words.

      To your question, unfortunately, you cannot combine Azure SSO with TACACS+. TACACS+ does need a user password combination, entered at the device login prompt. You cannot pass this to Azure.

      BR
      Florian

      Reply
  3. Thanks for this write up. Just to let you know that there is a small typo in your URLs that will lead to an AADSTS700016 error when the user tries to log in. It must be networkservices not networkservice. It is correct in the screenshot.

    Reply
    • Hi,

      thanks for the feedback. Really appreciated.
      Must have overseen the typo and corrected the typo. Thanks for letting me know.

      BR
      Florian

      Reply
  4. Hi, thanks for the great post!

    I’m trying to get this setup for our MPSK device registration. We have our 4 Clearpass servers behind our F5 load balancer and when I go to the initial site that we will be publishing on the load balancer and then log in with O365, it redirects me back to the originating Clearpass server and not to the load balanced site.

    Do you know how I could send the correct reply URL to O365? We do not want users accessing the Clearpass servers directly. Also, I had to add in all my 4 Clearpass servers on the Azure portal or else I was getting an error.

    We are currently running Clearpass 6.8.5

    Reply
    • Hi,

      I saw the same. I’m running two ClearPass servers and access them via the VIP, but after authenticating, I’m always redirected to a specific IP instead of the VIP. I was not looking into this, as it still suits my needs, but let me check if I can get something on this.

      BR
      Florian

      Reply
