How to social login with Aruba controller. Bo Nielsen, CCIE #53075 (Sec) December 2016, V1.00

Similar documents
TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

Aruba Mobility. Setup Guide

Language Customization ArubaOS Captive Portal

Cloudpath and Aruba Instant Integration

Configure Guest Flow with ISE 2.0 and Aruba WLC

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller.

Grandstream Networks, Inc. Captive Portal Authentication via Twitter

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Infoblox Authenticated DHCP

What Is Wireless Setup

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

CMX Connected Experiences- Social, SMS and Custom Portal Registration Configuration Example

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2

Aruba Certified Clearpass Professional 6.5

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Configuring RADIUS Clients

Aruba Central Guest Access Application

WEB ANALYTICS HOW-TO GUIDE

Wireless LAN Controller Web Authentication Configuration Example

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10

Figure 1 - Controller-Initiated Web Login Flow

Case Study Captive Portal with QR Code authenticator assisted

How to Configure Authentication and Access Control (AAA)

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

P ART 3. Configuring the Infrastructure

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

Managing NCS User Accounts

CMX Dashboard Visitor Connect

Configuration examples for the D-Link NetDefend Firewall series DFL-260/860

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Central Web Authentication on the WLC and ISE Configuration Example

WiNG 5.8 HOTSPOT HOW-TO. RRC Poland Auto ID 2015

Pulse Policy Secure. Guest Access Solution Guide. Product Release 5.4R1

Application Example (Standalone EAP)

IT Department. Basic WIFI Troubleshooting on ACC SSID. October 2017

Creating Wireless Networks

Provide One Year Free Update!

Pulse Policy Secure. Guest Access Solution Configuration Guide. Product Release 5.2. Document Revision 1.0 Published:

Ruckus SmartZone 100 and Virtual SmartZone (Essentials)

ACMP_6.4

BYOD: BRING YOUR OWN DEVICE.

In!order!to!enable!this!functionality,!three!files!must!be!employed!on!the!webserver:!

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2

Network Controller 3500 Quick Start Guide

Aruba Central. User Guide

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Cisco WLC. (For Version ) CoA Setup Guide

CounterACT Aruba ClearPass Plugin

Configure Guest Access

Encapto WiFi OVERVIEW

Working DERIVATION ROLE for DOMAIN and PERSONAL workstation without CPPM Jan14-Tutorial

ISE Version 1.3 Hotspot Configuration Example

Barracuda Firewall Release Notes 6.5.x

OmniAccess Stellar Enterprise SE Remote Demo Script

Identity Firewall. About the Identity Firewall

Vendor: Aruba. Exam Code: ACMP_6.1. Exam Name: Aruba Certified Mobility Professional 6.1. Version: Demo

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

DIGIPASS Authentication to Citrix XenDesktop with endpoint protection

D-Link Central WiFiManager Configuration Guide

Web and MAC Authentication

ISE Express Installation Guide. Secure Access How -To Guides Series

Configuring Web-Based Authentication

Configuring the EAPs Globally via Omada Controller

Highlight. Central AP Management with High Scalability

BIG-IP Access Policy Manager : Implementations. Version 12.1

Ruckus SmartCell Gateway. Setup Guide. Published April Version 1.0

WP Voting Plugin - Ohiowebtech Video Extension - Youtube Documentation

User Management: Configuring User Roles and Local Users

BIG-IP Access Policy Manager : Portal Access. Version 12.1

System requirements The minimum system requirements for a gateway with less than 10Mbps of throughput are:

The Wifidog project is an open source captive portal solution It consists of two components:

ClearPass Design Scenarios

LevelOne. AMG-2000 AP Management Gateway. User Manual. v

Instant 3.3: BYOD and Captive portal Enhancements

Guest Management. Overview CHAPTER

Juniper Networks Access Control Release Notes

Network Configuration Example

MSC-5100 Promotional Bundle Quickstart

DualFence. Implementation Guide. Copyright 2013 Deepnet Security Limited. Copyright 2013, Deepnet Security. All Rights Reserved.

BIG-IP Access Policy Manager : Secure Web Gateway. Version 12.1

Managing WCS User Accounts

ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager. Integration Handbook

Integrating Meraki Networks with

ISE with Static Redirect for Isolated Guest Networks Configuration Example

NIELSEN API PORTAL USER REGISTRATION GUIDE

Latest IT Exam Questions & Answers

Connecting CoovaAP 1.x with RADIUSdesk - Basic

Testkings.ACMP_ questions. Aruba ACMP_6.3. Aruba Certified Mobility Professional 6.3

Guest Access User Interface Reference

Connect-2-Everything SAML SSO (client documentation)

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Configuring Web-Based Authentication

BIG-IP Access Policy Manager (APM) v11.2 Table of Contents

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Managing WCS User Accounts

Hacom pfsense Deployment Guide

Transcription:

Bo Nielsen, CCIE #53075 (Sec) December 2016, V1.00

Overview This short document describes the basic setup for social login using Aruba ClearPass and Aruba wireless LAN controller. Aruba ClearPass, version 6.6.2.86786 Aruba wireless LAN controller 7005, version 6.4.4.8 The Aruba ClearPass (CP) offers guest login with or without MAC caching and self-provisioning were the end user is allow to create a guest account with a time limit. Another solution is to offer guest access using a social login. This is how it goes: 1. The user connects to an open wireless network. 2. The initial role on the Aruba wireless controller is set to use captive portal and the settings for this captive portal points to an URL. This URL uses a dedicated web page on the CP. 3. The web page on the CP is configured to use social login. 4. The webpage can also use guest accounts on the CP or users from an external database like Windows AD (option). 5. If the user clicks on the social login buttom (in this example Google+), the user is instructed to enter the username and password for the Google account. 6. The user is authenticated and the MAC address for the users endpoint is updated to status Known and some extra attributes for the google login are added. 7. The user can then use to wireless network until the session expires, then a new login from the social network is required. The easy part is the wizard for social login and guest access role. The difficult part is the Goggle API... Bo Nielsen, CCIE #53075 (Sec) Side 1

The web page for social login Login to ClearPass Guest. ClearPass Guest -> Configuration -> Pages-> Web Logins -> Create a new web login page 1. Enter a name for the web page in the Name field. 2. Enter the page name (use for captive portal configuration) in the Page Name field. 3. Enter a short decription in the Description field (option). 4. Use the default setting for Aruba wireless LAN controller. 5. Enable Set Prevent CNA in order to avoid an error from Google API saying that "This user-agent is not permitted to make OAuth authorization request to Google..." 6. Set the Pre-Auth Check to None - no extra checks will be made. Bo Nielsen, CCIE #53075 (Sec) Side 2

7. Under Social Logins, select Enable login with social network credentials. 8. Click on Add new authentication provider. 9. Select Google from the list. 10. Enter a short random number in Client ID and Client Secret (we come back to that later). 11. Click on Add. 12. Copy the text for Buttons, here {nwa_social_logins} 13. Paste the text in the Header HTML or Footer HTML (here the footer part) 14. Click the Save Changes. Next is the configuration on the Aruba wireless LAN controller. Bo Nielsen, CCIE #53075 (Sec) Side 3

Configure the Aruba controller The this example the wizard for campus WLAN is completed. We have a SSID, "Guest", and no use of MAC authentication. The first part is to create a captive portal and a new user role. This role will use captive portal and allow access to Google before the final authentication takes places. The end user must have access to Google in order to be authenticated externally. In this example I have used the role social-logon. First it is important, that the Aruba LAN controller can do DNS lookup. Configuration -> NETWORK -> IP -> IP Routes & DNS Enter the IP address(es) for DNS. The good thing is that there is already an alias for Auth-Google under: Configuration -> ADVANCED SERVICES -> Stateful Firewall -> Destination This alias is used for access to Google authentication for the initial role social-logon. Bo Nielsen, CCIE #53075 (Sec) Side 4

Create the captive portal The captive portal configuration uses the Aruba ClearPass web page, that you just created. Configuration -> SECURITY -> Authentication -> L3 Authentication Click on (+) for Captive Portal Authentication, enter a name and click Add. The essential part is to: De-select use for Logout popup window De-select Show Welcome Page Enter the full URL in Login page, here "https://clearpass.credocom.dk/guest/google.php" Click on Apply. Remember to select the RADIUS server group under Server Group for captive portal setting. If no RADIUS server group can be selected, you have to create a RADIUS under: Configuration -> SECURITY -> Servers Bo Nielsen, CCIE #53075 (Sec) Side 5

Create the init role for social logon Configuration -> SECURITY -> Access Control -> User Roles -> Add Enter name for the user role, here social-logon. Select the captive portal under Captive Portal Profile. Add 4x access rules for this role (social-logon): HTTP and HTTPS access to the Aruba ClearPass server Access to Google, the default alias under stateful firewall destination Logon-control for DHCP and DNS Captiveportal (must be the last rule) Next you have to modify the AAA profile to use this user role for initial access. Bo Nielsen, CCIE #53075 (Sec) Side 6

Modify the AAA profile The final step on the Aruba wireless LAN controller is to use the newly created role for initial access. Configuration -> SECURITY -> Authentication -> AAA profiles Click on (+) for the guest ssid, here Guest-aaa_prof. The most part of the configuration on the authentication can be seen or verified under: 1. Select the newly created role as Initial role. 2. No use of MAC Authentication 3. Select or verify the server group name for RADIUS Accounting Server Group (option). That's it! Next step is the wizard on Aruba ClearPass for social authentication. Bo Nielsen, CCIE #53075 (Sec) Side 7

Configure the ClearPass Login to ClearPass Policy Manager. ClearPass Policy Manager -> Configuration -> Start Here UseGuest Social Media Authentication Enter the few parameters for the step-by-step wizard, and in this example only Google is used. The wizard creates: 1x Service 1x Enforcement policy 6x Enforcement profiles The essential part of the profiles is the session-timeout. Bo Nielsen, CCIE #53075 (Sec) Side 8

Short verification before Google API Before going on to the Google API you may verify that redirection takes place. Right, you got it! Bo Nielsen, CCIE #53075 (Sec) Side 9

Google API configuration The goal is to create a Client ID and a Client Secret using the Google API. First you must have a Google account. Start the web browser and the easiest way is to search for "Google api console". Click on Google API. Login using your own Google account. Create a project, and here I have created "MY Clearpass project". 1. Click on Credentials. 2. Click on Create credentials. Bo Nielsen, CCIE #53075 (Sec) Side 10

3. Select OAuth client ID. 4. Select Web application from the list. 5. Enter a name for the credentials. Bo Nielsen, CCIE #53075 (Sec) Side 11

6. Enter the URL for the web page that is used for captive portal. 7. Click Create. A new window pops up with the Client ID and Client secret. Copy these string values into notepad or a text editor. Save the file for later use, if required. Logout from the Google API. Bo Nielsen, CCIE #53075 (Sec) Side 12

Finally you must add the Client ID and Client secret to the web page on ClaerPass. Login to ClearPass Guest. ClearPass Guest -> Configuration -> Pages-> Web Logins Edit the web page for social login. Under Social Logins, click on Google and select Edit. Copy-and-paste the Client ID and Client Secret, click on Update. Click on Save Changes. Well done! Bo Nielsen, CCIE #53075 (Sec) Side 13

Verification using Tracker Bring a device on the wireless guest network. Redirecting should happen due to the inital role on the Aruba wireless LAN controller. Click on the Google+ button. Enter the Google credentials, and you are done. Take a look for the endpoint under Configuration -> Identity -> Endpoints Status is set to Known (if you want to use MAC authentication). Bo Nielsen, CCIE #53075 (Sec) Side 14

The attributes are also set: Note: The social_password and social_username can be use for login, but the end user have no clue about the random password here in clear text. On the Aruba wireless LAN controller the user role switch from social-logon to guest. Before logon After logon The role guest is set by the Aruba controller under the AAA profile, because the RADIUS profile on ClearPass does not return a role. You can add a user role on the Aruba wireless LAN controller when autheticated, and add the attribute Aruba-user-role to the RADIUS profile for social logon. Bo Nielsen, CCIE #53075 (Sec) Side 15

Add-on to the setup If you also wants guest access, I have used this: Add the Guest User Repository to the authentication service. Create a RADIUS profile with an Aruba role used for guest users created on ClearPass. The role must also exist on the Aruba wireless LAN controller. Finally, modify the enforcement policy from the wizard. Bo Nielsen, CCIE #53075 (Sec) Side 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback