After a few weeks of frustration and limited documentation, I was able to log into a WPA2 Enterprise SSID with a certificate issued by Aruba ClearPass, logging in with only Okta. This shouldn't be as complicated or daunting as it was.
I make no guarantees that this will work correctly, as software is an ever-moving target; I can only attest that this worked when this blog post was published. I may have missed a couple of things, but this should further your progress.
First, Okta + ClearPass integration
Starting with Aruba ClearPass 6.10, native Okta integration has been removed in favor of a generic SAML integration.
Okta
Single Sign On URL: https://<clearpass server>/networkservices/saml2/sp/acs
Recipient URL: https://<clearpass server>/networkservices/saml2/sp/acs
Destination URL: https://<clearpass server>/networkservices/saml2/sp/acs
Audience Restriction: https://<clearpass server>/networkservices/saml2/sp/acs
Application username format: Okta username
Download the X.509 certificate, it will be used later
ClearPass
Policy Manager > Administration > Certificates > Trust List
➕ Add
Certificate File > [ Choose the X.509 certificate saved earlier ]
Usage > SAML
Usage > Others
Add Certificate
Policy Manager > Configuration > Identity > Single Sign-On (SSO)
SAML SP Configuration
Identity Provider (IdP) URL: <provided by Okta as Identity Provider Single Sign-On URL>
Enable SSO for: ☑ Onboard; the others aren't required, but that depends on your needs and is outside the scope of this post.
Identity Provider (IdP) Signing Certificate
Select the Okta SAML certificate
Second, ClearPass changes required
In order to get the certificates to properly authenticate against ClearPass, a couple changes are required.
Policy Manager > Configuration > Authentication > Methods
[EAP TLS With CN Check]
Copy
Cancel out, open "Copy of [EAP TLS With CN Check]"
- Rename "Copy of [EAP TLS With CN Check]" to something meaningful like "Company Name [EAP TLS]"; you'll use this later
- Uncheck Authorization Required: Enable -- This setting looks the user up against your authentication source, which likely isn't defined, as you're using Okta as your IdP and nothing is stored locally for the user
HTTPS certificate
Add your HTTPS certificate; this is a requirement for authenticating macOS clients newer than Lion 10.7. It may make sense to add signing capabilities to this certificate as well, to allow Android devices to authenticate to RADIUS.
Policy Manager > Administration > Certificates > Certificate Store > Import Certificate > Server > Usage HTTPS(RSA)
As our certificate provider only provided the certificates in CRT format, I converted them to PKCS#12 to more easily import the certificate together with the key. Note: set a passphrase on the bundle; otherwise ClearPass will choke, even with an unencrypted key.
openssl pkcs12 -inkey cppm.key -in cppm.crt -export -out cppm.pfx
This imported without issue after adding the intermediate certificate and enabling it (and its root) under Administration > Trust List.
With ClearPass 6.10, support for ECC keys was added. If you are only using RSA keys, you may have to disable the ECC server certificate.
Server Certificates > Select Usage > HTTPS(ECC) Server Certificate > Disable
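Before uploading the PFX it is worth checking that the key actually matches the certificate, that the chain verifies through the intermediate you will add to the Trust List, and that the bundle opens with the passphrase you set. The script below is an added example and not part of the original post; the file names (cppm.key, cppm.crt, int.crt, root.crt) are assumptions, and the demo PKI it generates under a temp directory is constructed purely so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the original post): package a ClearPass HTTPS
# certificate as PKCS#12 with an export passphrase and sanity-check the
# key, certificate and chain first. File names below are assumptions.
set -eu

# Return 0 if the private key and the certificate share the same public key.
key_matches_cert() {
  # $1 private key (PEM), $2 certificate (PEM)
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Return 0 if the server certificate chains to the trusted root through the
# untrusted intermediate bundle (the same certs you put in the Trust List).
chain_verifies() {
  # $1 server cert, $2 trusted root, $3 intermediate(s)
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Build the PFX with an export passphrase and the intermediate(s) bundled in.
# Refuses to build if the key does not belong to the certificate.
build_pfx() {
  # $1 key, $2 server cert, $3 intermediate bundle, $4 output pfx, $5 passphrase
  key_matches_cert "$1" "$2" || { echo "private key does not match $2" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "cppm-https" -passout "pass:$5" -out "$4"
}

# Print the number of certificates in the bundle (server cert + intermediates)
# when opened with the passphrase; returns non-zero if it cannot be opened.
pfx_cert_count() {
  # $1 pfx, $2 passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo PKI (root -> intermediate -> server) so everything runs offline.
make_demo_pki() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cppm.example.com" \
    -keyout "$d/cppm.key" -out "$d/cppm.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/cppm.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/cppm.crt" 2>/dev/null
}

# End-to-end run against the demo PKI: verify, build, read back.
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  chain_verifies "$d/cppm.crt" "$d/root.crt" "$d/int.crt" && echo "chain verifies against root"
  build_pfx "$d/cppm.key" "$d/cppm.crt" "$d/int.crt" "$d/cppm.pfx" "changeit"
  echo "certificates in bundle: $(pfx_cert_count "$d/cppm.pfx" changeit)"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh cppm-pfx.sh demo` to exercise the demo PKI; against real files, call `build_pfx cppm.key cppm.crt int.crt cppm.pfx 'your passphrase'` after `chain_verifies cppm.crt root.crt int.crt` succeeds. Bundling the intermediate with `-certfile` is what lets the appliance present the full chain. If an importer rejects a bundle produced by OpenSSL 3, note that OpenSSL 3 defaults to PBES2/AES for PKCS#12 and offers `-legacy` to fall back to the older encoding some importers still expect.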
You should now be able to use Okta to log into ClearPass Onboard using the Okta chiclet. It'll just drop you at the Onboard administrative portal, nothing more. I'll update this post later once I determine how to drop the user into the onboarding portal itself. Feel free to hide the Okta chiclet if this situation isn't ideal; it has no bearing on the functionality of the onboarding portal, as you'll see later.
Lastly, ClearPass + Mist integration
ClearPass
Network Profile
Onboard > Onboard > Configuration > Network Settings
Create new network
Name: Okta WiFi (or whatever)
Network Type: Both — Wired and Wireless -- This allows us to use this profile for wired 802.1x authentication as well
Security Version: WPA2 with AES
SSID: Whatever You Want
-> Next
Enable TTLS and PEAP; the others aren't required, but it shouldn't hurt to leave them enabled
Inner Identity: MSCHAPv2
-> Next
iOS & macOS Authentication
Credentials: Certificate
💾 Save Changes
Configuration Profiles
Onboard > Onboard > Deployment and Provisioning > Configuration Profiles
Create new configuration profile
Name: IT Onboarding (or whatever)
Networks: Select your network, uncheck Example Network
💾 Save Changes
Provisioning Settings
Onboard > Onboard > Deployment and Provisioning > Provisioning Settings
Create new provisioning settings
Name: <Company Name> Onboard
Organization: <Company Name> IT
Identity
Certificate Authority: Local Certificate Authority
Signer: Onboard Certificate Authority
TLS Certificate Authority: Local Certificate Authority
Key Type: 2048-bit RSA - created by device
Unique Device Credentials: [X]
Authorization
Authorization Method: App Authentication — check using Aruba Application Authentication
Use SSO: [X]
Configuration Profile: IT Onboarding (or whatever you named it)
Maximum Devices: 0 will allow users to provision unlimited devices
> Next
Adjust settings appropriately for your organization, if necessary.
> Next
Page Name: device_provisioning_2 (name this something easy)
> Next
> Next
Apple Profiles
Display Name: [This should be a friendly name that won't scare users]
Profile Description: "This provisioning profile will allow you to connect to the wifi and wired networks at [Company name]"
Profile Signing:
Certificate Source: Generate using the Onboard CA [This should be fine, it'll install the root certificate in the profile, but you can use another source.]
Common Name: "Device Enrollment (Profile Signing)" [This should be fine, only your IT department would really see this.]
> Next
Onboard Client
Code-Signing Certificate: [This is where you can select your certificate from earlier, "None" may break Android enrollment.]
Provisioning Address: [Use your IP unless you're certain your DNS is functional]
Validate Certificate: Yes
Logo Image: [You can upload a PNG or JPG under Content Manager]
> Next
💾 Save Changes
Now to allow Mist to authenticate against ClearPass
Devices
Policy Manager > Configuration > Network > Devices
Add
Name: [Office name] [VLAN name]
Subnet address: 10.10.10.0/24 [Or wherever your APs live within your network]
RADIUS Shared Secret: [This should be noted as you'll be using this in Mist's portal]
Vendor Name: Cisco [Mist uses some of Cisco's RADIUS attributes]
Save
Services
Policy Manager > Configuration > Services
Add
Name: mist wireless
Type: 802.1X Wireless
Monitor Mode: Disabled
More Options: -
Service Rules
Match ALL of the following conditions:
1. Radius:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)
2. Radius:IETF Service-Type BELONGS_TO Login-User (1), Framed-User (2), Authenticate-Only (8)
3. Connection SSID CONTAINS [your SSID]
Authentication Methods
1. "Company Name [EAP TLS]"
2. [EAP PEAP]
3. [EAP FAST]
4. [EAP TTLS]
Authentication Sources:
1. [Onboard Devices Repository] [Local SQL DB]
2. [Local User Repository] [Local SQL DB]
Mist
Organization > Wireless > Config Templates
Create Template
Name: Whatever you want
WLANs: Add WLAN
SSID: [Name used in the Network Settings page of ClearPass, this should match]
Security: WPA-3/EAP (802.1x)(+WPA-2)
RADIUS Authentication Servers:
Add Server
Hostname: [IP address of your ClearPass server]
Shared Secret: [RADIUS Shared Secret from the last step in ClearPass]
✔
RADIUS Accounting Servers
☑ Enable Interim Accounting
Add Server
Hostname: [IP address of your ClearPass server]
Shared Secret: [RADIUS Shared Secret from the last step in ClearPass]
NAS Identifier: mist-[ssid]-{{DEVICE_NAME}}--{{SITE_NAME}}
VLAN: Untagged
Save
Done, now onboard and test
Onboard your device (using Safari; it's easier, due to Apple being Apple) at:
https://[clearpass hostname]/onboard/device_provisioning_2.php
[device_provisioning_2 should be what you named it earlier, if you chose a different name]
This should push you through the Okta authentication flow and take you straight to the certificate download, then the profile download. Install the certificate and profile (System Preferences > Profiles) and it should connect you to your new wireless network. If a dialog asks for a username and password, just leave them blank.
You can validate your authentication was successful in Policy Manager
Policy Manager > Monitoring > Live Monitoring > Access Tracker
This should show your Okta username with ACCEPT.
Click the request and open the Input tab; it should also show you the certificate under "Computed Attributes".
Hopefully this walkthrough helped. As of early May 2022, this post was accurate.