Security

  • 1.  ClearPass Onboard + Cloud Identity Provider OKTA

    Posted Aug 12, 2021 06:03 AM
    Hi all,

    I am configuring ClearPass onboard + Cloud Identity Provider OKTA.
    I followed the guide posted in the Airheads Community
    But for some reason the service is not selected and I don't have any idea at this moment on how to proceed.

    We make use of onboarding by using the Onboard Portal link on the Guest Portal Page.
    First I configured the Onboarding using the template.
    It creates 3 services in this order:
    Onboard Pre-Auth
    Onboard Authorization
    Onboard Provisioning

    Reconfigured this to work with AD, and this works great.
    Connecting to a single SSID used for pre-auth using PEAP, and after provisioning with TLS.
    And also in combination with the Guest Portal Page and the Onboard URL on the Guest Page.

    We reconfigured, as documented in the guide, the SSO under Identity, and with 2 services:
    The Onboard SAML pre-authentication service with type Aruba Application Authorization, exactly as in the guide.
    And the service used after onboarding for TLS.

    But when testing the configuration, the new SAML pre-authentication service with type Aruba Application Authorization is not selected.
    The conditions are in there, but for some reason the SSO condition is not working in this service; ServiceClassification failed.

    Any ideas why this is not working? We did everything as described in the guide.

    Thanks in advance.
    Best regards,
    Martin Verbon


    ------------------------------
    Martin Verbon
    ------------------------------


  • 2.  RE: ClearPass Onboard + Cloud Identity Provider OKTA

    Posted Aug 12, 2021 09:27 AM
    Hi All,

    Update. In the guide where the Okta configuration is described, the SSO part is missing.
    After configuring this, the SSO part is now working. The Onboard Authorization Service is used.
    Now only in the last part, with the Quick Connect client, is something going wrong: I am again getting a service classification failed during Quick Connect.

    Figuring out why...

    FYI, the SSO part is missing in the guide. Maybe the guide can be updated under Okta.
    Home » Onboard » Deployment and Provisioning » Provisioning Settings -> <name>

    I'll let you know the outcome.
    Br, Martin

    ------------------------------
    Martin Verbon
    ------------------------------



  • 3.  RE: ClearPass Onboard + Cloud Identity Provider OKTA

    Posted Aug 13, 2021 03:03 AM
    Edited by MartinVerbon Aug 13, 2021 03:06 AM
    Hi,

    Hope anyone can help me with this?
    I am still getting a service classification failed during the quick connect.
    When starting Quick Connect, I am getting this error:


    Logfile:
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Downloading device credentials from the Onboard server - https://xxxxx.com/onboard/mdps_qc_enroll.php
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Checking whether bypass proxy is false or true
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Bypass proxy is false
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Onboard server Host Name xxxxx.com
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Onboard server URL Path /onboard/mdps_qc_enroll.php
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Retrieving value of Validate-Server-Certificate option
    2021-08-12 15:32:24,397 [null] INFO Quick1X.QuickConnectDlg - Disabling Onboard server certificate validation
    2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Detected Windows version - Windows 8.1
    2021-08-12 15:32:24,694 [null] ERROR Quick1X.QuickConnectDlg - Received error HTTP Status code - 403
    2021-08-12 15:32:24,694 [null] DEBUG Quick1X.Util - Running config task as logged in user

    The service is used for SSO and starting the onboarding, for the user <name>.com



    But during the onboarding process the error is displayed on the PC and I am getting this Access Tracker log: user <name>.com login status rejected.
    No service is being classified.

    This is the application log:


    So, if anyone can help me with this I would really appreciate it.
    I think I am still missing something in the service configuration, but the guide is not giving me the solution for this.

    Thanks and best regards,
    Martin





    ------------------------------
    Martin Verbon
    ------------------------------
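As an added triage helper (not from the thread or from Aruba), the script below parses the Quick1X/QuickConnect log format quoted in the post above, pulls out the enrolment URL, any HTTP failure and whether Onboard server certificate validation was disabled, and turns those into the next checks; the line shape and the constructed sample are taken from the redacted log lines in the post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Line shape in the Quick1X/QuickConnect log quoted above: "<ts> [null] LEVEL Logger - message"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[\w*\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")
URL_RE = re.compile(r"from the Onboard server - (?P<url>\S+)")
HTTP_ERR_RE = re.compile(r"Received error HTTP Status code - (?P<code>\d{3})")

@dataclass
class Triage:
    enroll_url: str | None = None
    cert_validation_disabled: bool = False
    http_errors: list[tuple[str, int]] = field(default_factory=list)

def triage_quickconnect_log(text: str) -> Triage:
    """Extract the enrolment URL, HTTP failures and the certificate-validation setting."""
    t = Triage()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-log line
        msg = m["msg"]
        if (u := URL_RE.search(msg)):
            t.enroll_url = u["url"]
        elif "Disabling Onboard server certificate validation" in msg:
            t.cert_validation_disabled = True
        elif (h := HTTP_ERR_RE.search(msg)):
            t.http_errors.append((m["ts"], int(h["code"])))
    return t

def findings(t: Triage) -> list[str]:
    """Turn the parsed facts into the next checks a ClearPass admin would make."""
    out = []
    for ts, code in t.http_errors:
        hint = ("; check Access Tracker for the second (provisioning) authentication "
                "and which service, if any, it matched") if code == 403 else ""
        out.append(f"{ts}: HTTP {code} from {t.enroll_url}{hint}")
    if t.cert_validation_disabled:
        out.append("Validate-Server-Certificate is off: the client accepts any certificate "
                   "from the Onboard server; re-enable it once enrolment works")
    return out

# Constructed sample: the redacted lines from the post above.
SAMPLE = """\
2021-08-12 15:32:24,397 [null] DEBUG Quick1X.QuickConnectDlg - Downloading device credentials from the Onboard server - https://xxxxx.com/onboard/mdps_qc_enroll.php
2021-08-12 15:32:24,397 [null] INFO Quick1X.QuickConnectDlg - Disabling Onboard server certificate validation
2021-08-12 15:32:24,694 [null] ERROR Quick1X.QuickConnectDlg - Received error HTTP Status code - 403
"""
```

Run `findings(triage_quickconnect_log(SAMPLE))` to get the 403 pointer to the second authentication plus the certificate-validation warning; feed it the full client log to see every HTTP failure in order.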



  • 4.  RE: ClearPass Onboard + Cloud Identity Provider OKTA

    Posted Aug 24, 2021 05:36 AM
    You probably fixed this already. If not, please work with Aruba Support or your Aruba partner.

    If that second authentication is not matching any service, you should create a service that matches. The Input tab will likely give information about the type of authentication and the parameters you can match on.

    It is expected to have 2 authentications with onboarding. One is to authorize the Onboarding process and is mostly if the user is allowed to onboard, the second is for issuing the client certificate and that one has all kinds of info about the device and if that is allowed to be onboarded by the user.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------