Security

  • 1.  ClearPass | SAML for 802.1X wired client

    Posted Feb 28, 2022 04:42 AM
    Hello Everyone,

    I open this thread about a question on ClearPass (6.10.3) and SAML.

    I have a customer who needs to interact with a partner as an identity provider. This partner uses an LDAP which manages 50% of the user and computer accounts used by my customer.
    The partner rules out the use of EAP-TLS (there is no PKI), so PEAP-MSCHAPv2 is mandatory, with the ClearPass servers joined to the domain controllers. The partner doesn't allow this.
    So I have suggested the use of Proxy RADIUS, which is possible for the partner, but they want to avoid it... I know, this partner is not an easy one.
    The partner wants to use SAML, OpenID or OAuth2.

    I read in the documentation that ClearPass does some SAML, but only for SSO on the CPPM admin, operator and guest pages... Can you confirm this? Is there a way to use a SAML server as IdP and use it as an authentication source in a service?
    If not possible, I have the same question for OAuth.

    Thank you for your help.


    ------------------------------
    Guillaume Lorre
    ------------------------------


  • 2.  RE: ClearPass | SAML for 802.1X wired client

    Posted Feb 28, 2022 11:50 AM
    Your customer basically rejected everything that is possible. What is closest to what they request is to use Onboard with Cloud Identity Provider.

    There is no way to do 802.1X with SAML, as SAML requires network connectivity, and you can't reach the SAML server to do the authentication before you are authenticated.

    Best would be to get an experienced engineer to work with your customer and explain the options there are and if they reject solutions what that means for them. They probably have to compromise at some point if they want to have a secure and working solution.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass | SAML for 802.1X wired client

    Posted Mar 01, 2022 01:20 PM
    Hello Herman,

    Thanks for your answer.

    Yes, this customer is quite... challenging. And I agree with your analysis on the need to make some compromises to have a working and secure solution. To be honest, I need to prove that Proxy RADIUS is the best for them: best for the customer and partner context.

    I don't have much experience with SAML. And maybe I don't understand it well. So here is my understanding: if ClearPass is the SP, can it relay an authentication request, received from a NAD via RADIUS, to an IdP (by translating RADIUS to SAML)? Or does the client need network connectivity? Maybe RADIUS and SAML attributes are incompatible?

    I have read your documentation on OnBoard with Cloud Identity Provider. It seems to be very close to what we need in this architecture. So I have some questions:
    - Is it possible with other IdPs than Azure, Google and Okta (I see we need to import some dictionaries, so maybe it's open)?
    - How are OnBoard licences counted with this authentication?

    About OAuth2.0, is the problem the same?

    Have a good day.



    ------------------------------
    Guillaume Lorre
    ------------------------------
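The Proxy RADIUS design raised in the first and third posts (ClearPass forwarding the partner's users to the partner's RADIUS server instead of joining the partner's domain) hinges on two decisions a proxy makes per request: is the packet authentic, and which realm does it belong to. The following Python model is an added example, not ClearPass code and not from this thread; ClearPass configures proxying in its own UI, so this only illustrates the logic. It builds an Access-Request with a Message-Authenticator (HMAC-MD5 over the packet with that attribute zeroed, as RFC 2869 specifies), verifies it before routing, and routes on the realm after `@` in User-Name. The shared secret, realm names and proxy target are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def _encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte covers type and length too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(packet: bytes):
    """Return (type, offset, value) for every attribute, rejecting malformed TLVs."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("packet length mismatch")
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(secret: bytes, identifier: int, authenticator: bytes, user_name: str) -> bytes:
    """Access-Request carrying User-Name plus a valid Message-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = _encode_attr(ATTR_USER_NAME, user_name.encode("utf-8"))
    length = HEADER_LEN + len(body) + 18  # 18 = Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    # HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    zeroed = header + body + _encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + body + _encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a 16-byte Message-Authenticator is present and matches."""
    for atype, pos, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # policy choice here: a request without the attribute is refused


def user_name_of(packet: bytes) -> str:
    for atype, _, value in parse_attributes(packet):
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", errors="replace")
    raise ValueError("no User-Name attribute")


def route_for(user_name: str, local_realms, partner_realms):
    """Realm routing: ("local", None), ("proxy", target) or ("reject", None)."""
    realm = user_name.rsplit("@", 1)[1].lower() if "@" in user_name else None
    if realm is None or realm in local_realms:
        return ("local", None)  # assumption: bare usernames are handled locally
    if realm in partner_realms:
        return ("proxy", partner_realms[realm])
    return ("reject", None)  # unknown realm: never forward blindly


def dispatch(packet: bytes, secret: bytes, local_realms, partner_realms):
    """Integrity check first, then routing; a bad Message-Authenticator is a reject."""
    if not verify_message_authenticator(packet, secret):
        return ("reject", None)
    return route_for(user_name_of(packet), local_realms, partner_realms)


if __name__ == "__main__":
    # Constructed values, not anything from a real deployment.
    SECRET = b"constructed-shared-secret"
    LOCAL = {"corp.example"}
    PARTNER = {"partner.example": "radius.partner.example:1812"}
    pkt = build_access_request(SECRET, 7, bytes(range(16)), "alice@partner.example")
    print(dispatch(pkt, SECRET, LOCAL, PARTNER))
```

The order in `dispatch` is the point: the realm is read from User-Name only after the Message-Authenticator has been checked, so a forged or altered packet never reaches the proxy decision, and an unknown realm is rejected rather than forwarded to a default target.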