ClearPass Tiny Bite 7 – Clearpass Guest Social Login With Azure AD (Part 1)

To be frank, this will not be a tiny bite but a more detailed walk-through of what happens under the hood when a guest authenticates using ClearPass Guest with a Social Login provider. In this particular case, I will cover what happens under the hood with Microsoft Azure AD using OAuth 2.0. The same logic applies to other cloud providers. In a future post, I will cover how to configure this workflow. For now, let's focus on how it works in detail.

The Catalyst Behind this Post

Islam Zidan, one of the Aruba Experts in our partner community here in UAE, called me to discuss an interesting requirement from one of our customers. The customer wants his employees to access the Guest Network using their Azure Active Directory account instead of using the self-registration workflow. We were both sure it could be done using OAuth or SAML, but we didn't want to waste time trying it at the customer site, especially since access to the site is restricted these days. So, we decided to work jointly on testing the setup offline using both SAML and OAuth. While testing this, we thought that other engineers might find it useful, especially since it is not very well documented, so we decided to write this post series explaining what happens under the hood!

The Authentication Workflow!

The diagram below shows the authentication workflow and the interactions between the various components. "Azure AD" in the diagram is used as a simplification to cover multiple Azure services, including Login, graph.windows.net, etc.

Step by Step View!

Steps 1/2: The user connects to the guest network and is redirected to the ClearPass Guest Portal page. The user is placed in the guest-logon role, which allows DHCP, DNS, HTTPS access to ClearPass, HTTPS access to the Social Provider login FQDNs, and captive portal redirection to ClearPass.

Step 3: The user presses the login button, which kicks off the OAuth workflow.

Steps 4/5: The browser is redirected to the login page of the cloud provider (Microsoft in this case).

Step 6: The user fills in the account details and the password and then signs in. The POST request carries the client_id and the redirection URL (callback), and the browser expects a code as the response_type.

Step 7: Azure returns an authorization code to the browser, with a redirect back to the ClearPass guest page (the callback submitted in Step 6).

Step 8: The browser is redirected back to the ClearPass Guest page and posts back the code it obtained from Azure.

Steps 9/10: ClearPass uses the code, along with its client_id and secret, to access the Azure Graph APIs. As per my understanding of the OAuth code workflow, ClearPass should exchange the code for an access token, but I couldn't find any logs on ClearPass for this step. The logs that are available show ClearPass calling Azure APIs to collect information about the user and their group memberships.
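The OAuth 2.0 authorization-code leg of Steps 4 to 10, modelled in Python as an added example (this is not ClearPass code; the tenant, client values and callback URL are placeholders, and the Azure AD v1 endpoint layout and the `state` check are assumptions, since the post does not show them):

```python
"""Model of the OAuth 2.0 authorization-code leg (Steps 4 to 10) between the
guest browser, Azure AD and ClearPass. Added example, not ClearPass code."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed Azure AD (v1) endpoint layout; tenant and client values are placeholders.
TENANT = "contoso.onmicrosoft.com"
AUTHORIZE = f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize"
TOKEN = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
RESOURCE = "https://graph.windows.net"  # the Graph API named in the post

def new_state() -> str:
    """Per-login random value tied to the browser session (assumed, not shown
    in the post): lets the callback handler reject codes it never asked for."""
    return secrets.token_urlsafe(16)

def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Steps 4-6: the redirect that sends the guest to Microsoft, carrying the
    client_id, the callback URL and response_type=code."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "resource": RESOURCE, "state": state}
    return f"{AUTHORIZE}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str, redirect_uri: str) -> str:
    """Steps 7/8: Azure redirects the browser to ?code=...&state=... on the
    ClearPass guest page. Only the code comes back here; it is never a token."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != redirect_uri:
        raise ValueError("callback arrived at an unexpected URL")
    query = parse_qs(parts.query)
    if "error" in query:  # user cancelled or Azure refused the sign-in
        raise PermissionError(query.get("error_description", query["error"])[0])
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: callback not bound to this session")
    return query["code"][0]

def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str):
    """Step 9: the server-to-server POST that trades the code for an access
    token. The client secret is only ever sent from ClearPass, never via the
    browser, which is why the browser-visible code alone is not enough."""
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri, "resource": RESOURCE}
    return TOKEN, body
```

The token request is returned as (endpoint, form body) rather than sent, so the flow can be traced offline; in a live deployment it is the one step that carries the client secret, which is why it must never be issued from the browser.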

Step 11: ClearPass creates an endpoint entry and populates it with the fields it acquired from the Social Login provider. The interesting field is social_password, which is later sent back to the controller to complete the RADIUS authentication.

Step 12: ClearPass instructs the browser to post back to the controller so the controller can perform a RADIUS authentication against ClearPass. The social_password is sent here.

Steps 13/14: The browser posts back to the controller, and the controller sends a RADIUS request to ClearPass including the social_password.

Steps 15/16: ClearPass validates the provided details against the Social Login repository and returns a RADIUS Accept. The controller changes the user's role, and the user now has guest access.

This completes the workflow steps in detail. Feel free to share your comments and feedback below. The next post explains the configuration in depth.

If you are interested in checking out other ClearPass Tiny Bites, click here.

12 comments

  1. Great post, Ayman. Even though I am not based in UAE, I am sure the chocolate is KitKat 😅
    I had a question related to security of the AD passwords on the open network.
    We had some challenges with setting open network with CP Auth tied to AD credentials as some of the folks were against the idea.
    This was due to the fact that someone can use wi-fi pineapple etc to spin up a similar CP page and lure clients to pass on their credentials.

    1. Hi Nitesh,

      Thank you for the comment!

      Usually, when you use an open Wi-Fi network, traffic will not be encrypted over Wi-Fi and you need to use higher-level protocols to encrypt the traffic. So it is best practice to use a trusted certificate for the captive portal pages to prevent anyone from sniffing the traffic.

      However, the concern that you raised is valid and it will not be solved even with https on the captive portal page / login pages. Having an evil-twin AP with a similar captive portal look and feel will most likely fool most clients who will submit their credentials to the fake AP/portal.

      The recommended ways to resolve this, or at least reduce its risk:
      1- Use WIPS/WIDS to detect/prevent rogue evil-twin APs
      2- Educate clients to check for https for the specific domain names while authenticating
      3- Use WPA3 (Traffic on the open Wi-Fi network will be encrypted)
      4- Use MFA for authentication so even if the AD password was compromised, you will not be able to access resources.

      Ayman

  2. Hi, I followed your steps and finished, but with no success. I want to ask how to jump to the URL with Azure and log in. Can you give a more detailed step? Thanks

      1. Hi Bro,
        I found an easier way of integrating Azure AD: ClearPass integrates with Azure via LDAPS
        and uses only captive portal authentication. This way can work.

      2. Hi,

        Thank you for your message and for sharing this useful feedback. My goal in this post is to explain how ClearPass Social Login works under the hood, and Azure is just used as an example.

  3. Hi Ayman,

    Thanks for sharing your knowledge. Steps 1 through 11 were great! I'm getting the same result as you.
    But now I'm at step 12 and can't go any further. The client has no idea what the next URL to redirect to is (the client still gets the guest-logon role if I show user-table on the controller).

    What is the next URL that the customer will click on? I'm not getting it from your steps 12-16. Could you please share it with me?

    1. Hi Suphat,

      Are you using an Aruba controller or Instant AP to integrate with ClearPass? If yes, then you will need to have a certificate installed on the controller or Instant APs. You will need to go to your ClearPass guest page and, under the login section, put the IP address for postback to point to that certificate's common name.

      Check page 16 from this guide https://whyfiplusplus.com/wp-content/uploads/2020/11/Aruba-Wireless-Guest-Access-Troubleshooting-1.pdf

  4. Hello, Ayman.
    Thank you for sharing the troubleshooting documents.
    To receive the postback from ClearPass, we use an Aruba Controller. The wildcard certificates used by ClearPass and the controller are the same. However, only ClearPass has a common name (FQDN added from the DNS server mapping A record; for the controller, the common name will be deployed soon).
    I simply tried inserting the controller's IP address in the field "*IP Address" on page 16 of your tutorial and checked with a client after logging in from the Microsoft Azure AD login page.
    It redirects to a URL like "https://x.x.x.x/cgi-bin/login" where x.x.x.x is the field's *IP Address. I checked the client and it can go to that URL without any restrictions, just as the admin role can browse to https://x.x.x.x/cgi-bin/login, but the outcome is the same. It's a blank sheet of paper. So we're not sure if deploying the controller's common name and changing the field "*IP address" to the controller's common name on page 16 will fix our problem. Do you have any idea about this?

    1. Hi,

      You should never use an IP address with HTTPS as it will not work (users will get a certificate warning).

      You only need an A record for ClearPass. The controller doesn't require an A record. The controller will do DNS interception based on your certificate. If you are using a wildcard certificate, then you need to set up the postback URL to captiveportal-login.yourdomainname.com.

      This doesn't have to be in DNS, as the controller will do this interception. You only need to set an A record for ClearPass, for example guestlogin.yourdomain.com.

      Check page 14 in the troubleshooting guide.

      1. Hello, Ayman.

        Thank you for sharing your knowledge. As you stated, the controller does not require an A record. captiveportal-login.mydomain.com will also be used to intercept by default.

        However, we are now faced with a new issue. The URL that is returned to the device after a successful Azure login is "captiveportal-login.mydomain.com/cgi-bin/login?errmsg=Access%20denied" with a blank white page. And devices still get guest-logon roles.

        Could you please tell me how to keep the Azure return to CPPM postback in services or controllers?