Hello again, I am Ahmed [inaudible]. In this part we will discuss contractor devices. We will discuss different ways to onboard these devices. We will discuss the scenario in more detail and the configuration steps. Let's first analyze the requirements and discuss the different options we have. So these devices are unmanaged devices and they should authenticate using a certificate, which means we need to have Aruba Onboard. Aruba Onboard is mainly for unmanaged devices. It can be used to issue certificates for these devices, and it doesn't need to have any permanent software on these devices. This is our first decision. We will go for Aruba Onboard. The second option is whether we will go for secure or guest SSID. Aruba Onboard can be integrated with the secure SSID, which means contractors need to connect to the secure SSID and authenticate using PEAP, then onboard their devices, or the other option is to use the guest SSID. In the guest SSID, we need to modify the portal a little bit to add one link for contractors to onboard their devices. For this course, I will use the guest SSID. In your production environment, you may consider secure because it is more secure actually, the traffic will be encrypted all the way, but in my case, I will use guest because it is simple and my guest portal is HTTPS anyway, so this is enough security for me in my lab. Now for onboarding, we have two options. We can use SAML or we can use OAuth 2.0. In my case, I will use SAML to onboard devices. The details for OAuth 2.0 configuration are provided in the Aruba documentation. But for me in this course, I will follow SAML. For the account verification, I will use LDAP. Google Workspace provides a Secure LDAP connector. I will use this connector in my lab. I have the required subscription and the required license. This option provides me with all that I need. Now, let's discuss the scenario in more detail and the workflow for this connectivity.
Now, first of all, the contractor will connect to the guest SSID and will get this portal. Then the contractor clicks on the onboard link in the guest captive portal. We need to modify the captive portal to provide this link; I will show you exactly how to do this in our lab. After that, CPPM will pre-auth the user account against Google Cloud Identity using SAML. We will configure SAML and we will show you exactly how this will happen. Once the account is authenticated, CPPM will authorize the device and SAML attributes. There are two services in this case: we have one service for pre-auth, which is needed for SAML, and another service for authorization. After that, CPPM will create and install the certificate and configure the secure SSID on contractor devices. There is a software agent used in this case, which is QuickConnect for Windows devices. Once this is completed, contractor devices will be ready to connect to the secure SSID using EAP-TLS. The contractor will disconnect from guest and will connect to the secure SSID using EAP-TLS. ClearPass will verify the certificate against local Onboard certificates and, at the same time, ClearPass will read the CN, the common name in the certificate, and will verify the user account against Google Secure LDAP. If all is good, the account and certificate are all good and valid, the contractor will get the contractor role. Steps 1-5 will be done only one time to onboard the devices. They will not be repeated every time the user connects. Only steps 6-9 will be done every time the user connects. Now, after understanding the workflow and the details of this scenario, let's discuss the configuration steps. For the configuration steps, we will follow this document coming from Aruba, Onboard and the Cloud Identity Providers. The version I have right now is this version. Before you do this configuration, please make sure to have the latest version from Aruba. The document has different sections for Microsoft and for Google. For us, our focus will be on Google.
We will configure SAML first to onboard devices, then we will configure Secure LDAP to authenticate or authorize accounts. The configuration steps at a high level can be summarized as the following. First of all, in Google Workspace, we need to create a SAML application. Then we need to create ClearPass identity. We need to configure the SSO parameters that we collected from the SAML application. We need to modify the ClearPass Onboard configuration to enable SSO, single sign-on. Then we need to modify services, the captive portal, and update the pre-auth role. The pre-auth role in Aruba instance should allow access to Google services. The exact links are provided by the Aruba documentation, and I will show you what I did in my lab. With these steps, onboarding will be ready and the device will have the certificate needed to connect. Now, after connecting by EAP-TLS, we need to analyze that account to make sure that the account is still valid in Google Identity. For Secure LDAP connectivity, we need to configure Google Workspace to enable Secure LDAP, and from the ClearPass side, in the Guest module, we need to add and configure an extension. We will see this in more detail during our lab. After adding and configuring the extension, we need to configure ClearPass Policy Manager to add an LDAP authentication source. This LDAP authentication source will be used to verify user accounts or contractor accounts against Google Cloud Identity. In this video, we discussed the first scenario, we analyzed the requirements, we made different design decisions, and we discussed the configuration steps. In the next video, we will start configuring Google and ClearPass to achieve these requirements. Thank you for joining and see you in the next video.