Hello again. In the previous video we discussed the configuration steps at a high level. In this video, I will go over these steps in more detail. Then we will do these steps together in the lab.

Let's go over the steps in more detail first. In the first step, in Google Workspace, we will create a SAML app. In Google Workspace, we go to Apps, then Web and Mobile Apps, Add App, and then Add Custom SAML App. After creating the app, we need to collect the single sign-on URL and the certificate. This single sign-on URL and certificate will be needed in the next step to configure single sign-on from the ClearPass side.

After completing this step, we will go to ClearPass Identity. We will configure single sign-on from ClearPass Configuration, Identity, Single Sign-On. There we need to configure the single sign-on URL that we collected in the previous step. We also need to configure the certificate. Before applying the certificate here, we need to trust it first: we go to the ClearPass trust list and add the certificate as a trusted certificate.

Once this is completed, we will be ready to add this to Onboard. In ClearPass Onboard, we need to enable single sign-on on the current Onboard setup we have. I already have Onboard configured, so I only need to add SSO. I will go to this option, Use Single Sign-On, and enable it. This configuration will use the single sign-on we configured in the previous step.

With these three steps, contractors will be able to onboard their devices and they will have the certificate installed. They will be ready to connect by EAP-TLS to the secure SSID.

Now, for contractor account authorization against Google Cloud Identity, we need to enable secure LDAP. To enable secure LDAP, we go to Overview, LDAP, and we enable LDAP from there. Then, in the LDAP configuration, we need to generate a certificate and collect it. We need both the certificate and the private key. They will be needed for the ClearPass extension in the next step.
We also need a username and password. This username and password will be needed for the authentication source. When we configure the LDAP authentication source, we will use this username and password to integrate with Google.

After configuring the secure LDAP connector, we will be ready to enable the same from the ClearPass side. From the ClearPass side, we need to configure an extension. Secure LDAP with Google is provided as an extension in Aruba, and the extension name is Google Secure LDAP Connector. We need to install the extension and then configure it with the IP address that ClearPass uses to communicate with this extension. We also need to add a certificate. The certificate and private key should be uploaded beforehand in Content Manager, then selected here.

After configuring the extension, we will be ready to configure Policy Manager to add the LDAP authentication source. We go to Configuration, Sources, Add Authentication Source, and from here we add an LDAP authentication source. We configure the IP address we collected from the extension. We configure the username and password we collected from the secure LDAP connector in Google Workspace. We configure the filters from the Aruba documentation; this filter is provided in the Aruba document and can be taken from there. After this, we still need to update the services and enforcement policies as per our requirements. We will do this together in our lab.

Now, let's do the hands-on configuration. This is my Google Admin console. From here we go to Apps, then Web and Mobile Apps, Add App, Custom SAML Application. I'll give it a name. You can add a description and icon; I will leave them at the defaults. Continue. I'll copy this single sign-on URL and the entity ID. I'll download the certificate and leave it in the Downloads folder. Continue. Now, for the ACS URL and Entity ID, I'll take them from the Aruba document. In the Aruba document, we can find the ACS URL and Entity ID.
We need to replace the ClearPass FQDN with the value in our lab. We will do this now together. Let's take the first value to my notepad, and then the other value. Now to my ClearPass to see what the FQDN is. This is my ClearPass Administration, Server Configuration, and this is the FQDN. I will replace this value here and here. The first one is the ACS URL, the second one is the SP, or Entity ID. I will take them and add them here. Check Signed Response; the rest is optional. I'll just continue. I will not customize the attributes. Finish.

Now let's do the ClearPass configuration. We go to Identity, Single Sign-On, and we configure the provider ID, which is the Single Sign-On URL. We make sure Onboarding is enabled. For the certificate, we need to trust the certificate first. Update. Go to Administration, Certificates, Trust List, and choose the file that I downloaded. Usage: SAML. Add Certificate. It is enabled. It is California, Google Work, Google. Back to Configuration, Single Sign-On. This is the one. This is what we need to do here. Update. Yes.

Now for Onboard, I have my configuration done already. We go to Provisioning Settings. I have one ready for SAML already. Single Sign-On is enabled in this one, and it is configured as required. Now our SAML configuration is ready.

Let's modify the configuration in the Captive Portal to add this link. The link in my SAML is this link. I'll go to my Captive Portal, Configuration, Pages, Self-Registration; this is the page I will use for it. I will add that link in the form. I have one link added already. I need to modify it to match what we have. This is the link. Save Changes.

One more thing I need to do is in Instant. I need to go to Configuration. I need to create a new role and add Google access as part of this role. I will call it Google-Preus. The configuration of this role is provided here in the document. You need to go to this link to find these domains to be enabled. I will enable them one by one.
Then I will go to my Guest SSID and modify the pre-auth role to be Google-Preus. Now for the accounts in my Google Cloud Identity: if we go to Users, I have these users. For the contractor account, the name is Contractor 1, and this user is part of the contractors group.

Now let's connect to the contractor device and see the setup. I will connect to Guest. It will ask me to onboard. I will onboard from here. I will type the contractor username and password, Contractor1@mycloudcourse.com. Next, the password. Next. Accept. App is not enabled for that user.

Let's go back to our app in the Admin Console. This is our app. It is off for everyone. We didn't assign it to any group. I will enable it only for one group, which is the contractors group: On, Save. Back to our app. It is on for one group, which is contractors. Only contractors can onboard their devices, which is what we need.

Back to our contractor device, and let's test again. I'll start the process again. I will just disconnect and connect to the SSID, then onboard. As you can see, the user has authenticated. Let's go back to ClearPass: Monitoring, Access Tracker. So this is good. The user can authenticate.

Before onboarding the contractor device and connecting to the secure SSID, let's go back to our slides and see where we stand. We did this step. We did the SAML app, and we customized it also. We configured Google Workspace for SAML. We configured ClearPass Identity. We configured Onboard, and now we need to enable LDAP. Secure LDAP is needed for authorization, so before we onboard the device and before we connect to the secure SSID, we need to enable secure LDAP and make sure that authorization works as expected.

Let us start with step number 4. We need to go back to Google Workspace and enable LDAP. We are in the Google Admin console again: Apps, Overview, and then LDAP. This is to enable and configure secure LDAP. If you don't see this one, it means your subscription or your license doesn't include LDAP.
I click on "LDAP" and "LDAP Client", give it a name, Continue. I'll select Entire domain and Entire domain. I'll leave everything at the defaults, and it will read group information. Add LDAP Client. Now download the certificate, Continue, and I need to configure the access credentials. Generate new credentials, copy the username and password. So, to my notepad: the username and the password. I have the certificate, I have the username, and I have the password. What else do I need from here? The service is off; I need to enable it. The service is on, and I'll make it on for everyone. Save. Now this configuration is done, and we need to go to ClearPass and do the same. The certificate I downloaded includes both the certificate and the private key, and I saved it in my Downloads folder.

Now to ClearPass: Install Extension, Google, search. Google Secure LDAP, Install, and it is installed. Now, before configuring this one, we need to collect some information. For the IP address, we can use any available one. For the certificate, we need to upload it first. We need to go to Content Manager, Private Files, then Create a New Directory. We will call it Google Secure LDAP, Create Directory, go to that directory and upload the files. This is the certificate, "Upload", then the private key, "Upload." Now the certificate is ready. I'll go back to Extensions, Install, Google, "Search", "Install". For the IP address, I will use Address 3 because I used two already for another extension. For the certificate, I will use the certificate: this is the certificate, the .crt, and this is the private key, the .key. Install. Now it is running. The IP address is 172.17.0.3.

I need to go now to the CPPM configuration, Authentication Sources, and integrate a new one. I'll call it Google LDAP. Type is Generic LDAP. Then, for the Primary tab, the hostname is the extension IP, which is 172.17.0.3 in my case. The port is 1636.
For the bind DN, we will use the username and password we generated in Google Cloud from the secure LDAP connector. I have them in my notepad. This is the bind DN: CN equals, and I paste what I got from the connector. For the base DN, I'll type my domain. Now for the attributes. For authentication, I use this filter. Save, and Save again.

Now we need to modify the service a little bit. For the 802.1X SSID, I used to have the local AD for authorization or for authentication, and we'll add Google LDAP as another source. Let's connect once and see how it goes. I'll go back to my client. I'll connect to Guest. Connect. Then onboard my device. I am already authenticated, so it connects directly. Run, yes, next, connect. Now the user is connected.

Let's go back to ClearPass and see what happened. This was the Onboard pre-auth. Onboard authorization. In the pre-auth we did nothing; we only accepted the request. We collected this information from the user and we allowed the user to connect. For authorization, it was wide open. We did nothing. As long as users are authenticated, the device will be onboarded. You can limit onboarding to one operating system, for example here, or maybe you can ask SAML to send some attributes and apply them here or in pre-auth. In my case, I did not do any of this. In my case, in Google Workspace, I limited the SAML application to contractors only. I did the limitation from the Google Workspace side.

Now when it comes to EAP-TLS, we collected these attributes. These attributes were collected from Google LDAP. We collected the group name and the user DN for that user, and as a result, the output was the contractor role. We can verify in Instant, Clients. This is my contractor, and it got the contractor role.

In this video, we did the configuration from Google's side and from the ClearPass side for contractor devices. We onboarded contractor devices and we connected the device to the EAP-TLS secure SSID. We verified the result and we did some tuning in ClearPass.
Thank you for joining and see you in the next video.