Now, before going into the details and before we start discussing our scenarios, I will discuss at a very high level Microsoft services and Microsoft Azure cloud services. Mainly, when we talk about integration, we always start with Azure AD. Azure AD is the main product in Microsoft Azure Cloud; it is an Active Directory in the cloud. In many ways, it is different from legacy AD. Typically, most enterprises have Active Directory Domain Services on-prem that achieves all their authentication and authorization requirements. Microsoft has something similar in the cloud, but it is not exactly the same. They have Azure AD, which I would say is the main product for Microsoft when it comes to cloud identity, and the main purpose of Azure AD is to store the accounts for users and for devices.

When it comes to Onboard integration, or ClearPass integration in general, Azure AD has the following protocols that we care about. Azure AD supports cloud authentication or web authentication using protocols like SAML, OAuth 2.0 or OpenID Connect. In this course we will discuss mainly the integration using SAML and OAuth 2.0. There is a way to integrate with Azure AD using these protocols. These protocols are mainly for web authentication or HTTP authentication. They are not compatible with EAP. For example, you cannot use these protocols to authenticate 802.1X, because the way they work is very different from network protocols like 802.1X or RADIUS. We will discuss how to integrate with Azure AD using these protocols.

Then the other product that is related to our deployment, our lab and our course is Intune. Intune was re-branded, as I discussed; now it is Endpoint Manager for Microsoft. Whether you call it Intune or Endpoint Manager, it is the same for me. In this course I will call it Intune most of the time, because this is the name used until now by most customers.
I will call it Intune, which is the same as Endpoint Manager. There are different portals: the portal for Azure AD is different from the portal for Endpoint Manager. I will have both portals and I will do the configuration from both of them. When it comes to integration with Intune, Aruba has something called the extension, which is mainly an API that is based on OAuth 2.0 authentication to integrate with Intune and to hold a sync, or replication, of the Intune database in ClearPass. We will discuss this in more detail in the second scenario, which is Part 3 of this course.

The third product or service available in Microsoft Cloud is Azure AD Domain Services (AADDS). Although this service supports LDAP and LDAPS, it is not the same as legacy Active Directory on-prem. You cannot, for example, do full EAP integration with this service; you cannot join ClearPass to Azure AD Domain Services in the cloud. It is not the same as on-prem AD, and it still has many challenges or limitations. We cannot achieve the same as legacy AD with this service. In our course we will not use this service. Our focus will be mainly on the other two services. I just mentioned it to say that there is something like this in Azure Cloud, but it is not part of our integration.

When it comes to our course, we will focus on the integration with Azure AD as cloud identity, we will talk about the integration with Intune as MDM, and we will build our scenarios based on this integration. These services are synced between them. When you have devices added to Azure AD, the devices will typically be added to Intune based on the license you have. There is a way to have them sync when it comes to new devices and users. There are many details to that; it is not always done the same way, but there is a way to integrate between them and they can sync their databases.
What you usually have in your infrastructure is on-prem AD, which is the legacy Active Directory you have on-prem. Even this legacy Active Directory can sync with your Azure AD. Typically we use what Microsoft calls Azure AD Connect; it can be Cloud Sync or Azure AD Connect. In this course I have Azure AD Connect cloud sync, which for me was easier to implement and needs less hardware. In my lab, I have my on-prem AD integrated, synced or connected to Azure AD. This connection is one way, so the accounts are created on-prem and they are synced to the cloud using this connector. Typically you would have this in your environment if needed. Again, as I mentioned before, we are not designing Azure AD here. We are talking only about the integration between Azure AD and ClearPass. This is the scope of this course and my focus will be on this integration only.

When it comes to integration with these services, we typically have these three types of integration. First, we have Onboard integration. The ClearPass Onboard product can integrate with Azure AD using SAML or OAuth. There are two different protocols that can be used for cloud identity integration. The first protocol is SAML, which means you need to create an application in Azure Cloud. This application is needed for the integration between ClearPass and Azure AD. The second method, or second protocol, that can be used is OAuth 2.0. You can use either SAML or OAuth 2.0; you don't need both of them to do this integration. Which one you should use, we will discuss in Part 2 of this course. In Part 2, before we start the scenario, I'll discuss at a high level the difference between the two when it comes to ClearPass integration, and we'll do the integration with SAML. We will do the full integration with SAML and see the result. Then we will repeat the same steps with OAuth 2.0 and see the results.
You can decide for your environment which one is better for you, or maybe both can achieve what you are looking for. We will test both of them and I'll show you exactly the difference between the two. This will be our first scenario, and it will focus on these protocols. Actually, this is in Part 2. Now we are in Part 1, the introduction. After this introduction we will have Part 2, where we will have our scenario mainly for Onboard. In Part 3, we will have another scenario that talks about Intune integration. Intune will be considered as MDM or MAM for your environment, and we'll talk about the integration between ClearPass and Intune.

This is done using something called the ClearPass extension. A ClearPass extension is a microservice or container within ClearPass that is mainly created to achieve a certain integration requirement. Instead of adding new features into the main code of ClearPass, Aruba sometimes adds these services as an extension to ClearPass. This makes these services somewhat isolated from the main ClearPass. If there are any changes to these extensions, anything to be added or removed, it can be done in the extension without affecting the main product or the main ClearPass software. Intune integration happens as an extension. Every extension will have an IP address. You can think of the extension as another server or another device implemented within ClearPass. It is not actually a separate device; it is a microservice or a container within ClearPass, but it has an IP address and its own integration with ClearPass in a way that can be considered as a separate device. To do Intune integration, we start by creating this extension, and once it is created, we customize it to integrate with Intune. The extension works as a device between ClearPass and Intune. It integrates with Intune on one side.
It integrates with ClearPass on the other side, and it does the full integration between the two by integrating with both of them. We will talk more about this in Part 3, the second scenario of our course. This extension uses OAuth 2.0, which means there should be an application, with a client ID and a secret value, that is used to authenticate the ClearPass extension to Microsoft Intune. Then we will talk a little bit about the integration and the sync between Intune and the ClearPass endpoint database. This integration with Intune is very similar to any MDM integration. Usually for MDM integration, what happens is that ClearPass replicates the MDM database in ClearPass; this replication takes place into the endpoint database, which is the main database for devices in ClearPass. We'll talk more about it in Part 3.

We will also talk about the option of real time. Sometimes you want to make sure that when you authenticate devices with Intune, this happens in real time. When we do the replication, this replication takes place at a certain time. When authenticating the device, you want to make sure that whatever values, attributes or status collected during this replication are still valid, and to verify this validity there is a way to do some real-time authorization. This real-time authorization still depends on the endpoint database. We'll talk more about it in Part 3.

After Part 3, we will have a small part. The last part is mainly about how to deploy ClearPass in Azure Cloud. ClearPass is available as a product from Azure Marketplace. What the design or the requirements are all depends on your actual requirements or business or technical objectives. For this course, I focus on how to create this node and how to build the cluster between this node and the rest of your on-prem ClearPass servers. But when it comes to the whole design, it all depends on your requirements.
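The replication and real-time check just described, as an added illustrative model (this is not the ClearPass Intune extension's code and does not show how ClearPass actually stores endpoints). The sample MDM records are constructed and shaped like Microsoft Graph managedDevice objects (property names deviceName, complianceState, wiFiMacAddress, azureADDeviceId, lastSyncDateTime are real Graph properties); the endpoint-record layout, the staleness threshold, and the realtime_lookup helper are assumptions for illustration only.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample page, shaped like a Microsoft Graph
# /deviceManagement/managedDevices response. Values are made up.
SAMPLE_INTUNE_PAGE = {
    "value": [
        {"id": "dev-1", "deviceName": "LAPTOP-01", "operatingSystem": "Windows",
         "complianceState": "compliant", "wiFiMacAddress": "A1B2C3D4E5F6",
         "azureADDeviceId": "aad-1", "lastSyncDateTime": "2021-03-01T10:00:00Z"},
        {"id": "dev-2", "deviceName": "PHONE-02", "operatingSystem": "iOS",
         "complianceState": "noncompliant", "wiFiMacAddress": "a1:b2:c3:d4:e5:f7",
         "azureADDeviceId": "aad-2", "lastSyncDateTime": "2021-03-01T09:30:00Z"},
        {"id": "dev-3", "deviceName": "NO-MAC", "operatingSystem": "Android",
         "complianceState": "unknown", "wiFiMacAddress": None,
         "azureADDeviceId": "aad-3", "lastSyncDateTime": "2021-02-28T08:00:00Z"},
    ]
}


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if missing/malformed.
    The MDM may return MACs with or without separators and a RADIUS request
    carries the MAC as Calling-Station-Id in yet another form, so both sides
    are normalized before they can be matched."""
    if not raw:
        return None
    digits = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    return digits if len(digits) == 12 else None


def replicate(page, replicated_at):
    """Model of the periodic replication: map MDM records into an
    endpoint-database-like dict keyed by MAC (assumed layout). Records with
    no usable MAC can never be matched to a network authentication, so they
    are skipped and counted instead of being stored under a bogus key."""
    endpoints, skipped = {}, 0
    for dev in page.get("value", []):
        mac = normalize_mac(dev.get("wiFiMacAddress"))
        if mac is None:
            skipped += 1
            continue
        endpoints[mac] = {
            "mdm_id": dev["id"],
            "device_name": dev.get("deviceName"),
            "os": dev.get("operatingSystem"),
            "compliance": dev.get("complianceState", "unknown"),
            "aad_device_id": dev.get("azureADDeviceId"),
            "replicated_at": replicated_at,
        }
    return endpoints, skipped


def authorize(endpoints, calling_station_id, now, max_age, realtime_lookup):
    """Authorization decision for one request.

    The replicated record is trusted only while it is younger than max_age.
    Past that, realtime_lookup(mdm_id) (assumed helper) is asked for the
    current MDM record and returns a managedDevice-like dict, or None when
    the lookup fails. The decision fails closed: an unknown endpoint, or a
    stale record that cannot be refreshed, is rejected.
    Returns (decision, reason)."""
    rec = endpoints.get(normalize_mac(calling_station_id))
    if rec is None:
        return "reject", "unknown-endpoint"
    if now - rec["replicated_at"] > max_age:
        fresh = realtime_lookup(rec["mdm_id"])
        if fresh is None:
            return "reject", "stale-record-and-realtime-lookup-failed"
        rec["compliance"] = fresh.get("complianceState", "unknown")
        rec["replicated_at"] = now
    if rec["compliance"] == "compliant":
        return "allow", "compliant"
    return "reject", rec["compliance"]


if __name__ == "__main__":
    synced = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)
    db, skipped = replicate(SAMPLE_INTUNE_PAGE, synced)
    print(f"replicated {len(db)} endpoints, skipped {skipped} without MAC")
    # Two hours later the record is stale; the real-time answer wins.
    print(authorize(db, "A1-B2-C3-D4-E5-F6", synced + timedelta(hours=2),
                    timedelta(hours=1),
                    lambda _id: {"complianceState": "noncompliant"}))
```

The point of the staleness branch is the one made in the lecture: attributes copied at replication time are only as current as the last sync, so anything the policy relies on (here compliance state) is re-checked against the MDM before an old record is allowed to grant access, and a failed re-check is treated as a denial rather than falling back on the stale value.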
When you deploy ClearPass in the cloud, you need to consider latency, availability and other factors, the same way you consider them for on-prem ClearPass. Usually we have ClearPass near Active Directory. We prefer to have ClearPass in the same data center or the same segment as Active Directory to make sure that communication between them happens at low latency. When you have ClearPass in the cloud, you may need to make sure that you also have an Active Directory in the cloud. Some customers do have ClearPass and legacy AD in the cloud; this legacy AD is part of their on-prem AD and integrated with it somehow. You always need to keep in mind that latency is an important factor in authentication, as well as availability and other factors. For this course, my focus will be mainly on creating this node and building the cluster between this on-cloud node and the on-prem node. We have a ClearPass on-prem which is available right now in my lab. We will build ClearPass in the cloud, we will build the cluster between them, and this will be the objective of this part. This part will not take long, and we will discuss the concepts during that part.

These are the parts we will have in our course. Part 1 is the introduction that I'm doing right now. Part 2 is mainly about Onboard and the integration with Onboard. Part 3 will be about integration with Intune. Part 4 is about having ClearPass in the cloud.

Let's discuss the same concepts again in visual format. From a visual perspective, usually we have our users on-prem, whether wireless or wired. They are connected to switches and to controllers. We have ClearPass, usually on-prem. This on-prem ClearPass is integrated with on-prem AD. Typically you will have EAP-PEAP here, or sometimes EAP-TLS. It all depends on what you have right now. Let's assume you have EAP-PEAP in your environment and this integration happens with on-prem AD.
This is very typical, and most customers have this up and running already. When it comes to Azure integration, usually you start by having sync, which is something beyond the scope of this course. You usually need to have some sync between your on-prem AD and Azure AD as a starting point. When it comes to ClearPass integration in this course, I assume that you have the same accounts here and there, synced between the two. The sync is usually one way, typically using Cloud Sync or AD Connect. In the first scenario of this course, which is Part 2, we will discuss this integration. We will onboard some devices, and during this onboarding process the authentication will happen against Azure AD in the cloud using SAML or OAuth 2.0. Then in Part 3, we will integrate our ClearPass with Intune. This happens through the ClearPass extension, and it uses OAuth 2.0 as the authentication protocol. Through this integration, the database of Intune will be replicated to ClearPass and you will see this in action. We will see the attributes and how to use them to build our policies based on these attributes. This is, in brief, a high-level discussion about Microsoft Azure and the services we have in this cloud.

Now, if you want to know more, and before we start this course, I would really suggest that, first of all, you read the ClearPass documentation. Aruba already has documentation about ClearPass integration with the cloud. They discuss the protocols and the features for this cloud integration, or for this Azure AD integration. In this course, I will use these documents as the base for our discussion. Sometimes the menus are different from what you have in these documents. When you see the videos and the way I implemented it, you will find exactly where to find these options and in what menus to get this integration done. I will discuss the scenario
as a scenario, so it will not be only about the feature itself; it will be about the scenario, a use case that you can implement in your environment. I will take this feature and combine it with other knowledge about Azure and ClearPass to build a full scenario. This is the document in the first link; it is a PDF document about ClearPass Onboard and Cloud Identity Providers. The document was created in 2017 and updated in 2018. This is the version available right now. When you do the deployment, you need to verify the version. Make sure that you are reading the latest document available from Aruba. The link I provided in the slide points to the Aruba support portal, so it should have the latest document. But it's always good to verify by doing multiple searches to make sure that the document you are using is the latest for that subject. This is the document name, Onboard and Cloud Identity Providers, and the current version is January 2018. This document is mainly about ClearPass Onboard module integration. It starts by talking about the integration with Microsoft Azure, which we are discussing in this course. There is another part that discusses Google integration, which we've talked about in a different course. There's also a section about the integration with Okta. When it comes to ClearPass Onboard integration with Microsoft Azure, there are two protocols, SAML and OAuth. We will discuss them, and the difference between them, in more detail in Part 2; we will implement this together in the lab and test it together in the lab.

The second document where you can find more information is this one. This document is about ClearPass integration with Microsoft Intune; it is only for Microsoft Intune integration. It discusses the ClearPass extension, how to create and configure the extension for your Intune integration, and how to build the configuration from the Microsoft Intune side also.
This is the document in the second link, Microsoft Intune. This document was first created in 2016 and was last updated in March 2021, so it is very recent. Again, when you do the deployment in your environment, it is good to verify the version to make sure that you are using the latest version of this document. Microsoft is changing the integration and some options in the cloud. We need to make sure that the document you are following has the latest documentation from the Aruba and Microsoft side. One thing to consider here is the extension version. Right now the Intune extension version in ClearPass is version 5. The extension went through different versions: there were versions 1, 2, 3, 4 and 5. These changes are mainly because Microsoft made some changes, or sometimes to add some features. As I mentioned before, Microsoft has made many changes recently, and this requires Aruba to modify the extension to be compatible with these changes. This is the beauty of the extension. With an extension you can make changes to the extension without affecting the ClearPass code. When Microsoft makes any change or modification that requires Aruba to modify the integration method, features or details, Aruba can create a new version of this extension. The extension version we are using in this course is version 5, and this document is about ClearPass Intune extension version 5. Make sure that the version in the document is the same as what you have in your deployment. Also make sure that the version of the document you're using is the latest.

When it comes to Microsoft, in my lab I have a Site-to-Site VPN created between my home lab and Azure. This document can give you an idea of how to build this in your home environment. If you have a production environment, there's a good chance that you have this done already. Maybe you have something more than just a VPN; maybe you have ExpressRoute to Microsoft Azure.
Regardless of the path you have between your environment and Microsoft Azure, it is good to have some encryption or some security on this link. In my lab I have a Site-to-Site VPN between my home lab and my Azure deployment. If you have something else in production, that is not the main part of our course; the same features and the same integration can happen regardless of what connectivity you have between your environment and Microsoft.

Now, when it comes to certificates, in my lab I have PKCS with the PKCS connector in my Active Directory, so Microsoft Intune in my environment can request certificates from my Active Directory certificate server, and this happens through this connection. If you have it already in your environment, this is good. If you are building a home environment or home lab, this document or this link can help you build your own connector and integrate your on-prem AD CS with Microsoft Intune in the cloud. This is not the main part of this course; this course is mainly about integrating ClearPass with Microsoft Azure. But at a certain point in the second scenario, in Part 3, we will generate certificates for Intune devices, and we will use EAP-TLS to authenticate clients or users to wireless controllers.

When it comes to sync between on-prem AD and Azure AD, this link may help you build your lab. If you have a production environment, there's a good chance that you have this already. Maybe you have more than just cloud sync; maybe you have Azure AD Connect plus cloud sync. This link can help you decide how to go if you are building your lab. In my lab I'm using Azure AD Connect cloud sync, mainly because it is simple to deploy and needs less hardware than other options. All I care about is having a replica of my on-prem AD in the cloud AD, and this can be achieved by using Azure AD Connect cloud sync.
Before you start this course, I really suggest that you have these documents available, as we will refer to them from time to time during our scenarios. If you have your own home lab, I suggest you read these documents and make sure that you have this in your environment. Even if you have your own production environment, it is good to know what I have in my lab and to understand exactly my lab setup.