Azure

Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.

Azure

ClearPass can interact with Azure to retrieve user group details and perform policy enforcement. This source is only capable of authorization, not authentication.

The following permissions must be granted to the Azure App Short form for application. It generally refers to the application that is downloaded and used on mobile devices. for ClearPass to be able to fetch user and group information:

To configure the Azure service:

1. Navigate to Configuration > Authentication > Sources. The Authentication Sources page opens.

2. Click the Add link. The Add Authentication Sources page opens with the General tab displayed. Each configuration parameter is empty, and the authentication source type is undefined.

General Tab

When Azure is selected as the source type, the General tab displays session timeout information unique to Azure.

Figure 1 Azure > General Tab

3. Specify the following Azure> General tab parameters:

Table 1: Azure > General Tab Parameters
Parameter	Action/Description
Name	Specify a unique name of the Azure service.
Description	Provide additional information to identify and differentiate the Azure source from others with similar attributes.
Type	Select the type of source. In this context, select Azure.
Cache Timeout	Sets the time (in seconds) Azure session data remains in policy server cache before it is removed.
Timeout	Set the time an Azure request should wait for a response from the server before it can terminate.

Primary Tab

4. Use the Primary tab to define settings for the Azure primary server resource.

Figure 2 Azure > Primary Tab

5. Specify the following Azure> Primary tab parameters:

For ClearPass to access user details from Azure, a ClearPass administrator needs to create an application and register it. Once registered, obtain Tenant ID and Client ID details from the application’s Overview page. The application also requires certain permissions in order for ClearPass to integrate smoothly.

Table 2: Azure > Primary Tab Parameters

Parameter	Action/Description
Base URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet.	The Base URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. is the default OAuth Open Standard for Authorization. OAuth is a token-based authorization standard that allows websites or third-party applications to access user information, without exposing the user credentials. URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. used to fetch authentication access tokens for accessing Azure. The Base URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. is not an editable field.
Tenant ID	Enter the Azure tenant ID identifying the Azure AD instance. The ID represents a reserved Azure AD service instance an organization receives and owns when it signs up for Azure. Each Azure AD tenant is unique and separate from other Azure AD tenants.
Client ID	Enter an Azure Client ID as a unique identifier for an application created in Active Directory Microsoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed..
Client Secret	A secret string that the application uses to prove its identity when requesting a token. The client secret can also be referred to as the application password.

Attributes Tab

Select the Attributes tab to set Azure query filters and the attributes fetched by using the filters.

The current Azure release only retrieves user group details from Azure. It is the only attribute currently used for authorization. Any configurations and additional filters are not currently supported.

Figure 3 Azure > Attributes Tab

6. Select Add More Filters as needed, and set a filter query and related attributes fetched from the SQL DB store.

Figure 4 Azure Configure Filter Screen

Table 3: Azure Configure Filter Page Parameters

Parameter	Action/Description
Filter Name	Enter the name of the selected filter.
Filter Query	List the specific user details that need to be fetched. By default, the query includes an ID . The syntax for querying the user field is described below: users/?$select=mail,id,department,accountEnabled,<Other Filters> The above query fetches the mail, ID, department and accountEnabled attributes. Even though the current release supports fetching these attributes, it cannot be used within the enforcement profile.
Name	Specify the name of the attribute.
Alias Name	Specifies the alias name for the attribute. By default, this is the same as the attribute name.
Data Type	Specifies the data type for this attribute such as String, Integer, and Boolean.
Enabled As	Specify whether the value to be used directly as a role or attribute in an enforcement policy. This bypasses the step of assigning a role in Policy Manager through a role-mapping policy.