topic Re: How to Implement Microsoft Entra ID Registration with OpenID in ExtremeControl

How to Implement Microsoft Entra ID Registration with OpenID

Antonio_Opromol — Fri, 06 Sep 2024 09:26:07 GMT

Hi,

I've updated my XIQ-SE + ExtremeControl to latest version

and I'm trying How to Implement Microsoft Entra ID Registration with OpenID

I've configured Captive Portal for Entra ID registration and the test is successful

I've added the nac rule:

But on the client, when press the Button "Sign in with Microsoft" nothing happen (network login and Register as Guest works instead).

How can I debug what's the problem?

Re: How to Implement Microsoft Entra ID Registration with OpenID

Ryan_Yacobucci — Fri, 06 Sep 2024 12:52:21 GMT

Hello,

Are you allowing client traffic out to Microsoft through the walled garden on the policy on the controller or switch?

The button should redirect the client out to login.microsoftonline.com, if the client has access to this resource blocked.

Thanks
-Ryan

Re: How to Implement Microsoft Entra ID Registration with OpenID

Zdeněk_Pala — Fri, 06 Sep 2024 17:19:35 GMT

both the Access Control Engine and the client must have access to the Microsoft

Re: How to Implement Microsoft Entra ID Registration with OpenID

Antonio_Opromol — Sat, 07 Sep 2024 08:18:30 GMT

Hi Ryan and Zdenek,

I've added login.microsftonline.com to the allowed URL and domain in the network settings and allowed web of the captive portal

but when I click on the Microsoft login button the redirection to microsoft site doesn't happen.

If in the web client browser I try to go to https://login.microsoftonline.com I've a redirect page but empty:

Probally I don't put the Allowed web site in the correct format ....How debug more deep the problem?

Re: How to Implement Microsoft Entra ID Registration with OpenID

Antonio_Opromol — Sat, 07 Sep 2024 13:20:04 GMT

I want to add the result of a new test I've made: I've added in the allowed website the following domains: msauth.net and office.com and now If in the browser of the unauthenticated client type: https://login.microsoftonline.com I'm redirected to the login page of Office 365 and after the username and password I'm lgged in to office 365.

Instead if I press the button for Window auth on the NAC authentication page of the Captive Web Portal , nothing happens...

Re: How to Implement Microsoft Entra ID Registration with OpenID

Zdeněk_Pala — Sun, 08 Sep 2024 19:11:08 GMT

can you elaborate more on "nothing happens"? The button should open Microsoft web. are you waiting long enough to see 404 page? in case your policy is blocking the traffic? When you do a packet capture on the client what is happening? do you see attempt of the connection from the web browser?

As a troubleshooting step, you can permit all HTTPs traffic (HTTP will be redirected to the captive portal, but HTTPs will not be blocked). You can eliminate the problem with policy definition.

Can you also check you can reach the Microsoft pages from the access control engine?

Re: How to Implement Microsoft Entra ID Registration with OpenID

Zdeněk_Pala — Sun, 08 Sep 2024 19:16:12 GMT

The communication is between the web browser on the client and Microsoft. Setting "Allowed Sites" in the ExtremeControl is used when the traffic is proxied through the Access Control Engine. I do not expect any behavior change if you change the "Allowed Sites" list.

Re: How to Implement Microsoft Entra ID Registration with OpenID

Antonio_Opromol — Mon, 09 Sep 2024 15:03:38 GMT

Hi Zdenek,

when I press the "SIgn in with Microsoft" button, in my wireshark session on the client, I don't see DNS request for any microsoft websites, seems that there is no redirection to the login page of microsoft and I don't see client connections to microsoft website at all.

In my configuration for the redirection I use the "Proxy DNS" method because my lab router (pfsense) seems not works with PBR.

Re: How to Implement Microsoft Entra ID Registration with OpenID

Antonio_Opromol — Tue, 10 Sep 2024 08:53:34 GMT

Hi Zdenek,

I've modified the configuration in my lab in manner that now I redirect to ExtremeControl Captive portal with PBR, but the behavior is still the same. In the wireshark on the client when I click on the Log in with Microsoft button nothing happens (seems there is no code binded to the button but sure is problem in mi case because in your works).

I can debug the code\script that is under this button on the portal page?

Re: How to Implement Microsoft Entra ID Registration with OpenID

Zdeněk_Pala — Tue, 10 Sep 2024 19:17:42 GMT

Hi Antonio.

I did not test the Entra ID with PBR.

Regarding troubleshooting/debugging, I suggest opening a GTAC ticket.