HPE Aruba Networking Blogs

Combine Meridian & ClearPass to improve user experience – 1/3

By Fabien Giraud, Blog Contributor

I'm pretty sure most of you already know the Aruba Meridian solution. If you don't, please have a look here to get an idea of its power. In my experience, people who know Meridian tend to think it means "an app for location-aware features and blue dot" but that's definitely not only that. Based on this page you will learn that one of its many functions is an easy and fast way to build a mobile app for both content delivery and location services.

And what I will show you in this three-blog series (a blog trilogy!) is that you can go even further. You can customise the user experience depending on who is using your Meridian-powered app. This relies on the Meridian – ClearPass integration (you must know this name "ClearPass", just in case here is a link).

  • In the first blog you will learn how to configure ClearPass and Meridian to communicate together (main steps) for basic authentication;
  • in the second one, I'll show how to add some parameters which can be used to customise content delivery;
  • and finally in the last blog, I'll explain how to deal with this integration to deliver user-specific content.

So now let's begin our trip. First, you need to know that the integration between Meridian and ClearPass uses OAuth2. The authentication process is shown (in a really simple way) in the picture below:

Meridian-CPPM-part1-1.png

As you can imagine (after having seen this picture), the configuration steps will be as follows:

  • ClearPass configuration
  • Meridian configuration

Let's describe each of these two steps in more detail.

ClearPass configuration

  • Add a new API profile in ClearPass Guest (see below picture for the parameter values):

Meridian-CPPM-part1-2.png

  • Create a new API client which will be sent by Meridian App (Warning: the name must be "meridian" in lower case)

Meridian-CPPM-part1-3.png

  • Optional: if you plan to use the ClearPass guest database to authenticate the Meridian App users, you have to define a guest service in ClearPass and also to add a guest login / registration page.
    The advantage of doing this is that the users can use the same credentials to connect to guest wifi AND Meridian App.
    In this case, we can have the following process:

Meridian-CPPM-part1-4.png

  • Create a service to allow Meridian to authenticate in ClearPass (using OAuth2).
    Enforcement Profile (we'll customise this in the second blog with additional parameters): you can use the name you want (here I use Meridian Login2).

Meridian-CPPM-part1-5.png

And the policy: if the user who connects through Meridian App is from the guest db → he'll have the Meridian Login2 profile we just defined:

Meridian-CPPM-part1-6.png

And finally the service rule the Meridian authentication will use.

We can also fine-tune the service rule. Here (since I only plan to use one Meridian App) all the OAuth2 requests will go to this service. But we can also restrict to some client ID or type …

Meridian-CPPM-part1-7.png

In the Authentication source, we add the Guest User Repository (to be able to use guest account in the App). You can also add other sources (such as the corporate AD so that corporate users can authenticate without having to create guest accounts).

Meridian-CPPM-part1-8.png

And we specify the enforcement policy defined before:

Meridian-CPPM-part1-9.png

Meridian Configuration

To configure your Meridian App, first connect to your favorite website: https://edit.meridianapps.com/

For OAuth2 integration, the only configuration to make on the Meridian side is the "Organization → User Login" page. Here we need to specify:

  • "User Login URL" = where to try to authenticate (e.g.: https:///api/oauth),
  • "User Info URL" = where to get info (token + parameters) on the user (e.g.: https:///api/oauth/me)
  • (Optionally) "Create Account URL" = where a user can create a new account, using ClearPass Guest self-registration for example (e.g.: https:///guest/<self_reg_page.php).

Meridian-CPPM-part1-10.png

WARNING

In order to make the OAuth2 integration between Meridian and ClearPass work, the ClearPass server must:

  • Have a public IP (accessible through HTTPS)
  • Have a public DNS (in a domain you can manage, this is important to be able to generate public certificate for this entry)
  • Have a public certificate (to get one, I used https://startssl.com)

Test it!

Let's check the basic authentication is working …

We created a test@test.com user in the guest management. And we simulate the Meridian OAuth2 process using the HTTPie command line tool (or curl, or the fantastic Chrome App: Postman).

Syntax of the httpie cli I used is (in that case we can use local IP since I specified not to verify the certificate in the CLI):

http --verify=no POST https://meridian@/api/oauth grant_type=password username= password=

As you can see, the first step is to get an "access-token" …

Meridian-CPPM-part1-11.png

And we can see the authentication in the ClearPass logs:

Meridian-CPPM-part1-12.png
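
The two calls behind the "User Login URL" and "User Info URL" settings, written out as an added Python example (not code from the original post). The host name and password are hypothetical placeholders, the token response is a constructed sample using the standard OAuth2 field names, and sending the client id as HTTP Basic with an empty password is an assumption based on how httpie handles "meridian@" in the URL.

```python
import base64
import json
import urllib.request

CLIENT_ID = "meridian"  # API client name the page requires (lower case)


def token_request(host, username, password):
    """Step 1: POST /api/oauth with the password grant, as the httpie call does."""
    body = json.dumps({"grant_type": "password",
                       "username": username,
                       "password": password}).encode()
    # Assumption: httpie turns "meridian@" in the URL into HTTP Basic auth
    # with an empty password, which is how the client id reaches ClearPass.
    basic = base64.b64encode(f"{CLIENT_ID}:".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/api/oauth", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {basic}"})


def parse_token_response(raw):
    """Return the access token, or raise on an OAuth2 error body (RFC 6749)."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"]


def userinfo_request(host, access_token):
    """Step 2: GET /api/oauth/me with the bearer token (the "User Info URL")."""
    return urllib.request.Request(
        f"https://{host}/api/oauth/me",
        headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    host = "clearpass.example.com"  # hypothetical public DNS name
    req = token_request(host, "test@test.com", "constructed-password")
    print(req.get_method(), req.full_url, req.data.decode())
    # Constructed sample response; a live call would use
    # urllib.request.urlopen(req), which verifies the certificate by default.
    sample = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 28800}'
    me = userinfo_request(host, parse_token_response(sample))
    print(me.get_method(), me.full_url, me.get_header("Authorization"))
```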

Since we haven't yet added any parameters to the OAuth2 authentication, there's not much more information to get with this token. So "what else?" … add custom parameters! :)

If you arrive at the same result as above, this means that you have the foundation for Meridian authentication via ClearPass and I encourage you to read the second blog of this series around "adding custom parameters".

I hope you enjoy this first part of the trip. Stay tuned for the next 2 blogs of this Meridian-ClearPass trilogy.