Hello again. In the previous video, we discussed the student-device scenario: the requirement and the configuration steps. In this video, we'll do the configuration in Google and in ClearPass, we'll do the testing, and we'll do any tuning required. Before we move to the lab and start the configuration, let's discuss the steps in more detail. To enable the MDM integration, first of all we need to create an API credential in Google Cloud. To do that, we go to Google Cloud Platform, which is a different platform from the Google Admin console; sometimes it is called GCP. We create a project, for example "ClearPass MDM Integration". Under this project we need to enable the Admin SDK API, and then go to Credentials and create new credentials. The credentials are OAuth 2.0 Client IDs; from them we need the client ID and the client secret. You can see the steps here: create the new project, enable the Admin SDK API, create Web Application OAuth 2.0 credentials (client ID and secret), and copy that data; then we are ready for the integration. Google will also ask for another thing, the OAuth consent screen; we'll discuss it in the lab when we reach that configuration. After that we move to ClearPass. In ClearPass, we create an Endpoint Context Server. This Endpoint Context Server is what the ClearPass Endpoint Database uses to sync with Google MDM. The information needed is what we collected in the previous step, mainly the client ID and client secret, which are the OAuth 2.0 credentials we created under the API in the project from the previous step. With that, the integration is complete, but we may need to modify the timers. To modify the timers, we go to Administration, then Server Configuration, and from there to Cluster-Wide Parameters.
Under the General tab, we have the Endpoint Polling Interval and Start Time. In my lab, I'll leave them at the defaults, but you can modify them if needed. Now let's move to the lab and start our configuration. Just to give you an idea, I have these users created in my lab, and I have these devices. I have one Chromebook, managed by Google MDM, and the information about this Chromebook is here. The MAC address is this one; we can easily identify it by 03d5, the last four digits of the MAC address. This device is a school-owned device managed by the school's Google MDM. If the student connects using this device, they will get the student role; otherwise they will get the internet role. Now, to enable the API, we move to a different portal. It is not Google Admin; it is another portal, Google Cloud Platform. In this platform, we create a new project. I'll call it ClearPass Google Integration, or maybe ClearPass Google MDM Integration. "Create". I'll make it ClearPass Google MDM. Now I will go to the Admin SDK API; it is faster to search for it. I will enable it, then I will go to Credentials to create new OAuth 2.0 credentials. Now it gives me a warning that I need to configure the OAuth consent screen. This is the screen the admin receives to approve the integration. Let me start by configuring this one; I will use the default values where possible. It is Internal for me in my lab. "Create". I need to give a name for the app; I'll call it ClearPass Google MDM. The support email is the admin in my case. I will add the domain, which is my domain. The developer contact information is also the admin, in my case. "Save and Continue". I will leave everything at the default. "Save and Continue", and back to the Dashboard. You may want to customize these things more, or provide a logo and other information; for me, I'll keep it very simple.
Now back to Credentials. I'll create new credentials; they are OAuth 2.0, and it is a web application. I'll give it a name; maybe I'll call it ClearPass OAuth. I need to add the authorized redirect URI. This URI is provided in the ClearPass documentation; you can find it here. Here they provide some information about the consent screen and the redirect URI. This is the format of the authorized redirect URI; I'll take it and paste it here. For me, the FQDN is cppm1.mycloud.course.com. Create. Now I need to copy these two values. I will go to my notepad: this is the Client ID, and this is the Client Secret. I have these values saved here, and I can use them later when I configure ClearPass. Now we are all set here, so we go to ClearPass and do the configuration from there: Administration, Endpoint Context Servers, and add a new one. In the list here we find Google Admin Console; we can leave the name as it is. For the client ID and client secret, I will use the values I carried over from Google Cloud Platform, so this is the Client ID and this is the Client Secret. I will enable validation of the server certificate, save, and now I can authorize ClearPass. I'll click here, and it takes me to the consent page. I have this account saved in my browser, and I will allow. Now it gives me the message "please close this tab". I'll close it and go back here. I will enable fetching endpoints from that server and click "Update". Now, before I trigger a poll, let's go to Configuration, Endpoints, and make sure that we don't have an endpoint that was provided by Google Admin Console. Right now we have no endpoints with Google Admin Console attributes. Let's go back to the context server and trigger a poll. "Are you sure?" Yes. Now let's click here and see the result. We received information about two devices.
It is two devices because my Chromebook has a Wi-Fi MAC address and an Ethernet MAC address, and in ClearPass this is considered two devices in the endpoint database: ClearPass keys on MAC addresses, and a different MAC address is a different device. Now let's go back to ClearPass and see what happened. If we go to Configuration, Endpoints, and set the filter "Attribute Source contains Google Admin Console", we can see two devices. One of them is the wireless interface of my Chromebook, the other is the wired interface: CA-E5 is the wired Ethernet, and 03-D5 is the wireless. My focus will be on the wireless interface, because this is the interface I will use to connect to the SSID. If you look at the attributes, we can see all these attributes collected from Google. For me, I'll focus on this attribute. I want to keep it simple: as long as I have attributes from Google Admin Console, I assume this device is managed by this console. This will be the attribute I use in my policy, and then in my enforcement policy, to decide what role to assign to that user. If this attribute is there, the user will get the student role; otherwise it will be internet only. Now let's go to Services and see what we have there. Back to Services; the service used for the secure SSID is this one, and I'll modify its enforcement policy. My enforcement policy right now is simple: if the device is machine-authenticated by Active Directory, that is, joined to the domain, give it full access. If it is user-authenticated only, give it internet only. Now for students using a Chromebook owned by the school, we need to give them a privilege between full access and internet, which is the student role, and just for your info, this role is created here. If the user is part of the student group in Active Directory, then they will get the role of student.
So let me go to my enforcement policy and modify its rules. I will add a rule that says: if Tips:Role equals Student and, at the same time, Endpoint:Source equals Google Admin Console, then set the role to student. So assign the Aruba user role student, and save. This line should be above this line, so I move it up a little. The sequence now is: if the device is part of the Active Directory domain and joined the domain, it will get full access. If the device is not part of the domain but is managed by the Google Admin Console, it will get the student role. Otherwise, it will get internet only. This all seems good, so I'll save, and we can start testing: save, and save again. Now let's connect from a personal device and from the school-owned device and compare the results. First, I will connect from a personal device. I will connect from a mobile phone to the secure SSID using the student1 credentials. This is a personal device; 66-30 is the personal device. Let's see the information. This is the student1 username. This is the service, using EAP-PEAP, and it got the student role and user-authenticated. This is not a machine-authenticated domain device; it is not part of the Active Directory domain, and the enforcement profile is the Internet role. Let's see the details. This is a personal device. If we look at the authorization attributes, the user is student1, a member of the student group, and in the endpoint attributes there is nothing about being part of Google. The output was the Internet role. The RADIUS response was Internet, and if we look at the Instant AP clients, the MAC address ends with 66-30, and the role is Internet. Now let's connect using the Chromebook, which is managed by the organization, or by the school, and see the result. Now I will connect from the Chromebook, which is owned by the school. Let's refresh, and we can see this one. This one is the Chromebook that is managed by Google MDM. If you go to Google MDM, this is the MAC address, 03d5.
I modified the view here to show the MAC address, so we know exactly which device sent that request. This was sent by the Chromebook, which is owned by the school and managed by Google MDM. Let's see the results. The username is student1, same SSID and same service, EAP-PEAP. It got the same role, student, and it is user-authenticated. Let's look at the important details. This is the RADIUS request. The Chromebook is identified as Linux, not Windows, for sure. This is the username, the same group in AD, and the same attributes from Active Directory. When it comes to computed attributes, we have all these. If we look at the endpoint attributes, we can see that the inbound source is Google Admin Console. Now for the output: this device got the student role, and this was sent to the Aruba Instant AP. Let's see on the Aruba Instant AP what role that device got. We need to create the role on the Instant AP; it's not created. So I'll go to Configuration, Security, Roles, create a role called student, and save. Now let's try again. I will disconnect this device and wait for it to connect again. Now the device is connected again. Back to the output: student, student, and in Aruba Instant let's go to Clients. As you can see, this device, a Chromebook managed by Google MDM and owned by the school, got the student role. The same user connected from another device, a personal device, got the Internet role. This proves the point that when the device connects, ClearPass verifies with Google MDM. Actually, it doesn't verify with Google directly; it checks the endpoint database to see if the device is managed by Google MDM. This is based on the attributes in the endpoint database. If we can see this attribute, it means the device is managed by Google MDM. This is all we need in ClearPass to decide that this device should get the student role and not the Internet role. In this video, we did the configuration and testing needed for student devices.
We saw how we can configure the endpoint database to sync with Google MDM, and how we can use these attributes in our enforcement policy to give these devices special privileges if they are managed by the school. I hope this video and this course were informative for you. Thank you for joining, and have a good day.
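As an added example, not part of the course and not ClearPass's or Google's own code, the following Python models the two mechanisms the video relies on: the endpoint sync that turns one Chromebook into two MAC-keyed endpoint records (one per interface), and the ordered enforcement policy in which the domain-joined rule sits above the Google-managed rule and internet-only is the default. The device list is constructed by hand in the shape of an Admin SDK Directory API chromeosdevices.list response; the field names (macAddress, ethernetMacAddress, status, orgUnitPath, annotatedUser) are assumed to match that API and every value is invented. The MAC format ClearPass keys endpoints by is assumed to be 12 lowercase hex digits, and the rule that also requires the Google status to be ACTIVE is an extra check the video does not make.

```python
"""
Added example (not from the course, ClearPass or Google): an endpoint sync
from an Admin SDK-style Chrome OS device list plus an ordered enforcement
policy modelled on the one built in the video.
"""
import json
import re

# Constructed sample in the shape of a chromeosdevices.list response.
# Field names are assumed to match the Admin SDK; all values are invented.
SAMPLE_RESPONSE = json.dumps({
    "kind": "admin#directory#chromeosdevices",
    "chromeosdevices": [
        {
            "deviceId": "11111111-2222-3333-4444-555555555555",
            "serialNumber": "5CD0000ABC",
            "status": "ACTIVE",
            "macAddress": "a0b1c2d403d5",          # Wi-Fi interface (ends 03d5)
            "ethernetMacAddress": "a0b1c2d4cae5",  # wired interface (ends cae5)
            "orgUnitPath": "/Students",
            "annotatedUser": "student1@example.com",
        },
        {
            # A device that was retired in Google but could still sit in a stale sync.
            "deviceId": "66666666-7777-8888-9999-000000000000",
            "serialNumber": "5CD0000DEF",
            "status": "DEPROVISIONED",
            "macAddress": "a0b1c2d4beef",
            "orgUnitPath": "/Students",
        },
    ],
})

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical 12-digit lowercase hex form (assumed endpoint key), accepting ':' or '-' input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def sync_endpoints(response_json: str) -> dict:
    """Build an endpoint table keyed by MAC. One Chromebook with two interfaces
    yields two records, which is why the poll in the video showed two devices."""
    data = json.loads(response_json)
    endpoints = {}
    for dev in data.get("chromeosdevices", []):
        for field, iface in (("macAddress", "wifi"), ("ethernetMacAddress", "ethernet")):
            raw = dev.get(field)
            if not raw:
                continue
            endpoints[normalize_mac(raw)] = {
                "Source": "Google Admin Console",   # the attribute the policy keys on
                "Google Device ID": dev.get("deviceId"),
                "Google Serial Number": dev.get("serialNumber"),
                "Google Status": dev.get("status"),
                "Google OU": dev.get("orgUnitPath"),
                "Interface": iface,
            }
    return endpoints


def enforce(request: dict, endpoints: dict) -> str:
    """First-match enforcement, same order as the video:
    1. machine-authenticated (domain-joined)      -> full-access
    2. AD Student role AND endpoint from Google   -> student
    3. anything else                              -> internet
    request = {"mac": str, "machine_authenticated": bool, "roles": set}
    The lookup is against the local endpoint table only, never Google live."""
    ep = endpoints.get(normalize_mac(request["mac"]), {})
    if request.get("machine_authenticated"):
        return "full-access"
    if (
        "Student" in request.get("roles", set())
        and ep.get("Source") == "Google Admin Console"
        and ep.get("Google Status") == "ACTIVE"   # extra check, not in the video
    ):
        return "student"
    return "internet"


if __name__ == "__main__":
    table = sync_endpoints(SAMPLE_RESPONSE)
    for mac, rec in table.items():
        print(mac, rec["Interface"], rec["Google Status"])
    phone = {"mac": "a0-b1-c2-d4-66-30", "machine_authenticated": False, "roles": {"Student"}}
    chromebook = {"mac": "A0:B1:C2:D4:03:D5", "machine_authenticated": False, "roles": {"Student"}}
    print("personal phone  ->", enforce(phone, table))
    print("school Chromebook ->", enforce(chromebook, table))
```

Two points worth noticing when reading it. The decision is made entirely from the local endpoint table, so the Endpoint Polling Interval under Cluster-Wide Parameters bounds how long a device that was deprovisioned in Google keeps getting the student role; the ACTIVE check above only helps once the next poll has brought the new status in. And the key is the MAC address of whichever interface connects, which is why the video concentrates on the wireless record rather than the wired one.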