topic Re: Capsule VPN w/ certificate authentication and authorization from AAD in SASE and Remote Access

Capsule VPN w/ certificate authentication and authorization from AAD

rooKing — Fri, 12 Jan 2024 10:35:26 GMT

Hi CheckMates!

I'm working on a PoC for our customer and this is what I'm trying to achieve:

Intune deployment of Capsule VPN for Android using personal certificate for authentication and Azure AD (Entra ID) for authorization. Azure certificate connector takes care of requesting certificate and Intune deploys it to Android device. I followed sk170320. The VPN client deployment with site info, authentication method and pushing the actual certificate is currently working. Also the certificate authentication itself is working by using generic* profile with 'Public Key' option selected as authentication scheme.

What I need to get working is authorization with Azure AD. I don't know how to get the user to match a group in AAD (pdp monitor does not show a role for the Android device). I also have a TAC case open where I have explained the case and asked if this is even possible. I haven't gotten a no-no response, so I assume it is possible. I have created Azure AD object and I call pull the groups from the AAD.

I have also tried to follow many different documents about getting the roles from the AAD but all of those refer to SAML. We are not using SAML in this case. Followed this and this.

Background why not using SAML.

Devices used here are Android phones. These phones are not personal i.e. they are shared devices and they have multiple users.

One device is for on-call plumber no.1 and when his/her shift ends phone is passed to plumber no. 2. Second device is for nursery and different people there use the common phone for accessing company resources via VPN.

Group info (role) is needed in order to create access roles for the different lines of work because they access different company resources. E.g. group_plumber_android for plumbers and group_nursery_android from nurseries.

Versions:
Capsule VPN for Android 1.601.25
Gateway in which the client is terminated to, R81.10 JHF take 129
Android OS 13

I would really appreciate if someone could help me with this.

Re: Capsule VPN w/ certificate authentication and authorization from AAD

G_W_Albrecht — Fri, 12 Jan 2024 11:15:55 GMT

I would suggest to involve CP TAC in a SR# - POC or not should not be an issue...

Re: Capsule VPN w/ certificate authentication and authorization from AAD

rooKing — Fri, 12 Jan 2024 12:33:42 GMT

Thanks for a swift reply.

As mentioned I have a TAC case open - and it has been open for almost 2 months now. In that SR case we first tried to resolve certificate authentication problem and after that remote access user group problem - thanks to some tidbits of information given to me in this SR I managed eventually tackle those problems myself. Now I have asked TAC to walk me through how to configure the authorization part towards AAD.

I created this post to CheckMates in parallel. I was hoping that someone has been fighting the same problem and might get a solution faster.

Re: Capsule VPN w/ certificate authentication and authorization from AAD

PhoneBoy — Fri, 12 Jan 2024 20:47:49 GMT

You claim you're not using SAML, yet you provide links to a SAML-related configuration.
The only other place to gather groups from is LDAP...is this what you're doing?

Re: Capsule VPN w/ certificate authentication and authorization from AAD

rooKing — Mon, 15 Jan 2024 13:29:48 GMT

Yes, documents are related to SAML. I was trying to be creative and pickup stuff from those that would be relevant for fetching groups from AAD.

Nevertheless I finally got an answer from TAC last Friday and what I'm trying to do is not possible. So I need to get back to drawing board. Many many hours down the drain. ☹️

Thank you for everyone for showing interest on this case.

Re: Capsule VPN w/ certificate authentication and authorization from AAD

rooKing — Tue, 16 Jan 2024 11:55:31 GMT

One more try. Could someone lead me to a new path how to achieve the goal?

And the goal is:

- Deploy Capsule VPN to Android devices via Intune. (This I know now how to do. 😀)
- Authenticate the Android device itself because they are used by group of people instead of just a dedicated user.
- Group the devices so that the groups can be used for authorization so that a specific group can be used to give access to specific applications