How to Implement Microsoft Entra ID Registration with OpenID


This Help topic describes the steps for implementing an Authenticated Registration using OpenID Connect (on OAuth 2.0) with Microsoft Entra ID (formerly Azure AD). For additional information, watch this video - Entra ID with OpenID.

A common use case for this configuration is to apply different network authorizations to different users based on the security group membership in the Entra ID.

Requirements

These are the configuration requirements for Entra ID Registration.

  • The Access Control engine must have Internet access in order to retrieve user information from Microsoft.
  • The ExtremeControl Unregistered access policy must allow unregistered end-systems to reach the Microsoft sign-in site (either allow all SSL/TLS traffic or, preferably, make an explicit allowance for the Microsoft servers only).
  • Create a unique Microsoft Entra ID application on the Microsoft Entra ID page (see instructions below).
  • The Portal Configuration must have Microsoft Registration enabled and include the Microsoft registered Application ID and Application Secret (see instructions below).
  NOTE: You must copy and paste some text values between applications during the registration and configuration. Ensure you copy and save the required values when instructed, as some are unique secret values that cannot be viewed or retrieved again.

Creating an Entra ID Application

When implementing an authenticated registration using Entra ID and OpenID Connect, you must first create an Entra ID application. This generates the Application ID and Application Secret that the ExtremeCloud IQ Site Engine Portal Configuration requires. Use the following steps to create and register an Entra ID application.

  1. Access the Microsoft Entra ID page with your Admin credentials at https://portal.azure.com or https://entra.microsoft.com.
  2. Select Manage Microsoft Entra ID > View.
  3. Select App registrations > New registration.

  4. Enter the following information into the required fields:
    • Name - Enter a name for the Entra ID registered application
    • Supported account types - Select Accounts in this organization directory only - (Single tenant)
    • Redirect URI (Optional) - Select a platform: Web, and enter the URI: the FQDN of the Captive Portal followed by /msopenid_oauth, using HTTP or HTTPS (for example https://<captive-portal-FQDN>/msopenid_oauth). This must be exactly the URI the Captive Portal redirects to; Entra ID rejects the sign-in if the two differ.
      •  NOTE: The best practice is to use the HTTPS protocol and install a trusted certificate as the Captive Portal Server Certificate on the Access Control Engine.

  5. Select Register.

  6. Select Add a certificate or secret, OR you can navigate to Certificates & secrets in the left menu.
  7. Select New client secret.
  8. Enter the following information into the required fields:
    • Description - your description of the new credentials
    • Expires - define how long the client secret is valid. When the client secret expires, users can no longer authenticate through the portal.
      •  NOTE: The expiration of an existing client secret cannot be modified in Entra ID. The best practice is to create a new client secret before the existing one expires, update the value in the ExtremeControl settings, and only then delete the old secret.

  9. Select Add.


  10. Copy the secret value to the clipboard. This is the only time the client secret is displayed. Save the secret value for your App Secret.

  11. Select API permissions > Add a permission.
  12. Select Microsoft Graph > Delegated permissions.
  13. Select the following delegated permissions:
    • In the OpenID group select:
      • email
      • openid
      • profile
  14. If you require different authorizations for different users based on security group membership, select the following additional delegated permissions:
    • In the Directory group select: Directory.Read.All
    • In the GroupMember group select: GroupMember.Read.All
    • In the User group select: User.Read.All

  15. If you performed the previous step, select Application permissions and add the following additional permissions. Application permissions are exercised with the application's own identity (the App ID and App Secret), not the signed-in user's; this is why they require the admin consent in step 17, and why the App Secret must be protected as a credential that grants tenant-wide directory read access:
    • In the Directory group select: Directory.Read.All
    • In the GroupMember group select: GroupMember.Read.All
    • In the User group select: User.Read.All

  16. Select Add permissions.
  17. Select Grant admin consent for <your company domain>, and select Yes to confirm.
  18. Select Overview.
  19. Copy the displayed Application (client) ID value. Save this value for your App ID.
  20. Select Endpoints.
  21. Copy the displayed OAuth 2.0 token endpoint (v2) value. Save this value for your Token Endpoint.
  22. Copy the OpenID Connect metadata document value. Save this value for your Discovery URI.

Portal Configuration

You must provide the values you saved during the creation and registration of the Entra ID application in the Portal Configuration.

Use the following steps to configure an Authenticated Registration using OpenID in the Captive Portal:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control tab.
  2. In the left-panel tree, navigate to Configuration > Captive Portals > "select the portal to use" > Website Configuration.
  3. Select Authentication Settings.
  4. Select Authenticated Registration, and select Save.
  5. In the left-panel tree, navigate to Website Configuration > Authenticated Registration.
  6. Select the OpenID Registration checkbox.
  7. Select Edit.
  8. Enter the following information into the required fields:
    • Discovery URI - enter the value copied as "OpenID Connect metadata document"
    • App ID - enter the value copied as "Application (client) ID"
    • App Secret - enter the value copied as "Client Secret" (the secret value, not the Secret ID)
    • Token Endpoint - enter the value copied as "OAuth 2.0 token endpoint (v2)"
    • Scope - enter "openid email profile"
    • Image - optional picture to display to the user at the captive portal
    • Button Text - text presented on the button. Different languages can be defined in Website Configuration > Look & Feel > Launch Message String Editor
    • Redirect URI - information only, not configurable. Indicates where the OpenID process redirects the user once the authentication is successful; it must match the Redirect URI registered in Entra ID.

  9. Select OK.
  10. Select Save.
  11. Enforce the new configuration to your engines.
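As an added, offline check of the values saved in the Entra ID steps and entered in the Portal Configuration above (example code, not ExtremeControl's own): it validates the Redirect URI, confirms the Token Endpoint against the metadata document, builds the two requests the engine makes in the authorization-code flow, and flags when the client secret from step 8 is due for rotation. The tenant ID, App ID, portal FQDN and the copy of the metadata document are constructed placeholders, and all helper names are hypothetical.

```python
import secrets
from datetime import date
from urllib.parse import urlencode, urlparse

# Constructed placeholders: a hypothetical tenant, app registration and captive portal.
TENANT = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://portal.example.com/msopenid_oauth"
SCOPE = "openid email profile"

# Constructed copy of what the "OpenID Connect metadata document" URL (the Discovery URI)
# returns for a single-tenant v2.0 app.
DISCOVERY_URI = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}

REQUIRED_SCOPES = {"openid", "email", "profile"}
REDIRECT_PATH = "/msopenid_oauth"


def redirect_uri_problems(uri: str) -> list[str]:
    """Reasons a Redirect URI would be rejected by Entra ID or would weaken the flow."""
    p = urlparse(uri)
    problems = []
    if p.scheme != "https":
        problems.append("use https: over http the authorization code crosses the network in clear")
    host = p.hostname or ""
    if "." not in host or host.replace(".", "").isdigit():
        problems.append("host must be the captive portal FQDN, not an IP address")
    if p.path != REDIRECT_PATH:
        problems.append(f"path must be exactly {REDIRECT_PATH}")
    if p.query or p.fragment:
        problems.append("a query string or fragment will not match the registered URI")
    return problems


def token_endpoint_matches(discovery_doc: dict, token_endpoint: str) -> bool:
    """The Token Endpoint typed into the portal must be the one the metadata document publishes."""
    return discovery_doc.get("token_endpoint") == token_endpoint


def scope_problems(scope: str) -> list[str]:
    """The Scope field must request at least openid, email and profile."""
    missing = REQUIRED_SCOPES - set(scope.split())
    return ["missing required scopes: " + " ".join(sorted(missing))] if missing else []


def build_authorize_url(discovery_doc: dict, app_id: str, redirect_uri: str, scope: str):
    """Front channel: the URL the portal button sends the browser to. state and nonce are
    fresh random values the engine must remember and compare when the browser comes back
    to /msopenid_oauth (state defeats CSRF on the callback, nonce defeats ID-token replay)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return discovery_doc["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def build_token_request(token_endpoint: str, app_id: str, app_secret: str, code: str, redirect_uri: str):
    """Back channel: the POST the engine itself makes to exchange the code for an ID token.
    This is why the engine needs Internet access, and the only place the App Secret travels."""
    form = {
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must be byte-identical to the registered value
    }
    return token_endpoint, form


def secret_rotation_due(expires: date, today: date, lead_days: int = 30) -> bool:
    """True when it is time to create a new client secret and push it to the portal config."""
    return (expires - today).days <= lead_days


if __name__ == "__main__":
    assert not redirect_uri_problems(REDIRECT_URI)
    assert token_endpoint_matches(DISCOVERY_DOC, f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token")
    assert not scope_problems(SCOPE)
    url, state, _ = build_authorize_url(DISCOVERY_DOC, APP_ID, REDIRECT_URI, SCOPE)
    print("Authorize:", url)
    endpoint, form = build_token_request(DISCOVERY_DOC["token_endpoint"], APP_ID, "<App Secret>", "<code>", REDIRECT_URI)
    print("Token POST to", endpoint, "with fields", sorted(form))  # never log the secret value
    print("Rotate secret now?", secret_rotation_due(date(2025, 3, 1), date(2025, 2, 15)))
```

The token request is the reason the engine (eth1 in a multiple-NIC setup) needs outbound Internet access, while the authorize URL is what the unregistered end-system's browser must be allowed to reach through the Unregistered policy.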

User Group Configuration

After you have configured the Portal registration for OpenID using the steps above, use the following steps to configure a User Group:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control > Group Editor > User Groups.
  2. Select Add.
  3. In the Name field, enter a name for the user group.
  4. In the Create Group area, click Add.
  5. In the Attribute Name field, select memberOf.
  6. In the Attribute Value field, enter the name of the Entra ID security group. Either match the group name exactly or use the * wildcard (for example Net-* to match every group whose name begins with Net-).
  7. Select Save.

Access Control Rule Configuration

After you have configured the Portal registration for OpenID and the User Groups configuration using the steps above, use the following steps to configure an Access Control Rule:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control > Configuration > select your configuration > Rules.
  2. Select Add.
  3. In the Name field, enter a name for the rule.
  4. Select the Rule Enabled checkbox.
  5. In the Description field, enter a description for the rule.
  6. In the User Group field, select the user group you created during the User Group Configuration.
  7. In the End System Group field, select Web Authenticated Users.
  8. Select Save.
  9. Enforce the new configuration to your engines.
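The following added example (not ExtremeControl code) shows how the User Group and rule configuration above resolve for one signed-in user: the security groups are taken from a constructed Microsoft Graph memberOf response, the memberOf attribute value is matched exactly or with the * wildcard, and rules are evaluated in order so the first enabled match wins. Group names, rule names, policies, and the case-insensitive comparison are assumptions of this example, not statements from the product documentation.

```python
import re
from typing import Optional

# Constructed payload in the shape Microsoft Graph returns for GET /users/{id}/memberOf
# (what the extra Directory/GroupMember/User permissions in the app registration let the
# engine read). memberOf also returns directory roles and mail-only groups, which are not
# security groups and must be ignored.
GRAPH_MEMBER_OF = {
    "value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "Net-Engineering", "securityEnabled": True},
        {"@odata.type": "#microsoft.graph.group", "displayName": "All Staff Mailing", "securityEnabled": False},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Administrator"},
    ]
}

# User Groups as created in Group Editor: attribute memberOf, value exact or containing '*'.
USER_GROUPS = {
    "Engineering Users": "Net-Eng*",
    "Finance Users": "Net-Finance",
    "Any Net Group": "Net-*",
}

# Access Control rules in evaluation order (hypothetical names and policies); the End System
# Group is Web Authenticated Users for this registration type.
RULES = [
    {"name": "Engineering access", "enabled": True, "user_group": "Engineering Users",
     "end_system_group": "Web Authenticated Users", "policy": "Enterprise User"},
    {"name": "Finance access", "enabled": True, "user_group": "Finance Users",
     "end_system_group": "Web Authenticated Users", "policy": "Finance"},
    {"name": "Other Net users", "enabled": False, "user_group": "Any Net Group",
     "end_system_group": "Web Authenticated Users", "policy": "Guest Access"},
]


def security_groups(member_of: dict) -> list[str]:
    """Keep only security-enabled groups; roles and distribution lists never match memberOf."""
    return [
        obj["displayName"]
        for obj in member_of.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.group" and obj.get("securityEnabled")
    ]


def memberof_matches(group_names: list[str], pattern: str) -> bool:
    """Exact name or '*' wildcard and nothing else: every other character is literal, so a
    group such as 'R&D (EMEA)' matches 'R&D (*)' and '?' does not act as a wildcard.
    Case-insensitive comparison is an assumption of this example."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, name, re.IGNORECASE) for name in group_names)


def first_matching_rule(rules: list[dict], user_groups: dict, group_names: list[str],
                        end_system_group: str = "Web Authenticated Users") -> Optional[dict]:
    """Rules are evaluated top-down; the first enabled rule whose user group and end-system
    group both match is applied. None means no OpenID rule matched (the default rule applies)."""
    for rule in rules:
        if not rule["enabled"] or rule["end_system_group"] != end_system_group:
            continue
        pattern = user_groups.get(rule["user_group"])
        if pattern is not None and memberof_matches(group_names, pattern):
            return rule
    return None


if __name__ == "__main__":
    groups = security_groups(GRAPH_MEMBER_OF)  # ['Net-Engineering']
    rule = first_matching_rule(RULES, USER_GROUPS, groups)
    print(groups, "->", rule["name"] if rule else "no rule matched")
    # A sales group only matches the disabled catch-all rule, so nothing is returned.
    print(first_matching_rule(RULES, USER_GROUPS, ["Net-Sales"]))
```

Two things to verify against this in a real deployment: that a user who is in no matching security group lands on the rule you intend (here None, i.e. the default), and that a broad wildcard such as Net-* is placed below the more specific rules, since ordering, not specificity, decides the match.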

Multiple NIC Environment Configuration

The best practice for security is to not mix the Management and Control traffic with the user traffic.

After you have configured the Portal registration for OpenID, the User Groups configuration, and the Access Control Rule configuration using the steps above, you can configure a multiple NIC environment:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control > Engines > Engine Groups > select your group > select your engine.
  2. Select Details, and in the Interface Summary area select Edit.
  3. From the eth0 area, in the Mode field, select Management Only.
    The eth0 NIC is now configured for Management, Monitoring Services, Network Services, AAA Servers, Device, Portal: Management, and Traffic Snooping.
  4. From the eth1 area, in the Mode field, select Registration & Remediation Only.
    The eth1 NIC is now configured for communication with End-System and Traffic Snooping, and also configured to communicate with Entra ID.
    IMPORTANT: Internet access must be available from eth1 NIC.
  5. From the eth1 area, in the Host Name field, enter the FQDN used in the Redirect URI.
  6. Select Save.
  7. Enforce the new configuration to your engines.

Deployment Considerations

Read the following deployment consideration prior to implementing an Entra ID Authenticated Registration configuration:

  • The best practice for the Captive Portal configuration is to use HTTPS and FQDN.

  • The High Availability Captive Portal can be configured using multiple DNS records for the same FQDN.

  • After a successful authentication at Entra ID, the web browser is redirected to the NIC of the Access Control Engine where the captive portal is enabled. If multiple NICs are configured, then the NIC with the lowest number where the Registration & Remediation is enabled is used.

  • If the Access Control Engine is configured as a proxy, then you must update the Allowed Web Sites to include the Microsoft sign-in servers.
