AAA, NAC, Guest Access & BYOD

How to use Onboard with single SSID on IAP

This article explains about the following.

1: Creating a Dot1x SSID on IAP.
2: Creating required roles.
3: Configuring the Guest part of CPPM
4: Creating services on CPPM to handle the Onboarding request.

 

Environment :

 

This KB article is written for a combination of  CPPM 6.2 and IAP 6.2.1.0-3.3.0.3_39227

The IAP must be on 3.3 code for this setup to work.

 

Below are the detailed Configuration steps.

1: Configuration on the IAP

1a: Add CPPM as a radius server on IAP.

Navigate to "Security - Authentication Servers" and add the below details.

 

 

rtaImage.png

 

1b: Create Roles on IAP.

Navigate to  "Security -> Roles"

Create a Preauth role as below. The client will initially fall into this role after authentication. This is a general captive Portal role with HTTP and HTTPS access to the CPPM server and Enforce Captive Portal.

 

rtaImage (1).png

 

 

To Add "Enforce Captive Portal" click on "New" and add the captive portal rule as below.

The URL is the Device_provisioning page on the CP Guest : /guest/landing.php/device_provisioning.php


For Android devices, we must provide access to  the IP of Google play store in the Preauth Role.

The Redirect URL is Optional.

 

rtaImage (2).png

 

 

1c: Create a Dot1X SSID with the below specifications.

Give a generic name to the SSID and select the Primary usage as " Employee".

 

rtaImage (3).png

We can use configure this based on the network requirements.

 

rtaImage (4).png

 

 

Map the CPPM server as Authentication Server and select the Key management as " WPA-2 Enterprise".

 

rtaImage (5).png

 

On this page, we will see a Role "onboard-single" created by default. We will need to add Aruba-User-Roles for this specific Role.

Add two Aruba user roles as " Aruba-User-Role <-> contains <-> Q-Preauth then Role = Q-Preauth".

And " Aruba-User-Role <-> contains <-> Onboard-single then Role = Onboard-single".

 

rtaImage (6).png

 

 

Make sure that the Order is set as below.

 

rtaImage (7).png

 

 

Hit "Finish" to save the the configuration.

This Completes the Configuration of the IAP.


2: Configuration Of Clear Pass Guest.

Navigate to " Home » Onboard + WorkSpace » Onboard/MDM Configuration » Network Settings"

Click on the "Example networks" and select "Edit"

 

rtaImage (8).png

 

Please configure this page as per details below or your requirements.

 

rtaImage (9).png

 

 

Make sure that the SSID field contains the exact SSID name.
 We can leave the other tabs in this page as Default.

Navigate to " Home » Onboard + WorkSpace » Deployment and Provisioning » Provisioning Settings"

and select "Provisioning Address:" as the correct interface. In this test condition we are using themanagement port.


As in this lab setup, we do not have a proper certificate installed, so we are disabling the validate certificate option.

 

rtaImage (10).png

 

 

All the other configuration may be left as default.

This completes the CP Guest Configuration.


3: Configuration on CPPM.

Make sure that the IAP is added a NAD on CPPM.

 Navigate to "Configuration » Service Templates" and select the Default "Onboard Authorization" template.

 

 

Give a generic name for user understanding and select the Wireless Controller from the Drop down and provide the SSID name and click "Add Service".

It will automatically create two services as below.

 

rtaImage (12).png

 

The First Service is: Single-SSID Onboard Authorization -  RADIUS Enforcement ( Generic )

     -We can leave this service with the defult configuration. If required we can add Active directory as an authentication source also.

 

rtaImage (13).png

 

The Second Service created is " Single-SSID Onboard Provisioning" is a "Aruba 802.1X Wireless"service.

    - We will need to edit the enforcement profiles in this service.

Navigate to "Configuration » Enforcement » Profiles" and apply a filter as below.

 

rtaImage (14).png

Edit the "Single-SSID Onboard Post-Provisioning" as below.

Add the Post provisioning Role  name in the Attributes tab and save the Profile.

 

rtaImage (15).png

 

Edit the "Single-SSID Onboard Pre-Provisioning" as below.

Add the Pre provisioning Role name in the Attributes tab and save the Profile.

 

rtaImage (16).png

 

Save and exit . The above two prfiles are mapped to the service, so making changes here will reflect on the service as well.

Create a Guest user on CPPM.

Navigate to "Configuration » Identity » Guest Users" and click on " Add Guest User" to add a new guest user.

 

rtaImage (17).png

 

Hit Add to add the user.

This completes the configuration on CPPM.

 

Connect a Device to the SSID.

In this test condition, we use an Android smart phone.

The guest user name is "onboard"

Connect the device to the SSID and authenticate yourself. once authentication is complete, we get an IP to the device. Fire up a browser and it should redirected to the Device Provisioning page.

Below is the Access tracker details.

rtaImage (18).png

Version history
Revision #:
1 of 1
Last update:
‎07-17-2014 08:24 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.