This article explains about the following.
1: Creating a Dot1x SSID on IAP.
2: Creating required roles.
3: Configuring the Guest part of CPPM
4: Creating services on CPPM to handle the Onboarding request.
This KB article is written for a combination of CPPM 6.2 and IAP 184.108.40.206-220.127.116.11_39227
The IAP must be on 3.3 code for this setup to work.
Below are the detailed Configuration steps.
1: Configuration on the IAP
1a: Add CPPM as a radius server on IAP.
Navigate to "Security - Authentication Servers" and add the below details.
1b: Create Roles on IAP.
Navigate to "Security -> Roles"
Create a Preauth role as below. The client will initially fall into this role after authentication. This is a general captive Portal role with HTTP and HTTPS access to the CPPM server and Enforce Captive Portal.
To Add "Enforce Captive Portal" click on "New" and add the captive portal rule as below.
The URL is the Device_provisioning page on the CP Guest : /guest/landing.php/device_provisioning.php
For Android devices, we must provide access to the IP of Google play store in the Preauth Role.
The Redirect URL is Optional.
1c: Create a Dot1X SSID with the below specifications.
Give a generic name to the SSID and select the Primary usage as " Employee".
We can use configure this based on the network requirements.
Map the CPPM server as Authentication Server and select the Key management as " WPA-2 Enterprise".
On this page, we will see a Role "onboard-single" created by default. We will need to add Aruba-User-Roles for this specific Role.
Add two Aruba user roles as " Aruba-User-Role <-> contains <-> Q-Preauth then Role = Q-Preauth".
And " Aruba-User-Role <-> contains <-> Onboard-single then Role = Onboard-single".
Make sure that the Order is set as below.
Hit "Finish" to save the the configuration.
This Completes the Configuration of the IAP.
2: Configuration Of Clear Pass Guest.
Navigate to " Home » Onboard + WorkSpace » Onboard/MDM Configuration » Network Settings"
Click on the "Example networks" and select "Edit"
Please configure this page as per details below or your requirements.
Make sure that the SSID field contains the exact SSID name.
We can leave the other tabs in this page as Default.
Navigate to " Home » Onboard + WorkSpace » Deployment and Provisioning » Provisioning Settings"
and select "Provisioning Address:" as the correct interface. In this test condition we are using themanagement port.
As in this lab setup, we do not have a proper certificate installed, so we are disabling the validate certificate option.
All the other configuration may be left as default.
This completes the CP Guest Configuration.
3: Configuration on CPPM.
Make sure that the IAP is added a NAD on CPPM.
Navigate to "Configuration » Service Templates" and select the Default "Onboard Authorization" template.
Give a generic name for user understanding and select the Wireless Controller from the Drop down and provide the SSID name and click "Add Service".
It will automatically create two services as below.
The First Service is: Single-SSID Onboard Authorization - RADIUS Enforcement ( Generic )
-We can leave this service with the defult configuration. If required we can add Active directory as an authentication source also.
The Second Service created is " Single-SSID Onboard Provisioning" is a "Aruba 802.1X Wireless"service.
- We will need to edit the enforcement profiles in this service.
Navigate to "Configuration » Enforcement » Profiles" and apply a filter as below.
Edit the "Single-SSID Onboard Post-Provisioning" as below.
Add the Post provisioning Role name in the Attributes tab and save the Profile.
Edit the "Single-SSID Onboard Pre-Provisioning" as below.
Add the Pre provisioning Role name in the Attributes tab and save the Profile.
Save and exit . The above two prfiles are mapped to the service, so making changes here will reflect on the service as well.
Create a Guest user on CPPM.
Navigate to "Configuration » Identity » Guest Users" and click on " Add Guest User" to add a new guest user.
Hit Add to add the user.
This completes the configuration on CPPM.
Connect a Device to the SSID.
In this test condition, we use an Android smart phone.
The guest user name is "onboard"
Connect the device to the SSID and authenticate yourself. once authentication is complete, we get an IP to the device. Fire up a browser and it should redirected to the Device Provisioning page.
Below is the Access tracker details.