AAA, NAC, Guest Access & BYOD

Onboard Setup works fine with Android but fails on Apple devices.

Environment: This issue may be seen on CPPM 6.x versions.

 

After an Apple device connects to the Onboard SSID and authenticates, it tries to install the server certificate, and the installation fails.

The exact error message may differ between setups. It may be either of the following:

1: Unable to download the certificate.
2: The page hangs and then a message pops up stating "Unable to onboard the device".

 

The main causes of this error are:

1: No SSL (server) certificate installed.
2: Wrong server certificate installed on the server (the installed certificate may not contain the complete trust chain).
3: Untrusted (self-signed) certificate installed.

 

 

Onboard for iOS will never work if a server certificate is unavailable. As a workaround, we can force CPPM to use HTTP instead of HTTPS.

Valid DNS is also required for iOS Onboard to work.

Below is the workaround.

Switch to HTTP.


Navigate to Home » Configuration » Authentication in ClearPass Guest and uncheck the option to use HTTPS.

 


 

Also disable the Validate certificate option.

Navigate to "Home » Onboard + WorkSpace » Deployment and Provisioning » Provisioning Settings" in ClearPass Guest and set "Provisioning Address:" to the correct interface. In this test condition we are using the management port.

 


 

Onboarding iOS devices will also fail if the server certificate does not contain all intermediates up to the CA root.

Check that the intermediate certificate is visible with the server certificate:

Navigate to "Administration » Certificates » Server Certificate" and view the certificate.

 


 

If the intermediate certificates are not visible in the UI, concatenate the following two certificates in the certificate file before importing it (see example below):

a: Server certificate
b: Intermediate certificate

Open a text editor such as Notepad and save the certificates as below.

The first certificate is the server certificate and the second is the intermediate certificate.


-----BEGIN CERTIFICATE-----
(server certificate data)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate data)
-----END CERTIFICATE-----

Save this combination as a .PEM file and then import it. The certificate chain should now be visible.

Version History: Revision 1 of 1
Last update: 07-16-2014 01:08 PM