AAA, NAC, Guest Access & BYOD


Single SSID Onboard using Aruba Controller

Aug 06, 2014 10:52 AM

This article explains:

   i) Adding the Aruba controller as a NAD device.
   ii) Integrating the Aruba controller with CPPM to perform Onboard provisioning.
   iii) Configuring a service on CPPM to handle the Onboard request.
   iv) Configuring the Guest part of CPPM.

 

Environment: This article is written for CPPM 6.2.0 and greater.

 

Below are the detailed steps.

1: Adding Aruba Controller as NAD device on CPPM.

Navigate to Configuration > Network > Devices

Click Add Device

Add the device as shown below.

rtaImage.jpg

Make sure that the same RADIUS shared secret is configured on the controller as well.
 

2: Integrate Aruba Controller with CPPM for Onboard provisioning.


 -> Add a server group on the Controller

Navigate to  Security > Authentication > Servers

Add a new RADIUS server.

rtaImage (1).jpg

Enter the IP of the CPPM or a generic name to identify the CPPM server and hit "Add".

After adding, the CPPM server will show in the list.

Click on the entry and modify the below.


Make sure that the Host field has the IP/host name of the CPPM and that the Key is the same as the RADIUS shared secret in step 1.

-> Map this server to a server group.

Create a new server group and add the CPPM entry to it.

rtaImage (2).jpg

Add an RFC 3576 server.

Navigate to "RFC 3576 Server".

rtaImage (3).jpg

The key MUST match the RADIUS keys in the step above.

Navigate to "Security > Authentication > L2 Authentication" and add a new dot1x profile.

rtaImage (4).jpg

Navigate to "Security > Authentication > Profiles" and create a new AAA profile for authentication.

rtaImage (5).jpg

Make sure that the initial role is "Logon". It is important because this role will be matched on the CPPM for device provisioning.

Map this AAA profile to the below groups/profiles.

MAC Authentication Server Group       default
802.1X Authentication                 Onboard.1x (the dot1x profile created in the step above)
802.1X Authentication Server Group    Onboard-grp (RADIUS server group)
RADIUS Accounting Server Group        Onboard-grp (RADIUS server group)


Add a Captive Portal profile on the controller.

Navigate to "Security > Authentication > L3 Authentication".

rtaImage (6).jpg

Map the correct server group to the Captive Portal profile and add the login page URL as "http://IP_Address_Of_CPPM/guest/device_provisioning.php".

Edit the "Logon" role.

Navigate to "Security > Access Control > User Roles" and edit the "Logon" role.

rtaImage (7).jpg

Make sure that the firewall policies are as below.

rtaImage (8).jpg

HTTP/HTTPS connectivity to the CPPM server should be added.

rtaImage (9).jpg

Add the default Captive Portal policy as well.

rtaImage (10).jpg

Scroll down this page and map this role to the Captive Portal profile created earlier.

rtaImage (11).jpg

Create a new dot1x VAP and SSID.

Navigate to "Configuration > AP Group" and edit the AP group to which you want to add the SSID.

Create a new Virtual AP (VAP) profile.

rtaImage (12).jpg

Map it to the specific VLAN, set the AAA profile to the one we created above, and create a new SSID as below.

rtaImage (13).jpg

This completes the configuration on the controller.

3: Create Onboard service on the CPPM.

Navigate to "Configuration » Service Templates" and select the Onboard template.

rtaImage (14).jpg

After selecting, add a service with the below details.

rtaImage (15).jpg

Make sure that the SSID name exactly matches the SSID configured on the controller.

Once we save the settings, it will create two new services as below.

rtaImage (16).jpg

Edit the first service: Lab-Onboard Onboard Authorization

Add two new authentication sources as below.

rtaImage (17).jpg

 

The second service created, "Lab-Onboard Onboard Provisioning", is an "Aruba 802.1X Wireless" service.

    - We will need to edit the enforcement profiles in this service.


Navigate to "Configuration » Enforcement » Profiles » Edit Enforcement Profile - Lab-Onboard Onboard Pre-Provisioning" and edit the pre-provisioning profile.

The name will contain the string "Onboard Pre-Provisioning".

Change the attribute from "BYOD-provisioning" to "Logon".

rtaImage (18).jpg

Create a guest user on CPPM.

Navigate to "Configuration » Identity » Guest Users" and click on "Add Guest User" to add a new guest user.

rtaImage.png

Hit Add to add the user.

This completes the configuration on CPPM.


4: Configuration of ClearPass Guest.

Navigate to "Home » Onboard + WorkSpace » Onboard/MDM Configuration » Network Settings"

Click on "Example networks" and select "Edit".

rtaImage (1).png

Configure this page as per the details below or as per your requirements.

rtaImage (19).jpg

Make sure that the SSID field contains the exact SSID name.
We can leave the other tabs on this page at their defaults.

Navigate to "Home » Onboard + WorkSpace » Deployment and Provisioning » Provisioning Settings"

and set "Provisioning Address:" to the correct interface. In this test setup we are using the management port.


Because this lab setup does not have a proper certificate installed, we are disabling the validate certificate option. Where a properly issued certificate is installed, leave this option enabled.

rtaImage (2).png

All other configuration may be left at the defaults.

This completes the CP Guest Configuration.
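
The following is an added example, not part of the original article or of any Aruba tooling: a small Python check that reads a controller configuration excerpt and verifies the settings this article says must line up (initial role "Logon", the same server group for 802.1X and accounting, the captive portal login page pointing at CPPM, and the ESSID matching the SSID entered on CPPM). The excerpt is constructed for illustration; the profile names other than Onboard.1x and Onboard-grp, the SSID and the 192.0.2.10 address are placeholders.

```python
# Constructed ArubaOS-style excerpt; names, SSID and IP are placeholders.
SAMPLE = '''
aaa authentication captive-portal "Onboard-cp"
   server-group "Onboard-grp"
   login-page "http://192.0.2.10/guest/device_provisioning.php"
!
aaa profile "Onboard-aaa"
   initial-role "logon"
   authentication-dot1x "Onboard.1x"
   dot1x-server-group "Onboard-grp"
   radius-accounting "Onboard-grp"
!
wlan ssid-profile "Onboard-ssid"
   essid "Lab-Onboard"
'''

def parse(text):
    """Map each stanza header to a dict of its 'keyword value' settings."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():          # unindented line starts a stanza
            cur = stanzas.setdefault(line.strip().replace('"', ""), {})
        elif cur is not None:              # indented line is a setting
            key, _, val = line.strip().partition(" ")
            cur[key] = val.strip('"')
    return stanzas

def check(text, cppm_ssid, cppm_host):
    """Return a list of mismatches against the requirements in this article."""
    cfg, problems = parse(text), []
    for name, s in cfg.items():
        if name.startswith("aaa profile "):
            if s.get("initial-role", "").lower() != "logon":
                problems.append(f"{name}: initial role is not Logon")
            if s.get("dot1x-server-group") != s.get("radius-accounting"):
                problems.append(f"{name}: 802.1X and accounting server groups differ")
        elif name.startswith("aaa authentication captive-portal "):
            want = f"http://{cppm_host}/guest/device_provisioning.php"
            if s.get("login-page") != want:
                problems.append(f"{name}: login page is not {want}")
        elif name.startswith("wlan ssid-profile ") and s.get("essid") != cppm_ssid:
            # The SSID comparison is exact, including case.
            problems.append(f"{name}: ESSID differs from CPPM SSID {cppm_ssid!r}")
    return problems
```

Calling check(SAMPLE, "Lab-Onboard", "192.0.2.10") returns an empty list; any returned string names the stanza that disagrees with the CPPM side.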
