Allowing Airwatch MDM access to Captive-Portal guest users in the pre-auth role for Android and BlackBerry

Aruba Employee
Requirement:

How can Airwatch MDM access be allowed for Captive-Portal guest users in the pre-authentication role on Android and BlackBerry devices?

What is Airwatch MDM?

Airwatch MDM is a Mobile Device Management (MDM) solution. Airwatch is an enterprise that helps manage and secure data traveling through mobile devices such as laptops, tablets, Android devices, iPhones, iPads, etc.

Solution:

Why do we need to allow access to Airwatch MDM?

The network administrator can force guest users to register with Airwatch MDM before they are authenticated and given internet access, so that the administrator can manage the guest devices through the Airwatch management tool. This can be achieved with a CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server, certain domains must be permitted in the captive portal pre-authentication role. This KB provides the configuration steps that allow guest users to download the Airwatch MDM app and register with the Airwatch MDM server.

Configuration:

Configuration steps:

1. Create the following netdestinations:

netdestination Airwatch
  name *.awagent.com
  name *.awmdm.com
  name air-watch.com

netdestination Google-Play
  name android.clients.google.com
  name .ggpht.com
  name gstatic.com
  name accounts.google.com
  name clients1.google.com
  name clients2.google.com
  name clients3.google.com
  name clients4.google.com
  name i.ytimg.com
  name google-analytics.com
  name .1e100.net
  name android.l.google.com
  name mtalk.google.com
  name clients.l.google.com
  name googleapis.com
  name gvt1.com

netdestination BlackBerry
  name *.blackberry.com

2. Now define the rules in session ACLs, which are then mapped to the pre-authentication role of the captive portal.

ip access-list session Airwatch_Access
  any alias Airwatch svc-http permit
  any alias Airwatch svc-https permit

ip access-list session Google-Play-Store
  any alias Google-Play any permit

ip access-list session BlackBerry-Access
  any alias BlackBerry any permit

3. Now map the session ACLs to the captive-portal pre-authentication role as follows:

user-role Guest-Pre-Auth-Role
  access-list session Airwatch_Access
  access-list session Google-Play-Store
  access-list session BlackBerry-Access
  access-list session logon-control
  access-list session captiveportal

4. Now whitelist the domain names in the Captive Portal profile. The white-list entries are the netdestinations where you defined the domains.

aaa authentication captive-portal Airwatch-Captive-Portal-Profile
  white-list Airwatch
  white-list Google-Play
  white-list BlackBerry

Verification

The user will now be placed in the "Guest-Pre-Auth-Role" before authentication. The user can go to the Google Play Store or BlackBerry App World to download the Airwatch MDM app and register with the Airwatch management server.
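
An added example, not part of the original KB article or Aruba's tooling: a short Python audit that parses a configuration in the form used in steps 1 to 3 and lists the pre-authentication rules that permit any service to a whitelisted alias, which is traffic a guest can send before authenticating. The embedded configuration is a constructed, condensed copy of this article's settings, and `parse` and `audit_role` are hypothetical helper names.

```python
CONFIG = """\
netdestination Airwatch
  name *.awmdm.com
netdestination Google-Play
  name mtalk.google.com
  name googleapis.com
netdestination BlackBerry
  name *.blackberry.com
ip access-list session Airwatch_Access
  any alias Airwatch svc-http permit
  any alias Airwatch svc-https permit
ip access-list session Google-Play-Store
  any alias Google-Play any permit
ip access-list session BlackBerry-Access
  any alias BlackBerry any permit
user-role Guest-Pre-Auth-Role
  access-list session Airwatch_Access
  access-list session Google-Play-Store
  access-list session BlackBerry-Access
  access-list session logon-control
"""  # constructed sample: condensed copy of this article's configuration

def parse(config):
    """Group indented lines (as token lists) under their unindented stanza header."""
    stanzas, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = stanzas.setdefault(tuple(line.split()), [])
        elif current is not None:
            current.append(line.split())
    return stanzas

def audit_role(config, role):
    """Return (acl, alias, hostnames) for each rule in `role` that permits any service."""
    st = parse(config)
    dests = {h[1]: [b[1] for b in body if b[0] == "name"]
             for h, body in st.items() if h[0] == "netdestination"}
    acls = {h[3]: body for h, body in st.items() if h[:3] == ("ip", "access-list", "session")}
    names = [e[2] for e in st.get(("user-role", role), []) if e[:2] == ["access-list", "session"]]
    findings = []
    for name in names:
        for rule in acls.get(name, []):  # ACLs not defined in the text (predefined ones) are skipped
            # Rule shape used on this page: <source> alias <netdestination> <service> <action>
            if len(rule) == 5 and rule[1] == "alias" and rule[3:] == ["any", "permit"]:
                findings.append((name, rule[2], dests.get(rule[2], [])))
    return findings

if __name__ == "__main__":
    for acl, alias, hosts in audit_role(CONFIG, "Guest-Pre-Auth-Role"):
        print(f"{acl}: any service permitted to {alias} ({', '.join(hosts)})")
```

On this configuration it reports Google-Play-Store and BlackBerry-Access, while Airwatch_Access is not reported because it is limited to svc-http and svc-https.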

Version history
Revision #: 2 of 2
Last update: 06-18-2015 05:35 AM