06-21-2014 02:24 AM
This is my first time attempting to do onboarding using clearpass. Quite lost how I should actually start.
I went thru the onboarding deployment guide. It taught the steps to create the certs and configure the provisioning settings. I am using the clearpass with aruba controllers to do 802.1x and ma authentication.
Is there any tutorials or guide that show the whole steps/process from what I should configure on the policy manager and onboard?
1) what should I configure on the policy manager such that it detects that it is a BYOD device and directs the user to a login page to do onboarding. Do I need to enable profiling? Will I need to return multiple services and what kind of enforcement profiles and roles/attributes should I be returning?
2) I have created a few ad groups(a group that allows user to onboard multiple devices and a group that allows only 1 onboarding of 1 device)
3) should I be creating a role that restrict why byod devices can access after successful provisioning)?
Any documents that can guide/teach me would be greatly appreciated.
I have gone thru the policy manager guide, the onboard deployment guide .
Thanks in advance.
Solved! Go to Solution.
06-21-2014 03:35 AM
Onboarding and ClearPass Policy Manager itself have many options and many ways to configure it. The important thing is to know what you need it for, form a business policy around it, and then you will have a concrete direction. In general, Onboard is designed to give unique credentials to devices like smartphones where 802.1x would only have them using a regular username and password. Later, if the user leaves the company, you can disable their AD account and none of their BYOD devices will work. If they lose a BYOD device the individual device can also be disabled.
With that being said, what environment do you have and what is your goal?
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
06-21-2014 07:44 AM
thanks for your reply.
I have a ssid which corporate laptops will be using for 802.1x authentication. Should users use their android/ios/macbook devices to connect, they should be directed to a provisioning page to do onboarding. Once onboarded, those devices will have limited access to corporate networks. Those devices will be managed by mobile iron once onboarded.
I have configured the services for the corporate laptop 802.1x authentication with role assignment. Should I be using the same service to determine if it is a byod device? How do I configure the policy manager to determine that it is a BYOD device and direct it to the captive portal? Do I need to enable the profiler for the policy manager to categorise the devices?
06-21-2014 07:52 AM
Are these corporate devices Windows devices that will be doing machine authentication to your domain?
06-21-2014 08:08 AM
The corporate devices are windows machine that will be doing machine and user authentications. The user authentication is working at the moment for these windows devices. Can't test machine authentication as the AD is not ready.
The confusing part are those non-corporate devices like iPads/android tablets/MacBook etc. how do I configure the clear pass to detect them and direct them to the onboarding page?
06-21-2014 08:19 AM - edited 06-21-2014 08:21 AM
First: Add ClearPass as IP Helpers under the Wireless VLANs, this will allow you to profile and get device OS information
Second: Add Endpoint Repository as an Authorization Source
Third: Add device Category and OS Family as "Roles"
Fourth: In your enforcement policy use these to redirect users to the onboard page:
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
06-21-2014 08:28 AM
Here's the basic you need in your enforcement profile:
You can use this as a baseline and then add more granular context with AD groups, etc.
06-21-2014 08:54 AM
Thanks for spending your Saturday helping a noob like me.
I understand slightly now.
The end profiler is needed to categorize the devices.
So I should just add the endpoint repository as an authorization source to the my existing 802.1x service?
The device_category and device_family can be used as as a condition. The enforcement policy will determine that if it is a "smartdevice" I should redirect the user to the provisioning page. For my case, I should check whether the user is authenticated and another condition that user is eligible to do byod onboarding based on the ad group the use ID is in.
I dun have the clear pass with me now. Is the enforcement profile "home onboard redirect role" an enforcement profile template or was it created manually? What was set for that profile if it was created manually? Was Tim's enforcement profile what I should be setting if the profile was created manually?
Which step will cause the byod device to be redirected to the provisioning page?
Can I know if there are any materials if I should be referring to do learn more about the setup?
06-21-2014 09:04 AM
I usually always add the endpoint repository as an authorization source.
The ONBOARD-ENROLL enforcement policy just returns that role to the controller. On the controller you'd need to create a new user-role with the same name and attach a captive portal profile with the URL of the the onboard enrollment page.
You'll want to check for Authentication:OuterMethod = EAP-PEAP and Authorization:AD:Groups EQUALS Onboard-Group-Name and then return the ONBOARD-ENROLL role to the controller. This just says if you're using username and password to authentication (instead of a certificate) and you're a member of the approved group, then send you to the onboard enrollment page.
I created these profiles manually. You can also check out https://ase.arubanetworks.com. It's a wizard based engine that can create controller configurations based on your ClearPass requirements.