Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clear Pass BYOD issue...

  • 1.  Clear Pass BYOD issue...

    Posted Jul 16, 2012 02:52 AM

    I am trying to do a BYOD PoC for one customer. My setup is like below:

    AD - NPS - ClearPass - Controller - AP - iPhone user

    AD is used for the user database, NPS as RADIUS, ClearPass as proxy RADIUS.

    AD is the root CA, ClearPass the intermediate CA, and TLS termination is on the controller.

    I was able to make it work to the point where the device is identified, goes to the provisioning page, is able to install the root certificate and the device is trusted, the username/password is verified, and the device certificate is generated, which I can see in Certificate Management in ClearPass. But when I try to install the device certificate it comes out with an error:

    The server certificate for "https://172.16.16.42/mdps_profile.php/id/1/10" is invalid. When I go to the page https://172.16.16.42/mdps_profile.php/id/1/10 I get the error as follows and attached.

    I am thinking that I am doing something wrong in the provisioning setting (Profile ID). How do I set this?

    Currently it is:

    The current profile ID is ‘com.abclab.clearpass-guest.device.provisioning.ab0ef1a9-0f0e-4132-b0cc-84ce6012a210’

    Can someone guide me from here?

    ClearPass Onboard
    You are not authorized to download this profile.


  • 2.  RE: Clear Pass BYOD issue...

    Posted Jul 16, 2012 10:19 AM

    It appears from the description of your error message that you are attempting to redirect to the BYOD provisioning portal using HTTPS. For the iPhone to accept the download of the provisioning profile from the Onboard server using HTTPS, a trusted server certificate must be installed on the Onboard web server. Alternatively, if you are provisioning these devices over an existing SSID that has layer 2 encryption (WPA-PSK, 802.1X, etc.) then there is not as strong a need for HTTPS and you could consider redirecting from your controller using HTTP.

    A couple of other things to consider would be performing EAP-TLS termination on ClearPass Policy Manager, as this will support more complex PKI hierarchies (such as those dictated by iOS 5) than will be easily configured on the controller itself.

    Look forward to hearing how the rest of the PoC goes.



  • 3.  RE: Clear Pass BYOD issue...

    Posted Jul 16, 2012 10:56 AM

    Hi,

    I am using ClearPass Guest 3.9 without the CPPM. I am wondering where I can change this setting as per your suggestion.

    I am attaching my provisioning page. I am eager to complete this as this is the last step.

    Best regards,

    Aji N C


  • 4.  RE: Clear Pass BYOD issue...

    Posted Jul 16, 2012 02:55 PM

    If you are having clients redirected from a captive portal profile on an Aruba controller, you want to change the URL to use the hostname that the SSL certificate on the ClearPass Guest is issued to. DNS resolution needs to work for this as well.

    So if your SSL certificate says byod.domain.com, then you want to redirect clients to: https://byod.domain.com/landing.php/device_provisioning.php

    Note the landing.php in the middle of that URL to handle Apple's CNA requests for iOS and OS X 10.7 devices.

    If you have a third-party SSL certificate which is trusted by the client devices, then you are done.

    If your web server SSL certificate in CPG is issued by Onboard, you will get a certificate error on redirect. However, once you start the provisioning process (after downloading the root cert in step 1), it will work.
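The checks in the reply above, as an added example that is not part of the thread and is not HPE Aruba code: a small Python pre-flight that models what an iOS client verifies when the captive portal redirects it to the Onboard portal over HTTPS (the URL host must be a DNS name matching the certificate's subject alternative names, that name must resolve, and the issuer must already be trusted). The hostname byod.domain.com and the address 172.16.16.42 come from the thread; the SAN list, the issuer name "ClearPass Onboard CA", the DNS table and the trust store contents are constructed for illustration, and nothing here touches the network.

```python
"""Pre-flight check for an Onboard captive-portal redirect URL.

Added example, not code from the thread or from HPE Aruba. It models the
three things an iOS client verifies before accepting the portal page over
HTTPS: the URL host must be a DNS name that matches the server certificate's
subject alternative names, that name must resolve, and the certificate's
issuer must be in the client's trust store. All inputs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the ClearPass Guest / Onboard web server certificate.
# byod.domain.com is the hostname used in the thread; the wildcard entry and
# the issuer name are assumed for illustration.
ONBOARD_CERT = {
    "san": ["byod.domain.com", "*.guest.domain.com"],
    "issuer": "ClearPass Onboard CA",
}

# Constructed stand-in for what the clients' resolver returns (hostname -> IP).
LAB_DNS = {"byod.domain.com": "172.16.16.42"}

# Constructed trust stores: before and after "step 1" of provisioning installs
# the Onboard root certificate on the device.
IOS_TRUST_BEFORE_STEP1 = {"Example Public Root CA"}
IOS_TRUST_AFTER_STEP1 = IOS_TRUST_BEFORE_STEP1 | {ONBOARD_CERT["issuer"]}


def dns_name_matches(pattern, hostname):
    """Match a SAN dNSName against a hostname: exact, or a single leftmost
    wildcard label (the common RFC 6125 rule, without public-suffix checks)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard covers exactly one label and needs at least two fixed labels.
    return (len(p_labels) >= 3
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def check_redirect_url(url, cert=ONBOARD_CERT, dns=LAB_DNS,
                       trust_store=IOS_TRUST_AFTER_STEP1):
    """Return (accepted, notes). accepted is False when the client would show
    a certificate error; notes explain why, or flag the plain-HTTP trade-off."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return False, ["URL has no host component"]
    if parts.scheme == "http":
        # No TLS, so nothing is verified. The thread treats this as acceptable
        # only when the provisioning SSID already has layer-2 encryption.
        return True, ["plain HTTP: no certificate check at all; use only on an encrypted SSID"]
    if parts.scheme != "https":
        return False, ["unsupported scheme %r" % parts.scheme]

    problems = []
    try:
        ipaddress.ip_address(host)
        # The original post redirected to https://172.16.16.42/...: an IP
        # literal never matches a dNSName SAN, so the client rejects it.
        problems.append("host %s is an IP literal and cannot match a dNSName in the certificate" % host)
    except ValueError:
        if host not in dns:
            problems.append("%s does not resolve in client DNS" % host)
        if not any(dns_name_matches(p, host) for p in cert["san"]):
            problems.append("%s is not in the certificate SAN list %s" % (host, cert["san"]))
    if cert["issuer"] not in trust_store:
        problems.append("issuer %r is not trusted by the client yet" % cert["issuer"])
    return not problems, problems


if __name__ == "__main__":
    for url, store in [
        ("https://172.16.16.42/mdps_profile.php/id/1/10", IOS_TRUST_BEFORE_STEP1),
        ("https://byod.domain.com/landing.php/device_provisioning.php", IOS_TRUST_BEFORE_STEP1),
        ("https://byod.domain.com/landing.php/device_provisioning.php", IOS_TRUST_AFTER_STEP1),
        ("http://byod.domain.com/landing.php/device_provisioning.php", IOS_TRUST_BEFORE_STEP1),
    ]:
        ok, notes = check_redirect_url(url, trust_store=store)
        print("%-4s %s" % ("OK" if ok else "FAIL", url))
        for note in notes:
            print("      -", note)
```

Running it shows the original poster's redirect failing twice (IP literal, issuer not yet trusted), the hostname-based URL failing only until the root from step 1 is on the device, and the plain-HTTP alternative passing with a warning. Against a real deployment, read the SAN list and issuer off the portal with `openssl s_client -connect byod.domain.com:443 -showcerts` and substitute them for ONBOARD_CERT.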



  • 5.  RE: Clear Pass BYOD issue...

    Posted Aug 09, 2012 04:16 AM

    Aji N C,

    did you ever get this working?

    To back up what Cam said: on the controller, in your CP profile, check "Use HTTP for authentication". Then the redirect will not use HTTPS towards ClearPass Guest.

    Also, EAP termination on the controller stopped working for me, so I now do that on the ClearPass Guest server. Just remember to change the Authentication Method to "No authorization - authenticate only" in the Authentication Server that is created when you do this.