07-15-2012 11:51 PM
I am trying to do a BYOD PoC for one customer. My setup is like below.
AD is used for the user database, NPS as RADIUS, ClearPass as proxy RADIUS.
AD is root CA, ClearPass is intermediate CA, and TLS termination is on the controller.
I was able to make it work up to the point where the device is identified, goes to the provisioning page, is able to install the root certificate and the device is trusted, the username and password are verified, and the device certificate is generated, which I can see in the certificate management in ClearPass. But when I try to install the device certificate, it comes out with an error.
I am thinking that I am doing something wrong in the provisioning setting (Profile ID). How do I set this?
Currently it is:
Can someone guide me from here?
You are not authorized to download this profile.
07-16-2012 07:18 AM
It appears from the description of your error message that you are attempting to redirect to the BYOD provisioning portal using HTTPS. For the iPhone to accept the download of the provisioning profile from the Onboard server using HTTPS, a trusted server certificate must be installed on the Onboard web server. Alternatively, if you are provisioning these devices over an existing SSID that has layer 2 encryption (WPA-PSK, 802.1x etc.) then there is not as strong a need for HTTPS and you could consider redirecting from your controller using HTTP.
A couple of other things to consider would be performing EAP-TLS termination on ClearPass Policy Manager, as this will support more complex PKI hierarchies (such as those predicated by iOS 5) than will be easily configured on the controller itself.
Look forward to hearing how the rest of the PoC goes.
07-16-2012 07:55 AM
I am using ClearPass Guest 3.9 without the CPPM. I am surprised where I can change this setting as per your suggestion.
I am attaching my provisioning page. I am eager to complete this as this is the last step.
Aji N C
07-16-2012 11:54 AM
If you are having clients redirected from a captive portal profile on an Aruba controller, you want to change the URL to use the hostname that the SSL certificate on the ClearPass Guest is issued to. DNS resolution needs to work for this as well.
So if your SSL certificate says: byod.domain.com, then you want to redirect clients to: https://byod.domain.com/landing.php/device_provisioning.php
Note the landing.php in the middle of that URL to handle Apple's CNA requests for iOS and OS X 10.7 devices.
If you have a 3rd party SSL certificate which is trusted by the client devices, then you are done.
If your web server SSL certificate in CPG is issued by Onboard, you will get a certificate error on redirect. However, once you start the provisioning process (after downloading the root cert in step 1), it will work.
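The redirect-URL advice in the post above, as an added Python example (not part of the thread and not Aruba or ClearPass code): it checks a captive-portal redirect URL against the DNS names on the web server certificate and the landing.php path. The function names, the certificate name list and the sample IP address are constructed assumptions; DNS resolution itself is not tested.

```python
import ipaddress
from urllib.parse import urlsplit


def name_matches(host, pattern):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def check_redirect_url(url, cert_dns_names):
    """Return a list of problems with a captive-portal redirect URL."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("scheme is not https")
    try:
        # A redirect to a bare IP can never match a hostname-issued certificate.
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not the certificate hostname")
    except ValueError:
        if not any(name_matches(host, n) for n in cert_dns_names):
            problems.append("host %r not covered by certificate names" % host)
    if "/landing.php/" not in parts.path:
        problems.append("path lacks landing.php (Apple CNA handling)")
    return problems


# Constructed sample: DNS names on the ClearPass Guest server certificate.
CERT_NAMES = ["byod.domain.com"]

if __name__ == "__main__":
    for url in (
        "https://byod.domain.com/landing.php/device_provisioning.php",
        "https://10.1.1.5/landing.php/device_provisioning.php",  # constructed IP
        "https://byod.domain.com/device_provisioning.php",
    ):
        print(url, "->", check_redirect_url(url, CERT_NAMES) or "ok")
```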
08-09-2012 01:16 AM
Aji N C,
Did you ever get this working?
To back up what Cam said: on the controller, in your CP profile, check the "use HTTP for authentication" option. Then the redirect will not use HTTPS towards ClearPass Guest.
Also, EAP termination on the controller stopped working for me, so I now do that on the ClearPass Guest server. Just remember to change the Authentication Method to "No authorization - authenticate only" in the Authentication Server that is created when you do this.
-ACMX #316 :: ACCP-
Intelecom - Norway