Security

Reply
Occasional Contributor I
Posts: 7
Registered: ‎04-25-2014

Clearpass Onboard : iOS devices provisionning

Hi,

 

For my first post on Airheads Community, I'd like to submit BYOD issue when provisionning iOS devices.

 

My goal is to Onboard/Provision personal devices, using a PEAP/MSCHAPv2 authentication. I've configured two SSID, and my Clearpass configuration seems OK, since it's working for my Windows and android devices.

 

The issue occur when I try to provision an iPad:

 

- Installation of root CA : OK

- Onboarding : OK, I can see my device on Clearpass Onboard

- Provisionning : Failed. Connection to my corporate SSID failed. Looking in access tracker, It seems that my Provisionning service is not applied.

 

Have you any idea that could help me ?

 

Thank you,

 

Maxime

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Clearpass Onboard : iOS devices provisionning

The most common issue is the device is not trusting the https cert. You need to have a publicly signed cert on the https. If you are just testing you can disable https on both the controller and CPPM. Then in your redirect use http://
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Posts: 7
Registered: ‎04-25-2014

Re: Clearpass Onboard : iOS devices provisionning

[ Edited ]

Thanks Troy,

 

I've unchecked "Require HTTPS for guest access" in CPPM and I use an http url for my BYOD captive portal, but it doesn't work.

 

Now, I think I've a problem with one of my Clearpass Onboard Service.

I've configured the following rule : 

1.Radius:IETFUser-NameCONTAINSOnboardDevice

This rule is firing with my windows and android device when I connect to my corporate SSID with unique id, but not with my Ipad.

 

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Clearpass Onboard : iOS devices provisionning

What are you using for wireless?

If you can onboard other devices its most likely not a service issue.

Do you also have the checkbox checked in the controllers captive portal. Samplace where you put in the address.

Post some screen shots of access tracker and you can also look in the application log in the guest side.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Posts: 7
Registered: ‎04-25-2014

Re: Clearpass Onboard : iOS devices provisionning

I'm using Aruba APs and controllers (3600)

 

I also checked the "use http" checkbox.

 

Now, looking in the controller log, I can see EAP challenge failed when trying to connect to my corporate SSID. So I have a few questions :

 

- Is it possible to use unique id and PEAP with iOS devices ?

- Should I use EAP-TLS instead ?

Occasional Contributor I
Posts: 7
Registered: ‎04-25-2014

Clearpass Onboard : iOS devices provisionning

I had a phone call with TAC, they say that unless I configure a commercial certificate, it won't work.

That seems strange, because I thought that manually installing Root CA and desactivate https should work.

 

I've tried to provision a WPA2-PSK SSID and it's working like a charm. But when I provision a 802.1X SSID (tried PEAP and EAP-TLS), it doesn't work. And the strange part is that I didn't see any log in Access Tracker for the authentication service.

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Clearpass Onboard : iOS devices provisionning

Like I was talking about you can provision with out a Public cert if you have the following done on CPPM and the controller.

 

You wont see any auths happening on a PSK network because the client will disconnect and then reconnect with the same SSID. IOS devices have an issue where it wont move to a provisioned SSID like a windows or android device will. 

 

Also if you want the device to disconnect and reconnect you need to have the Send IP checkmarked in the controller.

 

Here is a how-to.

 

https://ase.arubanetworks.com/solutions/id/34

 

Screen Shot 2014-10-16 at 2.11.15 AM.png

 

Screen Shot 2014-10-16 at 2.11.52 AM.png

 

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Posts: 7
Registered: ‎04-25-2014

Re: Clearpass Onboard : iOS devices provisionning

Thanks a lot for the how-to !

 

It's almost working now, I think that the "Add IP Switch IP..." was the key.

I've just a small issue on iOS devices, I need to switch the WiFi off/on to get the correct profile.

 

Again, thank you for your help !

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: