MVP
Posts: 360
Registered: ‎05-09-2013

OnBoard Failing for Macbook Laptops

Customer wanted to OnBoard company-owned devices to do TLS authentication. I have ClearPass and the IAP cluster configured. OnBoard works successfully on Windows laptops, and we have it working on 1 Macbook (took 4 hours of trying and didn't really change anything).

Device connects to SSID-Secure (WPA2-Enterprise against AD), enters credentials, then is put in the pre-provisioning role (OnBoard captive portal); the user logs in (against AD) and follows the OnBoarding steps.

When it tries to install the certificate we receive "Cannot decrypt encrypted profile" and it does not connect.

I have debugging turned on in the OnBoard plugin, and the application logs do not show anything too strange, except a few re-sends of the phases.

Any ideas why this may be happening? I'm close to calling TAC, but thought I would try this first.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: OnBoard Failing for Macbook Laptops

This is while you are trying to install the profile?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 360
Registered: ‎05-09-2013

Re: OnBoard Failing for Macbook Laptops

Correct, we receive that error while installing the profile.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: OnBoard Failing for Macbook Laptops

Have you tried disabling HTTPS and instead using HTTP?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: OnBoard Failing for Macbook Laptops

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-and-Onboard-Apple-device-issues/td-p/65828
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 360
Registered: ‎05-09-2013

Re: OnBoard Failing for Macbook Laptops

Testing now, will update shortly.

Thanks!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: OnBoard Failing for Macbook Laptops

Do you have a publicly signed web server certificate?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 360
Registered: ‎05-09-2013

Re: OnBoard Failing for Macbook Laptops

Customer purchased an SSL cert from DigiCert that we installed for RADIUS authentication and I am using that for the OnBoard certificate as well.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 360
Registered: ‎05-09-2013

Re: OnBoard Failing for Macbook Laptops

So it looks like with HTTP, we were able to install the profiles successfully. We had to manually disconnect and reconnect for the TLS authentication to succeed. We are going to test a few more devices just to verify.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: OnBoard Failing for Macbook Laptops

Not sure how you can fix that with an IAP, but on the controller side of things, if you include the IP address of the controller (captive portal), it allows you to do that.

[Attachment: 2014-12-17 16_36_15-L3 Authentication.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA