Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

OnBoard authorization service missing Aruba-Mdps-Device-Name

I'm troubleshooting why iOS devices are not onboarding correctly. Android works and hits the "OnBoard Authorization" service just fine. iOS devices seem to be missing the Aruba-Mdps-Device-Name, therefore the service classification is missed.

Why would we not be getting the mdps-device-name? The test device is iPhone 4 running version 6.1.2 (10B146).

Regards,

Josh
___________
ACMP, ACCP
Aruba
Posts: 113
Registered: ‎11-21-2011

Re: OnBoard authorization service missing Aruba-Mdps-Device-Name

Note that for iOS devices you should see TWO entries in Access Tracker during a device provisioning:

  1. The first is a pre-auth check - used to verify your credentials on the device provisioning page. (If you get the password wrong, this is how the page works that out.)
  2. Device provisioning is then performed. When you accept the provisioning profile, a second request is triggered - this is the actual Onboard Authorization check.

The two requests can be differentiated by the fact that the first request is only a user request and does not contain any device info (this is why there is no Aruba-Mdps-Device-Name attribute).

The second request has user AND device information and can be used to make more fine-grained decisions about provisioning a device ("should user X be allowed to provision device Y").

To solve your issue, you need to define a pre-auth service that will be used for iOS devices.

Super Contributor II
Posts: 372
Registered: ‎09-05-2012

Re: OnBoard authorization service missing Aruba-Mdps-Device-Name

We ran into this issue.

amigodave is 100% correct in his explanation.

We created a separate service just for iOS devices because the first request you see from the iOS device during Onboarding does not contain any of the Aruba-Mdps-* information.

For the service we created to catch iOS's first request, we used the attribute Aruba-Port-Id because it is included in that initial request sent by the iOS devices. This allowed us to filter the service accurately. The Aruba-Port-Id references the name of the Onboarding page.

Then the subsequent requests made by the iOS device (I believe there are a total of 3) contain the Aruba-Mdps-* information and will be filtered into your other Onboard service.

On a side note, make sure that you have Key Type set to 2048-bit RSA - Created by server.

This can be found by logging into the CPPM (if you are using CPPM): ClearPass Onboard > Onboard > Provisioning Settings > General

On our CPPM this Key Type had defaulted to * - created by device, which was okay for all devices except for the iOS devices.

With the Key Type set to * - created by device, when an iOS device attempts to authenticate after being Onboarded it was not sending the device information from the certificate in its request.

Not sure if that is relevant or not but I just thought I would add it.
