04-03-2013 07:00 AM
I'm troubleshooting why iOS device are not onboarding correctly. Android works and hits the "OnBoard Authorization" service just fine. iOS devices seems to be missing the Aruba-Mdps-Device-Name, therefore the service classification is missed.
Why would we not be getting the mdps-device-name? The test device is iPhone 4 running version 6.1.2 (10B146).
Solved! Go to Solution.
04-03-2013 11:45 AM
Note that for iOS devices you should see TWO entries in Access Tracker during a device provisioning:
- The first is a pre-auth check - used to verify your credentials on the device provisioning page. (If you get the password wrong, this is how the page works that out.)
- Device provisioning is then performed. When you accept the provisioning profile, a second request is triggered - this is the actual Onboard Authorization check.
To solve your issue, you need to define a pre-auth service that will be used for iOS devices.
04-04-2013 04:12 AM
We ran into this issue.
amigodave is 100% correct in his explanation
We created a separate service just for iOS devices because in the first request you see from the iOS device during Onboarding it does not contain any of the Aruba-Mdps-* information.
The service we created to catch iOS's first request we used the attribute Aruba-Port-Id because it is included in all that inital request sent by the iOS devices. This allowed us to filter the service accurately. The Aruba-Port-Id references the name of the Onboarding page.
Then in the subsequent requests made by the iOS device (I believe there are a total of 3) it contains the Aruba-Mdps-* information and will be filtered into your other Onboard service.
On a side note, make sure that you have Key Type set to 2048-bit RSA - Created by server
This can be found by loging into the CPPM (If you are using CPPM) ClearPass Onboard > Onboard > Provisioning Settings > General
On our CPPM this Key Type had defaulted to * - created by device which was okay for all devices except for the iOS devices.
With the Key Type set to *- created by device when an iOS device attempts to authenticate after being Onboarding it was not sending the device information from the certificate in it's request.
Not sure if that is relevant or not but I just thought I would add it.