Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
OnBoard authorization service missing Aruba-Mdps-Device-Name

  • 1.  OnBoard authorization service missing Aruba-Mdps-Device-Name

    Posted Apr 03, 2013 10:00 AM

    I'm troubleshooting why iOS devices are not onboarding correctly. Android works and hits the "OnBoard Authorization" service just fine. iOS devices seem to be missing the Aruba-Mdps-Device-Name, therefore the service classification is missed.

     

    Why would we not be getting the mdps-device-name? The test device is iPhone 4 running version 6.1.2 (10B146).



  • 2.  RE: OnBoard authorization service missing Aruba-Mdps-Device-Name
    Best Answer

    Posted Apr 03, 2013 02:46 PM

    Note that for iOS devices you should see TWO entries in Access Tracker during a device provisioning:

     

    1. The first is a pre-auth check - used to verify your credentials on the device provisioning page.  (If you get the password wrong, this is how the page works that out.)
    2. Device provisioning is then performed.  When you accept the provisioning profile, a second request is triggered - this is the actual Onboard Authorization check.
    The two requests can be differentiated by the fact that the first request is only a user request and does not contain any device info (this is why there is no Aruba-Mdps-Device-Name attribute).
     
    The second request has user AND device information and can be used to make more fine grained decisions about provisioning a device ("should user X be allowed to provision device Y").

     

    To solve your issue, you need to define a pre-auth service that will be used for iOS devices.



  • 3.  RE: OnBoard authorization service missing Aruba-Mdps-Device-Name

    Posted Apr 04, 2013 07:12 AM

    We ran into this issue.

    amigodave is 100% correct in his explanation.

     

    We created a separate service just for iOS devices because in the first request you see from the iOS device during Onboarding it does not contain any of the Aruba-Mdps-* information.

     

    For the service we created to catch the iOS device's first request, we used the attribute Aruba-Port-Id because it is included in that initial request sent by the iOS devices. This allowed us to filter the service accurately. The Aruba-Port-Id references the name of the Onboarding page.

     

    Then in the subsequent requests made by the iOS device (I believe there are a total of 3) it contains the Aruba-Mdps-* information and will be filtered into your other Onboard service.

     

    On a side note, make sure that you have Key Type set to 2048-bit RSA - Created by server.

    This can be found by logging into the CPPM (if you are using CPPM): ClearPass Onboard > Onboard > Provisioning Settings > General

     

    On our CPPM this Key Type had defaulted to * - created by device, which was okay for all devices except for the iOS devices.

    With the Key Type set to * - created by device, when an iOS device attempts to authenticate after being Onboarded it was not sending the device information from the certificate in its request.

     

    Not sure if that is relevant or not but I just thought I would add it.
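
To make the two-request behaviour from replies 2 and 3 concrete, here is an added example (not part of the thread and not ClearPass code): a small Python model of first-match service classification, the way ClearPass walks its enabled services top-down and hands a request to the first one whose rules all match, run over constructed attribute sets for the iOS pre-auth request, the iOS provisioning request and an Android provisioning request. Only the attribute names Aruba-Mdps-Device-Name and Aruba-Port-Id come from the thread; the Onboard page name, the operator set, the service names and the remaining attributes in each request are assumptions made for the example.

```python
"""Toy model of ClearPass service classification for Onboard requests.

Added example, not ClearPass code. It reproduces first-match service
selection over constructed RADIUS attribute sets so the failure in the
thread (the iOS pre-auth request carries no Aruba-Mdps-* attributes and
therefore never hits the Onboard Authorization service) can be seen
without a lab.
"""
from typing import Any, Dict, List, Optional, Tuple

Request = Dict[str, str]               # attribute name -> value
Rule = Tuple[str, str, Optional[str]]  # (attribute, operator, value)
Service = Dict[str, Any]

# Assumed name of the Onboard device provisioning page. Reply 3 says
# Aruba-Port-Id carries the page name; the value here is a placeholder.
ONBOARD_PAGE = "device_provisioning"


def rule_matches(req: Request, rule: Rule) -> bool:
    """Evaluate one service rule (operator set is an assumption)."""
    attr, op, value = rule
    present = attr in req
    if op == "EXISTS":
        return present
    if op == "NOT_EXISTS":
        return not present
    if op == "EQUALS":
        return present and req[attr] == value
    if op == "BEGINS_WITH":
        return present and value is not None and req[attr].startswith(value)
    raise ValueError(f"unknown operator {op!r}")


def classify(req: Request, services: List[Service]) -> Optional[str]:
    """First-match service selection. None means no service matched,
    which is what the original poster saw for the iOS pre-auth request."""
    for svc in services:
        if all(rule_matches(req, r) for r in svc["rules"]):
            return svc["name"]
    return None


# Service list as described in the question: only an Onboard Authorization
# service, keyed on the device attribute.
SERVICES_BEFORE: List[Service] = [
    {"name": "OnBoard Authorization",
     "rules": [("Aruba-Mdps-Device-Name", "EXISTS", None)]},
]

# Service list after the fix from replies 2 and 3: a pre-auth service for
# the credential-only request, matched on Aruba-Port-Id plus the absence of
# the device attribute. Because of the NOT_EXISTS rule the provisioning
# request still reaches OnBoard Authorization whatever the ordering.
SERVICES_AFTER: List[Service] = [
    {"name": "OnBoard Pre-Auth (iOS)",
     "rules": [("Aruba-Port-Id", "EQUALS", ONBOARD_PAGE),
               ("Aruba-Mdps-Device-Name", "NOT_EXISTS", None)]},
] + SERVICES_BEFORE

# Constructed attribute sets, reduced to the attributes the thread discusses.
IOS_PREAUTH: Request = {
    "User-Name": "jdoe",
    "Aruba-Port-Id": ONBOARD_PAGE,
}
IOS_PROVISION: Request = {
    "User-Name": "jdoe",
    "Aruba-Port-Id": ONBOARD_PAGE,
    "Aruba-Mdps-Device-Name": "jdoe-iphone",
}
ANDROID_PROVISION: Request = {
    "User-Name": "jdoe",
    "Aruba-Mdps-Device-Name": "jdoe-android",
}


def walk(services: List[Service]) -> Dict[str, Optional[str]]:
    """Classify each constructed request and report the service it hits."""
    return {
        name: classify(req, services)
        for name, req in [("ios_preauth", IOS_PREAUTH),
                          ("ios_provision", IOS_PROVISION),
                          ("android_provision", ANDROID_PROVISION)]
    }


if __name__ == "__main__":
    for label, services in [("before fix", SERVICES_BEFORE),
                            ("after fix", SERVICES_AFTER)]:
        print(label)
        for req_name, svc in walk(services).items():
            print(f"  {req_name:18} -> {svc or 'no service matched'}")
```

Running it shows the iOS pre-auth request matching nothing before the fix and landing in the pre-auth service afterwards, while both provisioning requests keep hitting OnBoard Authorization. When debugging a real deployment, compare the attribute list of the two Access Tracker entries the same way: the entry lacking every Aruba-Mdps-* attribute is the pre-auth check and needs its own service.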