Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnBoard using IOS weirdness

  • 1.  OnBoard using IOS weirdness

    Posted Sep 12, 2014 07:32 AM

    Hello!

     

    Clearpass 6.4

    Aruba Controller 3200 - 6.1.3.4-AirGroup

     

    iPad 2 - IOS 7.0.2

     

    Scenario: OnBoarding using 2 SSID - one Open Guest, one closed EAP-TLS

    OnBoarders can be either self-registered guests or AD users.

     

    To the issues

    1. Unable to auto-switch to EAP-TLS network after provisioning.

    I'm unable to get the auto-switch to the closed network to work. The correct switchip and mac are in the redirect URL. I've tried removing ALL other networks on the iPad, and changing the onboard settings to a manual click to switch.

    No luck! Neither at Customer site nor in my lab.

     

    Should this be working? And if so - what the heck are you running and what kind of config makes this possible?

     

    2. Safari hangs during provisioning-login

    Customer complains that Safari just hangs and does not do anything when their AD users input their AD credentials in the onboard provisioning page using their iPad. I can replicate it, so it happens a lot. I can even type in the wrong password and nothing further happens. If I try to trigger a new redirect while Safari is "busy" - I just get a page can't be located error message.

    Note that in this scenario there are NO messages in the Access Tracker that I'm even trying to log in. So it seems that Safari just halts any traffic.

     

    I then kill Safari, re-open and trigger a new redirect. This time login is successful and I run through the provisioning process without any problem.

     

     

    Does this sound familiar to anyone? **bleep** annoying ... Especially since I can't use any other browser than Safari to actually do the provisioning.



  • 2.  RE: OnBoard using IOS weirdness

    EMPLOYEE
    Posted Sep 12, 2014 10:48 AM

    That is a limitation with IOS. It will not auto switch to a separate SSID. The only way to do what you are trying to accomplish is to use PEAP and TLS on the secure SSID.

     

    1. user connects with PEAP and gets onboarding role

    2. Onboards

    3. Controller sends COA

    4. Device will reconnect with TLS after the bounce

     

    https://ase.arubanetworks.com/solutions/id/34

     

     



  • 3.  RE: OnBoard using IOS weirdness

    Posted Nov 26, 2014 06:27 AM

    Not sure if this is just coincidence, but I've tried this several times with various IOS devices now and there is a discrepancy in how this works.

     

    I've now removed the "automatic" switching to secure-SSID so there is instead a "Connect" button on the provision page.

     

    iPhone 6 with IOS 8.1.1 - is switched from open-SSID to secure-SSID using the Connect button.

    iPad Retina with IOS 8.1.1 - is NOT switched from open-SSID to secure-SSID using the Connect button.

    iPhone 5s with IOS 8.1.1 - is NOT switched from open-SSID to secure-SSID using the Connect button.

    iPad 2 with IOS 8.1 - is NOT switched from open-SSID to secure-SSID using the Connect button.

     

    Now - I'm also having trouble getting the profiles on the iPad2 after installing IOS 8.1.1. Just says "unable to install profiles. the iPad is not activated"

     

    It's above average frustrating to work with these clients...