Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard Android - Unable to Resolve Hostname

  • 1.  Onboard Android - Unable to Resolve Hostname

    Posted Jan 15, 2014 12:44 PM

    I'm testing the onboard process for Androids and running into a DNS error.  When attempting to load the profile, QuickConnect says "There was an error in configuring your device.  Cannot download Device credentials from Onboard server: Unable to resolve host..."  I verified with a network app on my Android that CPPM's host name is not resolvable.  This isn't an issue for things like Guest captive portal because I used a different FQDN in my captive portal that resolves to the CPPM IP.  As far as I can tell, QuickConnect is attempting to connect to the CPPM Hostname configured under Policy Manager > Administration > Server Manager > Server Configuration, which like I said is different from the FQDN I use for guest.  The hostname configured here isn't an FQDN, which I believe is part of the problem.

     

    I just wanted to confirm this before I append the domain name.  Also, any chance I'll screw up anything if I change the hostname on the fly?  Will it affect devices that have already been onboarded?  This CPPM server is the publisher.



  • 2.  RE: Onboard Android - Unable to Resolve Hostname

    EMPLOYEE
    Posted Jan 15, 2014 03:57 PM
    Do you have the landing.php in the redirect? If so, try it without.


  • 3.  RE: Onboard Android - Unable to Resolve Hostname

    Posted Jan 15, 2014 04:54 PM

    Sorry, I just want to make sure it's understood that the issue is with QuickConnect "Install Network Profile" step - not captive portal.

     

    QuickConnect is attempting to connect to the CPPM Hostname (which isn't fully qualified) rather than the DNS alias I set up (the alias is used in the captive portal redirect instead of the CPPM Hostname). The client can't resolve the CPPM Hostname because we don't pass a default domain scope option for the client to append to non-fully qualified name lookups.  So the client attempts to go to "CPPM-server" instead of "CPPM-server.domain.com", which fails.  The QuickConnect error message states "No address associated with hostname" so I'm pretty sure fully qualifying the Hostname of the CPPM server will resolve the issue.

     

    Sorry - long-winded explanation to basically ask "can I change the CPPM hostname without causing any issues"?



  • 4.  RE: Onboard Android - Unable to Resolve Hostname
    Best Answer

    Posted Jan 20, 2014 09:30 AM

    Resolved my issue and learned two things in the process:

     

    1. It is possible to tell the Android Onboarding client which address to use for onboarding.
      Go to: Onboard + Workspace > Deployment and Provisioning > Provisioning Settings
      Edit your provisioning settings.
      Click the Onboard Client button.
      Click the Provisioning Address drop-down to modify the URL that the client uses.

    2. You can change the hostname of the CPPM server, but you need to be aware of the following:
      A) You'll have to rejoin the CPPM server to your domain(s).

      B) If CP is your onboarding CA, your OCSP URL will change and any onboarded devices will fail to authenticate if you do an OCSP check for EAP-TLS.  To fix this, you could create a new authentication method and override the OCSP URL, stop validating OCSP, or re-onboard your devices.
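
Added example (not part of the thread and not Aruba's own tooling): a shell check, using the OpenSSL CLI, that reads the OCSP responder URL embedded in each exported client certificate and flags the ones that do not name the server's new hostname, which are the devices point 2B says will fail an OCSP check. The host names are the ones used in the thread; `make_sample_cert` is a hypothetical helper that builds a constructed test certificate, and any URL path passed to it is a placeholder, not ClearPass's real OCSP path.

```shell
#!/bin/sh
# Added example: flag certificates whose embedded OCSP responder URL does not
# point at the expected server name (for instance after a hostname change).

# Print the OCSP responder URL(s) stored in a PEM certificate's AIA extension.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce a URL or bare name to its lower-cased host: drop scheme, path, port.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[^:]*://||' -e 's|[/:].*$||' | tr '[:upper:]' '[:lower:]'
}

# check_ocsp_host CERT EXPECTED_HOST
# Returns 0 if every OCSP URL names EXPECTED_HOST, 1 on a mismatch,
# 2 if the certificate cannot be read or carries no OCSP URL.
check_ocsp_host() {
    coh_uris=$(ocsp_uri "$1" 2>/dev/null) || return 2
    [ -n "$coh_uris" ] || { echo "NO-OCSP  $1"; return 2; }
    coh_want=$(url_host "$2")
    coh_status=0
    while IFS= read -r coh_uri; do
        if [ "$(url_host "$coh_uri")" = "$coh_want" ]; then
            echo "OK       $1 -> $coh_uri"
        else
            echo "MISMATCH $1 -> $coh_uri (expected host $2)"
            coh_status=1
        fi
    done <<EOF
$coh_uris
EOF
    return "$coh_status"
}

# Constructed sample input: a throwaway self-signed certificate whose AIA
# extension carries the OCSP URL given as $2 (assumes OpenSSL 1.1.1 or later).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-device" \
        -keyout "$1.key" -out "$1" \
        -addext "authorityInfoAccess = OCSP;URI:$2" 2>/dev/null
}

# Usage: sh check_ocsp.sh EXPECTED_HOST cert1.pem [cert2.pem ...]
if [ "$#" -ge 2 ]; then
    want=$1; shift; rc=0
    for cert in "$@"; do check_ocsp_host "$cert" "$want" || rc=1; done
    exit "$rc"
fi
```

Certificates reported as `MISMATCH` are the ones that would need the OCSP URL override on the authentication method or a re-onboard.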