Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard, Clearpass, One SSID Configuration Guide

  • 1.  Onboard, Clearpass, One SSID Configuration Guide

    Posted Mar 13, 2017 06:49 PM

    Hi, I'm needing to do the following and was wondering if there is a configuration guide out there that may help provide a step-by-step (I know there are many variables, but an overall view would be nice):

    * Create One SSID that allows corporate users to go to one VLAN, and BYOD devices to go to another.

    * The BYOD devices would go to the onboard portal and be provisioned. Once they are, they will be allowed on the specified VLAN with only Internet connection.

    There are 3 major pieces (Controller, ClearPass, and Onboard) that need to be configured. I have the major pieces here and there configured (somehow), but need a step-by-step/configuration guide to help me piece it together. Any help would be great. Sorry if this is a vague description. I can provide more info if needed. Thanks!



  • 2.  RE: Onboard, Clearpass, One SSID Configuration Guide

    EMPLOYEE
    Posted Mar 13, 2017 06:52 PM
    We're working on one for the second half of this year.

    Do you have any specific questions about what you have so far?

    Also, for security reasons, you may want to do the Onboard provisioning portion on your guest network. The user will then connect to your 802.1X SSID after provisioning.


  • 3.  RE: Onboard, Clearpass, One SSID Configuration Guide

    Posted Mar 13, 2017 07:14 PM

    Thanks Tim for the quick reply!

    This was the only complete guide I could come by, but doesn't appear to be working (the Onboard template creates 3 services for example):

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/SIngle-SSID-Onboard-using-Aruba-Controller/ta-p/192371

    Anyway, I think I'm not fully understanding the services needed and how the controller is pointing to CPPM for authentication. Because I know so little about Aruba/Controller/CPPM/Onboard/WiFi in general, it probably will be something I need to mess around with until I see how things work.

    As for the multiple SSIDs, is it very difficult to do it off the one? I ask as I'm being told to do it off of one as the previous engineer set up several other SSIDs and they don't want another.

    Currently, we have a "Corp" SSID. They want Onboarding to happen off this. Regular Corp devices will connect to the same SSID and be on one VLAN. And BYOD devices will get onboarded and placed on a separate VLAN on the same SSID. If it is impossible or too difficult, I'll go back and tell them that it's not feasible to do this.

    Thanks again Tim for your help!



  • 4.  RE: Onboard, Clearpass, One SSID Configuration Guide
    Best Answer

    EMPLOYEE
    Posted Mar 13, 2017 07:40 PM

    You can most definitely do single SSID onboarding, just be sure to take a look at the potential man-in-the-middle risk with using PEAPv0/EAP-MSCHAPv2 on an unconfigured device. The more secure route is to use dual SSID onboard, but you don't necessarily have to set up an additional SSID. Most environments have a guest network and you can just use that.

    Can you describe what's not working after using the template? For single-SSID onboarding, the flow is essentially:

    - User connects via username/password

    - ClearPass detects this by looking at the OuterMethod and seeing that it is not EAP-TLS, and returns an Onboard enrollment role to the controller, which is essentially a user-role that redirects traffic to ClearPass with a captive portal profile.

    - After the user completes the Onboard process, they disconnect and reconnect and they're now in their final role.

    (That's a very high level, generalized explanation of it.)



  • 5.  RE: Onboard, Clearpass, One SSID Configuration Guide

    Posted Mar 13, 2017 08:21 PM
    Awesome information! Thanks!

    So on our Guest SSID we currently have a captive portal. Would it have to be set up so that all users go to the same welcome page and then splinter off to the various pages for guest access and onboarding? Or would we be able to have all users hit different landing pages depending on what access they are trying to gain?

    I think authentication was failing on the first service profile. I'm trying to authenticate users via AD. Have it set up so that authentication source is one of our AD servers. Anyway, I'm not at the configs right now, but once I go over your overview after being at the configs, I'll have a better understanding of the flow. Thanks again!


  • 6.  RE: Onboard, Clearpass, One SSID Configuration Guide

    Posted Mar 14, 2017 07:11 AM

    Tim, so you're saying that the official Aruba recommended deployment for Onboard is two SSID setup due to this security issue? Can you point to more data about this? I've just gotten Aruba auto sign-on to work for single-SSID onboarding and was about to change several installations for this to work...



  • 7.  RE: Onboard, Clearpass, One SSID Configuration Guide

    EMPLOYEE
    Posted Mar 14, 2017 07:53 AM
    We support both. You should evaluate the potential security concerns with using legacy EAP methods like PEAPv0 and EAP-TTLS before using them.