Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Onboard : iOS Device Provisioning Failures

This thread has been viewed 6 times

  • 1.  Onboard : iOS Device Provisioning Failures

    Posted Feb 19, 2014 10:40 AM

    Hi,

     

    I doing a Clearpass POC for a end customer, he want to see the device enrollment fonctionnality for their IPad.
    I have a error for to enroll my IPad by the onboard, when i want download the profile for connect my IPad on the corp network, the Device Enrollment is not accept by the IPad.
    At the end of "onboard deploy guide" i found workaround (see below), but it's not clear for me.

    Could you explain exactly me what i must to do for step by step ?

     

    "Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate.


    Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate
    authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.
    A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the
    web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is
    not recommended for production deployments as it increases the complexity of deployment for users with iOS devices."

     

    Thanks

     

    Yann



  • 2.  RE: Onboard : iOS Device Provisioning Failures
    Best Answer

    EMPLOYEE
    Posted Feb 19, 2014 11:19 PM

    I you have a test environment and want to use Apple IOS device you must install the Root certificates on the mobile device before you try to onboard.

     

    I would recomend that you work with your local SE, but here are the main items

     

    1. You can disable both https on the controller and CPPM Guest side Home » Configuration » Authentication uncheck use https for Guest

     

    2. Or you can take the certificate that is on the CPPM side. Administration » Certificates » Server Certificate  

     

    3. Either use Itunes and put the cert on the device or you can just email the cert to your device and install it by

     

     

       A. opening the email.

       B. tap on the attachment and click install



  • 3.  RE: Onboard : iOS Device Provisioning Failures

    Posted Mar 24, 2014 01:35 PM

    Hi Tarnold,

     

    I try your two solution but it doesn't work ...

     

    1. You can disable both https on the controller and CPPM Guest side Home » Configuration » Authentication uncheck use https for Guest

     

    I have disable the https both the CPPM et on my IAP, now the connexion is initialise in http, but it continue to verifying the device inscription before download the connexion profil and after when I click on "installer" and type my code, I get this error message :  profile installation failure - profil not valid.

     

    2. 

    2. Or you can take the certificate that is on the CPPM side. Administration » Certificates » Server Certificate  

     

    In my Clearpass is initial configuration (it's the root certifcate), I take the https and radius certificate.

     

    3. Either use Itunes and put the cert on the device or you can just email the cert to your device and install it by

     

       A. opening the email.

       B. tap on the attachment and click install

     

    I send the cetificate by an email and i install this certificate by clicking on install, but it has not changed...

     

    Have you an idea ?

     

    Regards



  • 4.  RE: Onboard : iOS Device Provisioning Failures

    Posted Feb 26, 2014 07:22 AM

     

    In addition to what tarnold said in point 1 - on IOS make sure you use Safari when trying to enroll. Using Chrome it doesn't work at all.

     

    I don't see a reason to use a public certificate for onboarding. The onboarding process tells you to first install the trusted root CA certificate. First do that - then onboard - works like a charm.



  • 5.  RE: Onboard : iOS Device Provisioning Failures

    Posted Mar 24, 2014 01:41 PM

    Hi jsold,

     

    for your information I use only Safari on the Ipad ...

     

    I would try to show to my customer how work the Onboard with IPad, it's not the final instal, the best that I can get a trusted root in trial version for free.

     

    Regards

     

    Yann



  • 6.  RE: Onboard : iOS Device Provisioning Failures

    Posted Aug 03, 2017 01:59 AM

    Hi,

     

    I have been experiencing problems provisioning iOS devices with iOS versio 10.3.3. This is the latest version so far. I keep getting the error message as shown in the attached screenshot. Previous iOS version (10.2.1) didn't give this issue. Please help me on this.

     

    IMG_0001.PNG



  • 7.  RE: Onboard : iOS Device Provisioning Failures

    Posted Aug 03, 2017 02:11 AM
    Your certificate needs to have a resolvable hostname.


  • 8.  RE: Onboard : iOS Device Provisioning Failures

    Posted Aug 03, 2017 03:51 AM

    Hi John,

     

    Thanks for replying. I'm actually new to the Aruba interface. Would appreciate if you could guide me regarding this.



  • 9.  RE: Onboard : iOS Device Provisioning Failures

    Posted Aug 03, 2017 04:27 AM
    Ok, but I'm on vacation typing this from my phone so it will be short. I'm sure there are others who can point you to the bigger guides for this. Try looking for "aruba certificate 1on1".

    First make sure you have a dns entry for your clearpass that is resolvable on from the dns server assigned to your onboard clients.
    Then create a https certificate that corresponds with this name. If you do this for internal use make sure to rename the fqdn on the clearpass and you could do a self-signed cert from clearpass gui..