Security

Reply
Frequent Contributor I
Posts: 83
Registered: ‎09-29-2011

Onboard : iOS Device Provisioning Failures

Hi,

 

I doing a Clearpass POC for a end customer, he want to see the device enrollment fonctionnality for their IPad.
I have a error for to enroll my IPad by the onboard, when i want download the profile for connect my IPad on the corp network, the Device Enrollment is not accept by the IPad.
At the end of "onboard deploy guide" i found workaround (see below), but it's not clear for me.

Could you explain exactly me what i must to do for step by step ?

 

"Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate.


Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate
authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the
web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is
not recommended for production deployments as it increases the complexity of deployment for users with iOS devices."

 

Thanks

 

Yann

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Onboard : iOS Device Provisioning Failures

[ Edited ]

I you have a test environment and want to use Apple IOS device you must install the Root certificates on the mobile device before you try to onboard.

 

I would recomend that you work with your local SE, but here are the main items

 

1. You can disable both https on the controller and CPPM Guest side Home » Configuration » Authentication uncheck use https for Guest

 

2. Or you can take the certificate that is on the CPPM side. Administration » Certificates » Server Certificate  

 

3. Either use Itunes and put the cert on the device or you can just email the cert to your device and install it by

 

 

   A. opening the email.

   B. tap on the attachment and click install

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 470
Registered: ‎05-11-2011

Re: Onboard : iOS Device Provisioning Failures

 

In addition to what tarnold said in point 1 - on IOS make sure you use Safari when trying to enroll. Using Chrome it doesn't work at all.

 

I don't see a reason to use a public certificate for onboarding. The onboarding process tells you to first install the trusted root CA certificate. First do that - then onboard - works like a charm.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Frequent Contributor I
Posts: 83
Registered: ‎09-29-2011

Re: Onboard : iOS Device Provisioning Failures

Hi Tarnold,

 

I try your two solution but it doesn't work ...

 

1. You can disable both https on the controller and CPPM Guest side Home » Configuration » Authentication uncheck use https for Guest

 

I have disable the https both the CPPM et on my IAP, now the connexion is initialise in http, but it continue to verifying the device inscription before download the connexion profil and after when I click on "installer" and type my code, I get this error message :  profile installation failure - profil not valid.

 

2. 

2. Or you can take the certificate that is on the CPPM side. Administration » Certificates » Server Certificate  

 

In my Clearpass is initial configuration (it's the root certifcate), I take the https and radius certificate.

 

3. Either use Itunes and put the cert on the device or you can just email the cert to your device and install it by

 

   A. opening the email.

   B. tap on the attachment and click install

 

I send the cetificate by an email and i install this certificate by clicking on install, but it has not changed...

 

Have you an idea ?

 

Regards

Frequent Contributor I
Posts: 83
Registered: ‎09-29-2011

Re: Onboard : iOS Device Provisioning Failures

Hi jsold,

 

for your information I use only Safari on the Ipad ...

 

I would try to show to my customer how work the Onboard with IPad, it's not the final instal, the best that I can get a trusted root in trial version for free.

 

Regards

 

Yann

Search Airheads
Showing results for 
Search instead for 
Did you mean: