Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboarding using Aruba WLC - redirect URL enforcement

  • 1.  Onboarding using Aruba WLC - redirect URL enforcement

    Posted Oct 03, 2013 04:10 AM

    Hello Guys,

     

    We have experience using Cisco WLC with Aruba ClearPass to implement onboarding. For redirection, we normally use an enforcement policy whose profile carries the redirect URL as "RADIUS:Cisco Cisco-AV-Pair url-redirect=http://ipaddress-of-cppm/guest/device_provisioning.php" along with the ACL. Please see the attached image for reference.

     

    How do we implement this redirection from ClearPass to an Aruba WLC 3600? Any screenshots of the ClearPass and WLC config would be helpful.

     

    We want to push this URL and ACL from ClearPass so that the client can install the certs.

     

    Please guide us, as we're beginners with the Aruba WLC.

     

    Thanks,

    Bharani..




  • 2.  RE: Onboarding using Aruba WLC - redirect URL enforcement

    Posted Oct 03, 2013 10:34 AM

    When using an Aruba controller rather than Cisco, you would enforce the redirect in a different way. Rather than pass the URL back as you do with Cisco, you'd pass back an Aruba-User-Role VSA. This would place the user in a role on the controller. Then you'd configure the role with a Captive Portal profile which would contain the redirect. Or, if this is a dedicated SSID for onboarding, you would just make the initial role for the AAA profile one that has a captive portal profile assigned.

     

    Here is an example:

    aaa authentication captive-portal "onboard-cp-profile"
     default-role "you define a post authentication role; but doesn't usually come into play for onboarding"
     server-group "clearpass-server-group"
     redirect-pause 1
     protocol-http
     auth-protocol MSCHAPv2
     login-page "http://ipaddress-of-cppm/guest/device_provisioning.php"

    user-role "onboard-redirect-role"
     captive-portal "onboard-cp-profile"
     access-list session logon-control
     access-list session captiveportal

     

    *make sure you allow http to your ClearPass server in either the logon-control or captiveportal access-lists (before the redirection entries, or you'll end up in a loop)

    *make sure your server group for ClearPass has server rules defined to see and assign the VSA Aruba-User-Role
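    As an added illustration of the ordering caveat in the reply above (not code from the original post or from Aruba), here is a small Python model of first-match session ACL evaluation using a simplified, constructed rule syntax; the ClearPass address 10.10.10.5 and the dst-nat ports are assumptions.

```python
"""Simplified first-match model of an ArubaOS-style session ACL (constructed syntax).
Shows the loop caveat: HTTP to the ClearPass server must be permitted before the
dst-nat redirect entries, or the redirect catches the provisioning request itself."""
import ipaddress

SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443), "svc-dns": ("udp", 53)}
CPPM_IP = "10.10.10.5"  # constructed address for the ClearPass server


def parse_rule(line):
    """'user <any|host X> <service> <action> [port]' -> rule dict."""
    parts = line.split()
    i = 1
    if parts[i] == "any":
        dst, i = None, i + 1
    elif parts[i] == "host":
        dst, i = ipaddress.ip_address(parts[i + 1]), i + 2
    else:
        raise ValueError("unsupported destination in rule: " + line)
    proto, port = SERVICES[parts[i]]
    action = parts[i + 1]
    if action == "dst-nat":  # redirect to the controller's captive portal port
        action = "dst-nat:" + parts[i + 2]
    return {"dst": dst, "proto": proto, "port": port, "action": action}


def evaluate(acl, dst_ip, proto, dport):
    """Return the action of the first rule matching the flow; implicit deny otherwise."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in map(parse_rule, acl):
        dst_ok = rule["dst"] is None or rule["dst"] == dst_ip
        if dst_ok and rule["proto"] == proto and rule["port"] == dport:
            return rule["action"]
    return "deny"


# Correct order: explicit permit to ClearPass precedes the generic redirect.
GOOD_ACL = [
    f"user host {CPPM_IP} svc-http permit",
    f"user host {CPPM_IP} svc-https permit",
    "user any svc-http dst-nat 8080",
    "user any svc-https dst-nat 8081",
]
# Wrong order: the generic redirect swallows the ClearPass traffic -> redirect loop.
BAD_ACL = GOOD_ACL[2:] + GOOD_ACL[:2]


def redirect_loops(acl, cppm_ip=CPPM_IP):
    """True when the client's HTTP request to ClearPass would itself be redirected."""
    return evaluate(acl, cppm_ip, "tcp", 80).startswith("dst-nat")


if __name__ == "__main__":
    print("good order loops:", redirect_loops(GOOD_ACL), "| bad order loops:", redirect_loops(BAD_ACL))
```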

     



  • 3.  RE: Onboarding using Aruba WLC - redirect URL enforcement

    Posted Oct 04, 2013 08:48 AM

    Hello,

     

    Thank you for the instructions. We've configured the Aruba WLC and ClearPass for onboarding. We're able to onboard Android and Windows laptops successfully without any problem.

     

    But iPhones are not able to onboard. The iPhone gets an IP address after connecting to the onboard SSID, ClearPass pushes the "captive portal redirect provisioning role" to it, and I can see this client with the assigned role in the WLC as well.

     

    But still my iPhone is not redirected to the onboard device provisioning page, and it can't even ping the ClearPass server.

     

    What might be causing this issue, or are any Apple-specific configurations needed for redirection?

     

    Thanks,

    Bharani..



  • 4.  RE: Onboarding using Aruba WLC - redirect URL enforcement

    Posted Oct 04, 2013 01:19 PM

    The issue is likely Apple's Captive Portal Assistant causing problems. The resolution is to either allow iOS to talk to certain Apple Internet sites during the provisioning process (which changed as of iOS 7) or add /landing.php/... to the URL of the Captive Portal redirect.

     

    1. Install the iOS Captive Network Assistant patch to ClearPass (you may have to upgrade to see it)

     

    (screenshot attached: cp-ios-cna.png)

     

    2. Add .../landing.php/... to your redirect URL:

     

    http://ipaddress-of-cppm/guest/landing.php/device_provisioning.php



  • 5.  RE: Onboarding using Aruba WLC - redirect URL enforcement

    Posted Oct 04, 2013 10:10 PM

    Hi,

     

    My bad! I'll give it a try tomorrow and let you know. 

     

    Also, I have another concern. We're using Cisco WLC in another environment. We are supposed to whitelist Apple sites during provisioning, right? So we followed the Cisco recommendation below to make this work.

     

    "Create a pre-auth ACL on the WLC that allows the IP addresses that resolve from the "www.appleiphonecell.com" and "captive.apple.com" FQDNs.

     

    IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that."

     

    But my concern is that these IP addresses may change frequently, right? How do I get all the IP addresses associated with these two sites?? :(

     

    If I can get all the IP addresses, it would be helpful for me. Please advise.

     

    Thanks,

    Bharani..



  • 6.  RE: Onboarding using Aruba WLC - redirect URL enforcement

    EMPLOYEE
    Posted Nov 11, 2013 07:35 AM

    Configure the controller to do DNS lookups, and then you can just use the FQDNs instead of IPs in the ACLs.