Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problems with Onboarding and HPE Unified Wireless Controller

  • 1.  Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 05, 2017 11:00 AM

    Hi.

    I am implementing ClearPass Onboard in a hospital that owns Aruba 205 IAPs and HPE 460 APs. ClearPass Onboard is working fine with the Aruba Instant APs, but I am having problems with the HPE side. They have HPE Unified Wireless Controllers and about 200 APs. The problem is happening during the onboarding process of Android devices.

    I set up some portal free rules to allow users connected to the onboard SSID to download QuickConnect from the Google Play store. I have tried the usual rules shown below, but it's not working.

    portal user-url *.ggpht.com free
    portal user-url android.clients.google.com free
    portal user-url *.play.googleapis.com free
    portal user-url www.googleapis.com free
    portal user-url *.gvt1.com

    portal free-rule 10 source ip any destination ip 192.1.0.40 mask 255.255.255.255
    portal free-rule 11 source ip any destination ip 192.131.0.0 mask 255.255.255.0
    portal free-rule 12 source ip any destination ip 192.2.1.0 mask 255.255.255.0
    portal free-rule 13 source ip 192.131.0.0 mask 255.255.255.0 destination ip 172.217.0.0 mask 255.255.0.0

    where:

    192.1.0.40 is the customer's DNS address
    192.2.1.0 is the CPPM subnet
    192.131.0.0 /24 is the Onboarding subnet
    172.217.0.0 /16 is one of the Google subnets

    I have associated these rules with my interface Vlan 131:

    interface Vlan-interface131
    description Onboard
    ip address 192.131.0.10 255.255.255.0
    portal server CPPM2 method direct
    portal domain cppm
    portal url-param include user-url

    I have also tried the 

    After connecting to the Onboarding SSID it opens the Onboard portal, and after authenticating with AD credentials it prompts for the QuickConnect install but can't download it.

    Just to confirm that the problem was caused by the Unified firewall, I added a portal rule allowing subnet 192.131.0.0 /24 to any, and QuickConnect was downloaded without any problem.

    Does anyone have a successful implementation of ClearPass Onboard with HPE Unified controllers that can be shared with me?

    I am not having problems onboarding Windows devices.

    I am attaching a screenshot showing where the download process stops.

    It is missing some Google Play Store entry that needs to be allowed on the controller.

    Any ideas?

    Thanks.

    Luis Rodrigues

    (HPE/Aruba Partner São Paulo Brazil)
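A quick way to find out which client flows a set of portal free rules actually exempts before opening a case is to evaluate the rules offline against the connections you see in the portal debug. The script below is an added example, not part of the thread or any HPE/Aruba tool: it parses only the two line shapes that appear in the post above (`portal free-rule N source ip A [mask M] destination ip B [mask M]` and `portal user-url PATTERN [free]`), treats `*` in a user-url as a shell-style wildcard (an assumption about the controller's matching), and reports which flows would still be intercepted by the captive portal. The sample flows and the two hostnames not in the post are constructed for the demo.

```python
"""Audit HPE Comware-style portal free rules against observed client flows.

Added example (not from the thread). Parses only the 'portal free-rule' and
'portal user-url' forms shown in the original post; wildcard semantics for
user-url patterns are an assumption, not documented controller behaviour.
"""
import ipaddress
import re
from fnmatch import fnmatchcase

FREE_RULE_RE = re.compile(
    r"^portal free-rule (?P<id>\d+) source ip (?P<src>\S+)(?: mask (?P<smask>\S+))?"
    r" destination ip (?P<dst>\S+)(?: mask (?P<dmask>\S+))?$"
)
USER_URL_RE = re.compile(r"^portal user-url (?P<pat>\S+)(?P<free> free)?$")


def _net(addr, mask):
    """'any' -> None (matches everything); otherwise an IPv4 network from addr + dotted mask."""
    if addr == "any":
        return None
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def parse_portal_config(text):
    """Return free-rules as (id, src_net, dst_net), free user-urls, and user-urls lacking 'free'."""
    cfg = {"free_rules": [], "free_urls": [], "urls_missing_free": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = FREE_RULE_RE.match(line)
        if m:
            cfg["free_rules"].append(
                (int(m["id"]), _net(m["src"], m["smask"]), _net(m["dst"], m["dmask"]))
            )
            continue
        m = USER_URL_RE.match(line)
        if m:
            # A user-url without the trailing 'free' keyword exempts nothing here.
            (cfg["free_urls"] if m["free"] else cfg["urls_missing_free"]).append(m["pat"])
    return cfg


def flow_is_free(cfg, src, dst, host=None):
    """Return (True, reason) if the flow bypasses the portal, else (False, None).

    IP-based free rules are checked first, in configured order; the HTTP Host
    name (if known) is then matched against the 'free' user-url patterns.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rid, snet, dnet in cfg["free_rules"]:
        if (snet is None or s in snet) and (dnet is None or d in dnet):
            return True, f"free-rule {rid}"
    if host:
        for pat in cfg["free_urls"]:
            if fnmatchcase(host.lower(), pat.lower()):
                return True, f"user-url {pat}"
    return False, None


def audit_flows(cfg, flows):
    """flows: iterable of (src, dst, host-or-None). Returns those the portal would intercept."""
    return [f for f in flows if not flow_is_free(cfg, *f)[0]]


# Rule lines copied from the post above (the *.gvt1.com entry has no 'free' keyword there).
SAMPLE_CONFIG = """
portal user-url *.ggpht.com free
portal user-url android.clients.google.com free
portal user-url *.play.googleapis.com free
portal user-url www.googleapis.com free
portal user-url *.gvt1.com
portal free-rule 10 source ip any destination ip 192.1.0.40 mask 255.255.255.255
portal free-rule 11 source ip any destination ip 192.131.0.0 mask 255.255.255.0
portal free-rule 12 source ip any destination ip 192.2.1.0 mask 255.255.255.0
portal free-rule 13 source ip 192.131.0.0 mask 255.255.255.0 destination ip 172.217.0.0 mask 255.255.0.0
"""

# Constructed flows from an onboarding client; destination IPs and the last two
# hostnames are made up for the demo, not taken from a real capture.
SAMPLE_FLOWS = [
    ("192.131.0.55", "192.1.0.40", None),                              # DNS
    ("192.131.0.55", "192.2.1.5", None),                               # CPPM
    ("192.131.0.55", "172.217.5.78", "play.google.com"),               # covered by IP rule 13
    ("192.131.0.55", "142.250.0.1", "android.clients.google.com"),     # covered by user-url
    ("192.131.0.55", "142.250.0.2", "redirector.gvt1.com"),            # user-url lacks 'free'
    ("192.131.0.55", "142.250.0.3", "play-lh.googleusercontent.com"),  # not in any rule
]

if __name__ == "__main__":
    cfg = parse_portal_config(SAMPLE_CONFIG)
    for pat in cfg["urls_missing_free"]:
        print(f"warning: user-url {pat} has no 'free' keyword")
    for src, dst, host in audit_flows(cfg, SAMPLE_FLOWS):
        print(f"intercepted: {src} -> {dst} host={host}")
```

Feed it the free rules from `display current-configuration` and the source/destination/Host triples from the portal debug output; anything listed as intercepted is a candidate for a missing whitelist entry, and the warning line catches rules that were typed without the `free` keyword.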



  • 2.  RE: Problems with Onboarding and HPE Unified Wireless Controller

    EMPLOYEE
    Posted Dec 05, 2017 11:05 AM
    Please be sure you're using the most up to date whitelist entries from Aruba GitHub.

    https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md


  • 3.  RE: Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 05, 2017 02:59 PM

    Tim, I will add the ones that are missing.

    Thanks a lot!!

    Luis



  • 4.  RE: Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 12, 2017 08:52 AM

    Hi Tim, I've added the rules, but I'm still having trouble downloading QuickConnect from Google Play.

    I have debugged the controller portal and checked all the subnets / URLs used to download QuickConnect.

    I added each of them individually and even then I did not succeed.

    In the past, I have had some similar problems with this controller using IMC UAM software because of a bug. I think it's the same problem again.

    We are negotiating with them an update to a newer version; currently they are using the 5.20p41 code and the latest code is 5.20p63!!!

    The way the 20G controller works with the portal firewall is different from Aruba. I can't, at least with the current version, impose a rule to force the portal as we have in Aruba. Depending on the URLs or subnets configured on the free rules, the portal is ignored and the Onboard process does not work.

    I'm going to run new tests with updated code to see if I can fix this.

    If I can, I will share it here with you.

    If anyone else here at Airheads has already solved this, please share with me!!

    Thanks

    Luis