Security

Hello Guys,

 

We've configured clearpass onboard in our network. So, an employee can bring his own mobile, onboard his mobile and use it.

 

But the requirement is we have 2 SSID (say SSID A and SSID B). So, the user connects to 'SSID A', onboard his mobile, install the certifiicates from clearpass server, and he should be re-directed to the second SSID 'SSID B'.

 

At the end, the user will be connected to 'SSID B'. He should be no longer connected to 'SSID A'

 

How to accomplish this setup? Please advise.

 

Thanks,

Bharani..

 

 

In the Onboard profile that you are pushing to the employee devices, specify "SSID B" and the relevant security parameters for auth and encryption you would like to use.  

 

At the completion of the onboarding process, the device (with the newly installed profile from CP Onboard) will switch over to SSID-B as it's prefered network.

 

So that leaves, what does SSID-A look like?   SSID A is a typically an open SSID.   It has a captive portal that asks for credentials.  Those credentials are for people that are 'allowed' to onboard devices (it need not be everyone in your network).   CP can check against AD, and if the creds pass, then the onboarding process can be invoked while on SSID-A. 

 

JF

Hey,

 

Thank you for the reply. I get your point. I'll try this by tomorrow morning.

 

BTW, I've heard that iOS smart phones cannot accomplish this kind of switching between SSIDs. And only android, windows phones can do it. Is it so?

 

Thanks,

Bharani..

Hi,

 

In my experience the iOS devices will not automatically switch over to the secure SSID (SSID B).

The users will need to manually change over. As the final step on the Onboard the browser will tell the user that they need to do this.

 

Also keep in mind you will require a commercial certificate to Onboard the iOS devices.

 

Not sure if this is relevant or not. And I am not 100% if this necessarily pertains to the ability of the iOS devices to auto connect to the secure SSID after Onboarding. I did however find it interesting and wondered if this partially explains it.

 Allow the device to be automatically reconnected to the provisioned network
Automatic reconnect is only possible if there is a single network configured with ‘Automatically join network’,
and the controller provides both the ‘mac’ and ‘switchip’ parameters to the captive portal.
Reconnect is only supported by iOS 5+ and OS X 10.7+ (Lion or later) devices.

 This comes from ClearPass Onboard > Provisioning Settings > <Your Profile> > iOS & OSX > Under Reconnect

 

Cheers

Good info.

 

I think the 'auto rejoin/join' network certainly looks to be correlated to what you have below.  Good documentation!

 

iOS 5, those were the days ;-)

 

JF

Hi guys,

I've configured for automatic reconnect for iOS devices as you've explained.

But could you please elaborate on 'the controller provides both Mac and switch ip parameters to captive portal'.. ? How to accomplish this feature?

For clearpass to issue the reconnect it needs to know the clients IP. In the controller you need to enable the setting add IP to redirect. Your gui might look a little different, Im running a beta version in my controller.

 

under 

 

  Security > Authentication > L3 Authentication>Captive Portal

 

 

 

Hi

sorry to sort of high-jack this thread but...

 

@tarnold I noticed in your screen shot under "White List" that you included "GOOGLE-PLAY".

I was just curious what the difference between putting the rule here and defining it in an "Initial Role" for an Onboard SSID?

 

Is it recommended to define it in this white list?

Bourne,

 

That was just a carry over from a test that I did.

 

You can do it that way, but Im not a controller expert so I dont know if its better one way or the other. I will let some of the wireless guys chime in but from the testing I did you can allow it either way.

@tarnold,

 

Thank you sir.

I will read up on it as well in the documentation. I haven't spent a huge amount of time on the controller and so do not know as much about it.

 

Always lots to learn!

 

Cheers

Hello Troy,

 

As you've mentioned, we're using Aruba controllers and clearpass to onboard iOS, Android smart phones. Onboarding is successful.

 

But can't able to switch from one SSID to other SSID automatically in android & windows after onboarding. 

 

We've enabled "Add switch IP address in the redirection URL" in WLC as well.  

 

We've provided the information about 2nd SSID to clearpass in our network settings. Please see the attacehd image.

 

But I can see the 2nd ssid getting pushed (provisioned) to the device after onboarding. But automatic reconnection is not taking place.

 

Could you please point out where I'm getting it wrong?

 

Regards,

Bharani..

Check the applicaton log in CPGuest and see if there are any errors when the client is done onboarding.

 

 

Also you can enable debuging on the onboarding to see if the server is missing information the client to send a dis/reconnect