Contributor II
Posts: 58
Registered: ‎08-19-2013

Switching between 2 SSID in clearpass onboarding

Hello Guys,

 

We've configured clearpass onboard in our network. So, an employee can bring his own mobile, onboard his mobile and use it.

 

But the requirement is we have 2 SSID (say SSID A and SSID B). So, the user connects to 'SSID A', onboard his mobile, install the certificates from clearpass server, and he should be re-directed to the second SSID 'SSID B'.

 

At the end, the user will be connected to 'SSID B'. He should be no longer connected to 'SSID A'

 

How to accomplish this setup? Please advise.

 

Thanks,

Bharani..

 

 

Aruba
Posts: 760
Registered: ‎05-31-2007

Re: Switching between 2 SSID in clearpass onboarding

In the Onboard profile that you are pushing to the employee devices, specify "SSID B" and the relevant security parameters for auth and encryption you would like to use.  

 

At the completion of the onboarding process, the device (with the newly installed profile from CP Onboard) will switch over to SSID-B as its preferred network.

 

So that leaves, what does SSID-A look like? SSID A is typically an open SSID. It has a captive portal that asks for credentials. Those credentials are for people that are 'allowed' to onboard devices (it need not be everyone in your network). CP can check against AD, and if the creds pass, then the onboarding process can be invoked while on SSID-A.

 

JF

Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Switching between 2 SSID in clearpass onboarding

Hey,

 

Thank you for the reply. I get your point. I'll try this by tomorrow morning.

 

BTW, I've heard that iOS smart phones cannot accomplish this kind of switching between SSIDs. And only android, windows phones can do it. Is it so?

 

Thanks,

Bharani..

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Switching between 2 SSID in clearpass onboarding

Hi,

 

In my experience the iOS devices will not automatically switch over to the secure SSID (SSID B).

The users will need to manually change over. As the final step on the Onboard the browser will tell the user that they need to do this.

 

Also keep in mind you will require a commercial certificate to Onboard the iOS devices.

 

Not sure if this is relevant or not. And I am not 100% sure if this necessarily pertains to the ability of the iOS devices to auto connect to the secure SSID after Onboarding. I did however find it interesting and wondered if this partially explains it.

 Allow the device to be automatically reconnected to the provisioned network
Automatic reconnect is only possible if there is a single network configured with ‘Automatically join network’,
and the controller provides both the ‘mac’ and ‘switchip’ parameters to the captive portal.
Reconnect is only supported by iOS 5+ and OS X 10.7+ (Lion or later) devices.

 This comes from ClearPass Onboard > Provisioning Settings > <Your Profile> > iOS & OSX > Under Reconnect

 

Cheers

Aruba
Posts: 760
Registered: ‎05-31-2007

Re: Switching between 2 SSID in clearpass onboarding

Good info.

 

I think the 'auto rejoin/join' network certainly looks to be correlated to what you have below.  Good documentation!

 

iOS 5, those were the days ;-)

 

JF

Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Switching between 2 SSID in clearpass onboarding

Hi guys,

I've configured for automatic reconnect for iOS devices as you've explained.

But could you please elaborate on 'the controller provides both Mac and switch ip parameters to captive portal'? How to accomplish this feature?

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Switching between 2 SSID in clearpass onboarding

For clearpass to issue the reconnect it needs to know the client's IP. In the controller you need to enable the setting add IP to redirect. Your GUI might look a little different, I'm running a beta version in my controller.

 

under 

 

  Security > Authentication > L3 Authentication > Captive Portal

 

 

 

screenshot_02 Sep. 30 23.07.gif

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Switching between 2 SSID in clearpass onboarding

Hi

Sorry to sort of hijack this thread but...

 

@tarnold I noticed in your screen shot under "White List" that you included "GOOGLE-PLAY".

I was just curious what the difference is between putting the rule here and defining it in an "Initial Role" for an Onboard SSID?

 

Is it recommended to define it in this white list?

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Switching between 2 SSID in clearpass onboarding

Bourne,

 

That was just a carry over from a test that I did.

 

You can do it that way, but I'm not a controller expert so I don't know if it's better one way or the other. I will let some of the wireless guys chime in but from the testing I did you can allow it either way.

Thank You,
Troy

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Switching between 2 SSID in clearpass onboarding

@tarnold,

 

Thank you sir.

I will read up on it as well in the documentation. I haven't spent a huge amount of time on the controller and so do not know as much about it.

 

Always lots to learn!

 

Cheers
