Security

                               ONBOARD USING DUAL SSID

Overview: 

This topic is about Device onboard using two SSID. In this scenario I’ll use two SSID. At first user device will connect to one SSID, which is open network, after that user will redirect to CPPM’s captive portal page. When user complete the captive portal authentication, onboard will start to working. It will configure the user device and after completion user will automatically switch to 2nd SSID.

SSID used here

1. BYOD-A [Open network ]
2. BYOD-B [Secured with WPA2-AES]

Flowchart:

 

 

• Log in to the CPPM and go to Home » Onboard + Workspace » Onboard/MDM Configuration » Network Settings

Put the name of the 2nd ssid & select ‘automatically join network’ 

 

 

• Now go to next tab and configure as per your requirement.

 

 

• Open the windows tab

 

1. Follow this path Home » Onboard + Workspace » Deployment and Provisioning » Provisioning Settings

Careful about page name, because this name will be your captive portal log in page.

In here it is device provisioning, so the redirection page is 

 

 

 

• Go to Home » Onboard + Workspace » Deployment and Provisioning » Configuration Profiles and choose you Provisioning profile. 

 

 

• Open Configuration » Enforcement » Profiles »   Here I’ll configure one enforcement profile.

 

 

• Now go to Configuration » Enforcement » Policies » to configure an enforcement policy & configure two authentication method, PAP & EAP-TLS.

 

 

 

• Switch to Configuration » Identity » Local Users and assign the same role as assign in policy.

 

 

• Open Configuration » Services »  and configure a service 

• Here I added two SSID in service , so that the 2nd service is not required.
• Check the configuration of rest of the service

 

 

 

• Here I’m using only two authentication method because 1st time due to captive portal user will use PAP, & in meantime when using quickconnect app it’ll complete another authentication using PAP, after that it will use EAP-TLS to complete onboarding.

 

 

 

• Now log in to controller to configure WLAN profile. 

 

 

 

 

 

 

                                                                  OUTPUT

 

At first I’ll connect to BYOD-A [open network]. You can see here my credential is correct so it gives me the quickconnect download link.

 

 

Here it’s showing me warning that, you may attempt to connect to the secure network BYOD-B, that’s what I want.

 

 

 

 

NOTE:  This tutorial may have some flaws.

              There are probably alternative or better ways of achieving this.

 

 

                           THANK YOU

How would you do this using Instant? I followed all the steps for CPPM and created 2 SSID on my IAP. I'm struggling with the roles I need to assign on the IAP for the different SSID.

 

Is it correct to assume my guest SSID has a pre-auth role of guest_logon and default role of guest and my secure SSID just has an authenticated role?

This solution is with a single SSID but should give an idea of what you need to do
https://ase.arubanetworks.com/solutions/id/35

Steps:

* When the user connects to the Guest SSID it will redirected to the Guest Captive portal page (Pre-Auth role)
* You will need to place a link in the Guest Captive Portal page for users to reach the onboarding page
* The user will go through the onboarding process (Will be using the onboarding services)
* once completed the user will have configured the EAP-TLS SSID and should hit the 802.1x service and during this process you can return a user-role back to the VC
*

If you’re using your guest SSID for Onboarding as well, the only change you’ll have to make is to add the URLs for the Google Play store for Android onboarding.