Security

Reply
Regular Contributor II

[Tutorial] ONBOARD USING DUAL SSID

                               ONBOARD USING DUAL SSID

Overview

This topic is about Device onboard using two SSID. In this scenario I’ll use two SSID. At first user device will connect to one SSID, which is open network, after that user will redirect to CPPM’s captive portal page. When user complete the captive portal authentication, onboard will start to working. It will configure the user device and after completion user will automatically switch to 2nd SSID.

SSID used here

  1. BYOD-A [Open network ]
  2. BYOD-B [Secured with WPA2-AES]

Flowchart:

Picture1.jpg

 

 

  • Log in to the CPPM and go to Home » Onboard + Workspace » Onboard/MDM Configuration » Network Settings

Put the name of the 2nd ssid & select ‘automatically join network’ 

 

Picture2.jpg

 

  • Now go to next tab and configure as per your requirement.

Picture3.jpg

 

 

  • Open the windows tab

Picture4.jpg

 

  1. Follow this path Home » Onboard + Workspace » Deployment and Provisioning » Provisioning Settings

Careful about page name, because this name will be your captive portal log in page.

In here it is device provisioning, so the redirection page is 

 Picture5.jpg

 

 

  • Go to Home » Onboard + Workspace » Deployment and Provisioning » Configuration Profiles and choose you Provisioning profile. 

 Picture6.jpg

 

  • Open Configuration » Enforcement » Profiles »   Here I’ll configure one enforcement profile.

Picture7.jpg

 

 

  • Now go to Configuration » Enforcement » Policies » to configure an enforcement policy & configure two authentication method, PAP & EAP-TLS.

Picture8.jpg

 

 

 

  • Switch to Configuration » Identity » Local Users and assign the same role as assign in policy.

Picture9.jpg

 

 

  • Open Configuration » Services »  and configure a service 
  • Here I added two SSID in service , so that the 2nd service is not required.
  • Check the configuration of rest of the service

Picture10.jpg

 

 Picture11.jpg

 

  • Here I’m using only two authentication method because 1st time due to captive portal user will use PAP, & in meantime when using quickconnect app it’ll complete another authentication using PAP, after that it will use EAP-TLS to complete onboarding.

Picture12.jpg

 

 

Picture13.jpg

 

  • Now log in to controller to configure WLAN profile. 

Picture14.jpg

 

 

Picture15.jpg

 

 

Picture16.jpg

 

 

                                                                  OUTPUT

 

At first I’ll connect to BYOD-A [open network]. You can see here my credential is correct so it gives me the quickconnect download link.

 

Picture17.jpg

 

Here it’s showing me warning that, you may attempt to connect to the secure network BYOD-B, that’s what I want.

 

Picture18.jpg

 

Picture19.jpg

 

 

NOTE:  This tutorial may have some flaws.

              There are probably alternative or better ways of achieving this.

 

 

                           THANK YOU

Frequent Contributor I

Re: [Tutorial] ONBOARD USING DUAL SSID

 
Contributor II

Re: [Tutorial] ONBOARD USING DUAL SSID

How would you do this using Instant? I followed all the steps for CPPM and created 2 SSID on my IAP. I'm struggling with the roles I need to assign on the IAP for the different SSID.

 

Is it correct to assume my guest SSID has a pre-auth role of guest_logon and default role of guest and my secure SSID just has an authenticated role?

Re: [Tutorial] ONBOARD USING DUAL SSID

This solution is with a single SSID but should give an idea of what you need to do
https://ase.arubanetworks.com/solutions/id/35

Steps:

* When the user connects to the Guest SSID it will redirected to the Guest Captive portal page (Pre-Auth role)
* You will need to place a link in the Guest Captive Portal page for users to reach the onboarding page
* The user will go through the onboarding process (Will be using the onboarding services)
* once completed the user will have configured the EAP-TLS SSID and should hit the 802.1x service and during this process you can return a user-role back to the VC
*
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: [Tutorial] ONBOARD USING DUAL SSID

If you’re using your guest SSID for Onboarding as well, the only change you’ll have to make is to add the URLs for the Google Play store for Android onboarding.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: