12-18-2013 04:07 PM
ArubaOS (MODEL: Aruba7210), Version 184.108.40.206
ClearPass Policy Manager 220.127.116.11896 on CP-HW-500 platform
Currently have onboarding set up and working in my customer's environment, so long as I have an 'allow-all' assigned to the user role that the devices are getting onboarded from.
As soon as I take away this 'allow-all' I can still onboard from Android and iOS, but when it comes to onboarding a MacBook (running Mavericks) I am unable to onboard. I am able to reach the onboarding landing page and receive the configuration profile installer. When I run the profile installer it times out and fails the install.
The traffic for the client at the controller that is going to ClearPass is all on HTTPS 443 and is all being allowed. This works fine for iOS, as I already mentioned. I cannot see any denies for the client at the controller firewall, so I am perplexed as to what I am not allowing that is causing the failure on the MacBook. Putting the 'allow-all' back on the role allows me to onboard again, but obviously I don't want an allow-all on this role.
Anybody know what I need to allow at the firewall to let the user onboard, other than:
user -> clearpass -> http -> allow
user -> clearpass -> https -> allow
Any help is much appreciated.
12-18-2013 04:10 PM - edited 12-18-2013 04:12 PM
Try allowing TCP 1640 and TCP 5223. These are the ports used by Apple's SCEP and push notification services.
user any tcp 1640 permit
any user tcp 5223 permit
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
12-18-2013 07:57 PM
Hi cappalli, thanks for your quick response.
I've tried opening the ports as you recommended, which hasn't solved my issue =[
I did do some more investigating though and found that:
user any any permit
is what is required to make it work. I still need to narrow this down to some specific ports/protocols though....
12-18-2013 09:30 PM
You should only have to allow HTTP and HTTPS, but make sure you use both the IP and FQDN.
In my firewall I have a destination alias defined for my VIP, Server 1 and Server 2, by IP and FQDN.
12-22-2013 02:36 PM
Hi Tarnold, thanks for the response.
HTTP and HTTPS using the IP and FQDN had already been allowed through the firewall to the ClearPass servers and VIP.
It turns out that the MacBook is trying to reach out to Apple's APNS, which in our environment requires it to go via a proxy and receive a proxy PAC. So the solution was to allow access to the proxy to receive the proxy PAC. Even though the MacBook still couldn't get out to the APNS, it was able to receive its proxy PAC and was happy from there onward.
Firewall policy that was needed (in addition to HTTP/HTTPS to ClearPass):
Hope this is able to help someone else out there! =]
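Added example, not from any poster in this thread (the policy the last reply intended to paste did not survive on the page): this is how the rules the thread converges on could be written as an ArubaOS 6.x session ACL on the controller, replacing the 'allow-all' on the onboarding role. The host addresses, FQDNs, alias and role names, and the proxy port 8080 are assumptions; the `name` entries in a netdestination assume the controller release supports domain-name based ACL entries, and the TCP 1640 / 5223 rules are the ones suggested earlier in the thread.

```text
! Assumed addresses and names; replace with the real ClearPass VIP, nodes and proxy.
! Defining each destination by IP and by FQDN matches the advice above to allow both.
netdestination clearpass-servers
  host 10.10.10.5
  host 10.10.10.6
  host 10.10.10.7
  name clearpass.example.com
!
netdestination web-proxy
  host 10.10.20.10
  name proxy.example.com
!
ip access-list session onboard-narrow
  ! Onboard landing page, profile download and EST/SCEP enrollment to ClearPass
  user alias clearpass-servers svc-http permit
  user alias clearpass-servers svc-https permit
  ! Ports suggested in the reply above for Apple's SCEP and push notification services
  user any tcp 1640 permit
  any user tcp 5223 permit
  ! The fix from the last reply: let the Mac fetch its proxy PAC from the proxy,
  ! which is what the profile installer was timing out on (assumed proxy port 8080)
  user alias web-proxy tcp 8080 permit
  ! Make the remaining drops visible in the controller security log instead of
  ! relying on the implicit deny, so the next missing dependency is easy to spot
  user any any deny log
!
user-role onboard
  session-acl onboard-narrow
```

With the `log` action on the final deny, a client that still fails to onboard leaves a record of the exact destination and port it was trying to reach, which is the information the original question was missing; `show datapath session table <client-ip>` on the controller shows the same flows live, with denied sessions flagged. Since ArubaOS user roles end in an implicit deny, the last rule changes nothing about what is blocked, only about what gets logged.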