Which ports does onboarding mac osx require?

  • 1.  Which ports does onboarding mac osx require?

    Posted Dec 18, 2013 07:07 PM

    System information:

    ArubaOS (MODEL: Aruba7210), Version 6.3.1.1
    ClearPass Policy Manager 6.2.4.58896 on CP-HW-500 platform

     

    problem description:

    Currently have onboarding set up and working in my customer's environment, so long as I have an 'allow-all' assigned to the user role that the devices are getting onboarded from.

     

    As soon as I take away this 'allow-all' I can still onboard from Android and iOS, but when it comes to onboarding a MacBook (running Mavericks) I am unable to onboard. I am able to reach the onboarding landing page and receive the configuration profile installer. When I run the profile installer it times out and fails the install.

     

    The traffic for the client at the controller that is going to ClearPass is all on HTTPS 443 and is all being allowed. This works fine for iOS, as I already mentioned. I cannot see any denies for the client at the controller firewall, so I am perplexed as to what I am not allowing that is causing the fail on the MacBook. Putting the 'allow-all' back on the role allows me to onboard again, but obviously I don't want an allow-all on this role.

     

    Anybody know what I need to allow at the firewall for the user to onboard, other than:

     

    user -> clearpass -> http -> allow

    user -> clearpass -> https -> allow

     

    Any help is much appreciated.



  • 2.  RE: Which ports does onboarding mac osx require?

    EMPLOYEE
    Posted Dec 18, 2013 07:11 PM

    Try allowing TCP 1640 and TCP 5223. These are the ports used by Apple's SCEP and push notification services.

     

     

    user    any     tcp 1640    permit

    any      user   tcp 5223    permit



  • 3.  RE: Which ports does onboarding mac osx require?

    Posted Dec 18, 2013 10:58 PM

    Hi cappalli, thanks for your quick response.

     

    I've tried opening the ports as you recommended, which hasn't solved my issue =[

     

    I did do some more investigating though and found that the:

    user   any  any  permit


    is what is required to make it work. Still need to narrow this down to some specific ports/protocols though....



  • 4.  RE: Which ports does onboarding mac osx require?

    EMPLOYEE
    Posted Dec 19, 2013 12:31 AM

     

    You should only have to allow http and https, but make sure you use both the IP and FQDN.

     

    In my firewall I have a destination alias defined for my VIP, Server 1 and Server 2 by IP and FQDN

     

    [attached screenshot: screenshot_03 Dec. 18 23.11.gif]

     

    [attached screenshot: screenshot_04 Dec. 18 23.13.gif]



  • 5.  RE: Which ports does onboarding mac osx require?
    Best Answer

    Posted Dec 22, 2013 05:36 PM

    Hi Tarnold thanks for the response.

     

    HTTP and HTTPS using the IP and FQDN had already been allowed through the firewall to the ClearPass servers and VIP.

     

    It turns out that the MacBook is trying to reach out to Apple's APNS, which in our environment requires it to go via a proxy and receive a proxy PAC. So the solution was to allow access to the proxy to receive the proxy PAC. Even though the MacBook still couldn't get out to the APNS, it was able to receive its proxy PAC and was happy from there onward.

     

    Firewall policy that was needed (in addition to HTTP/HTTPS to ClearPass):

    [attached screenshot: proxy scrn.PNG]

    Hope this is able to help someone else out there! =]
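
As an added illustration (not from the original thread, and not HPE Aruba reference configuration), here is what the ArubaOS session ACL for the provisioning role could look like once the rules the thread settled on are put together: HTTP and HTTPS to the ClearPass VIP and both servers by IP and FQDN (post 4), plus access to the web proxy so the Mac can fetch its PAC file (post 5). The addresses, hostnames, the proxy port 8080 and the role/ACL names are placeholders.

```text
! Added example, not from the thread. Addresses and names are placeholders.
! Destination alias for the ClearPass VIP and both servers, by IP and FQDN.
netdestination clearpass-servers
  host 10.10.10.5
  host 10.10.10.6
  host 10.10.10.7
  name clearpass-vip.example.com
  name cppm1.example.com
  name cppm2.example.com
!
! Proxy that serves the PAC file (placeholder address; port 8080 assumed).
netdestination web-proxy
  host 10.10.20.8
!
ip access-list session onboard-provisioning
  ! Basic connectivity the client needs before the portal can be reached.
  user any svc-dhcp permit
  user any svc-dns permit
  ! Onboard portal and profile installer (the rules posts 4 and 5 agree on).
  user alias clearpass-servers svc-http permit
  user alias clearpass-servers svc-https permit
  ! The fix from post 5: let the Mac reach the proxy to fetch its PAC.
  user alias web-proxy tcp 8080 permit
  ! Everything else stays blocked; log hits so any remaining deny is visible.
  any any any deny log
!
user-role onboard-provisioning
  access-list session onboard-provisioning
!
```

From the controller, `show rights onboard-provisioning` shows the compiled ACL for the role, and `show datapath session table <client-ip>` lists the Mac's live sessions, with a D flag on flows the role denied; that is where a missing port shows up while narrowing a rule set like this. One caveat on the earlier suggestion of TCP 5223: APNs connections are opened by the device towards Apple, so if that port is permitted at all it belongs in a `user any tcp 5223 permit` rule (client to Apple), not one with `user` as the destination.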