Security

Contributor I
Posts: 32
Registered: 02-22-2011

iPod POS EAP TLS to IAP with ClearPass OnBoard Certificate

I'm happy to report that, with a lot of help, I was able to get a basic framework in place and working yesterday for our new Mobile POS effort to connect to a store's IAP. We'll be onboarding these iPod units with ClearPass OnBoard, downloading a unique cert per device as well as network settings to enforce the use of EAP TLS. Then with the same SSID the device will auto-connect with a different role on the IAP.

A couple of things I still need to work on:

1. Why isn't forced redirect working for the onboarding role specified on the IAP (ClearPass is handing it back to IAP correctly)?

2. Need to set up an API account on AirWatch MDM and configure CPPM to point to it, then lock down the authentication to require the device to be enrolled in the MDM.

3. Lock down firewall rules on the IAP for the onboarding and mobile-pos roles. If you have a captive portal enforcement redirecting to an external site, do you have to allow traffic to that site? Or is it inferred automatically that traffic is allowed?

What am I forgetting? Any hints/tips/tricks? Thanks to @sethfiermonti and others for the help!

Swack

Twitter: @swackhap

Aruba
Posts: 1,537
Registered: 06-12-2012

Re: iPod POS EAP TLS to IAP with ClearPass OnBoard Certificate

swackhap wrote:

> I'm happy to report that, with a lot of help, I was able to get a basic framework in place and working yesterday for our new Mobile POS effort to connect to a store's IAP. We'll be onboarding these iPod units with ClearPass OnBoard, downloading a unique cert per device as well as network settings to enforce the use of EAP TLS. Then with the same SSID the device will auto-connect with a different role on the IAP.
>
> A couple of things I still need to work on:
>
> 1. Why isn't forced redirect working for the onboarding role specified on the IAP (ClearPass is handing it back to IAP correctly)?

Are you using http or https?

> 2. Need to set up an API account on AirWatch MDM and configure CPPM to point to it, then lock down the authentication to require the device to be enrolled in the MDM.

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13370

> 3. Lock down firewall rules on the IAP for the onboarding and mobile-pos roles. If you have a captive portal enforcement redirecting to an external site, do you have to allow traffic to that site? Or is it inferred automatically that traffic is allowed?

Yes you need to allow access to that site.

> What am I forgetting? Any hints/tips/tricks? Thanks to @sethfiermonti and others for the help!
>
> Swack

Thank You,
Troy

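Troy's answer to point 3 is that the onboarding role must explicitly permit traffic to the captive portal's redirect target. As an added illustration that is not from the thread or from Aruba, here is a small Python model of first-match role rules with an implicit deny (the addresses and the rule format are constructed assumptions, not IAP syntax): it flags a role that forgot the ClearPass host, and also flags a role so open that an unenrolled device gets everything.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for this example (assumptions, not from the thread):
# the ClearPass server the portal redirects to, the store DNS server, and an
# arbitrary Internet host standing in for "anything else".
CLEARPASS = ipaddress.ip_address("10.0.0.50")
DNS_SERVER = ipaddress.ip_address("10.0.0.53")
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")

@dataclass(frozen=True)
class Rule:
    dst: str             # destination CIDR; "0.0.0.0/0" matches any host
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port
    action: str          # "permit" or "deny"

def evaluate(rules: List[Rule], dst, proto: str, port: int) -> str:
    """First matching rule wins; a flow matching nothing hits the implicit deny."""
    for r in rules:
        if (dst in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Flows a device must complete while it still has no certificate: resolve names
# and reach the ClearPass captive portal / OnBoard pages over HTTPS.
REQUIRED = {"dns": (DNS_SERVER, "udp", 53), "captive-portal": (CLEARPASS, "tcp", 443)}

def check_onboarding_role(rules: List[Rule]) -> Tuple[List[str], bool]:
    """Return (required flows the role blocks, whether it leaks general access)."""
    blocked = [name for name, (d, p, port) in REQUIRED.items()
               if evaluate(rules, d, p, port) != "permit"]
    leaks = evaluate(rules, INTERNET_HOST, "tcp", 443) == "permit"
    return blocked, leaks

# Role that omits the redirect target: DNS works, but the portal page never loads.
MISSING_PORTAL = [Rule("10.0.0.53/32", "udp", 53, "permit")]
# Least-privilege onboarding role: DNS and ClearPass only, everything else denied.
LOCKED_DOWN = MISSING_PORTAL + [Rule("10.0.0.50/32", "tcp", 443, "permit")]
# "Allow any" role: onboarding works, but an unenrolled device gets full access.
ALLOW_ANY = [Rule("0.0.0.0/0", "any", None, "permit")]

if __name__ == "__main__":
    for name, rules in [("missing-portal", MISSING_PORTAL),
                        ("locked-down", LOCKED_DOWN), ("allow-any", ALLOW_ANY)]:
        print(name, check_onboarding_role(rules))
```

The model covers only the two flows the answer is about; a real onboarding role also needs whatever the IAP does not permit implicitly (DHCP, for instance), which is worth verifying against the IAP's own documentation.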
Contributor I
Posts: 32
Registered: 02-22-2011

Re: iPod POS EAP TLS to IAP with ClearPass OnBoard Certificate

Thanks Troy! It turns out that the captive portal problem was solved by upgrading the IAP to the latest version.

Twitter: @swackhap