Push Role to Controller after device provisioning on Onboard

  • 1.  Push Role to Controller after device provisioning on Onboard

    Posted Nov 17, 2020 11:45 PM
    Hello, I'm trying to set up Onboard for the first time. I have some trouble. I cannot change the role after onboarding to the employee role, and it's stuck on the captive portal role. Here are some screenshots of the service and policies. I followed the Herman Robers tutorial on YouTube for the Onboard configuration:

    The onboarding policy; the role also uses the logon-control and captive portal policies from the controller.

    Enforcement policy and role mapping

    After provisioning, the device still has the onboarding role mentioned before, so it cannot access the internet.
    Any suggestions for this? Thank you.


    ------------------------------
    AA
    ------------------------------


  • 2.  RE: Push Role to Controller after device provisioning on Onboard

    Posted Nov 18, 2020 02:16 AM
    Hi,

    Try including DNS in your permit policy.

    ------------------------------
    Seungin Park
    ------------------------------



  • 3.  RE: Push Role to Controller after device provisioning on Onboard

    Posted Nov 18, 2020 11:03 PM
    Hello, the DNS Permit rule exists on the policy below the mentioned policy.

    ------------------------------
    AA
    ------------------------------



  • 4.  RE: Push Role to Controller after device provisioning on Onboard

    EMPLOYEE
    Posted Nov 19, 2020 04:17 AM
    Were you able to successfully complete the onboarding process? From your description, it seems like that, which is good.
    Do you see after onboarding the authentication as EAP-TLS in the access tracker?
    Can you share a screenshot of the summary tab of Access Tracker after the onboarding?

    In the demo, I (think that I) check if the authentication is EAP-TLS and assign a BYOD role based on that.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 5.  RE: Push Role to Controller after device provisioning on Onboard

    Posted Nov 19, 2020 04:38 AM
    - Yes, I was able to complete the onboarding process. I can see in the Onboard menus that the certificate has been assigned to the device.
    - I'm not sure about the authentication in the Access Tracker; I will check again once I have access.
    - I have yet to take a screenshot, but as I remembered, the services during the onboarding process were the 802.1X service and the Onboard service (ws_Onboard_authorization in your tutorial).

    As a side question, how do I set the controller to automatically redirect to the Onboard portal after 802.1X authentication? I'm not sure how to configure the initial and 802.1X roles on the AAA profile.

    ------------------------------
    AA
    ------------------------------



  • 6.  RE: Push Role to Controller after device provisioning on Onboard

    EMPLOYEE
    Posted Nov 19, 2020 07:27 AM
    Probably the best way is to leave the initial role as it is and during authentication in ClearPass always return the Aruba-User-Role. By returning a role that redirects to a captive portal, you can get users redirected. One possible approach can be to check if the client is Onboarded by checking if the authentication is EAP-TLS and optionally if the Issuing-CA is the Onboard CA, and otherwise return the onboarding role to redirect clients to the Onboarding portal page.

    Please be advised that single-SSID onboarding, as it is called if you use the same SSID before and after onboarding, is not recommended, as some clients will have issues with the captive portal browser with limited access or don't like to change an existing WLAN configuration for the SSID you are connected to; many Android devices will not allow that.

    ------------------------------
    Herman Robers
    ------------------------------
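
The role decision described in reply 6, modelled as an added example (not part of the thread and not ClearPass configuration syntax): ordered rules, first match wins, and every authentication gets an Aruba-User-Role back. The attribute keys, the role names `employee` and `onboarding`, and the issuer name are assumptions.

```python
# Added illustration: a model of the enforcement decision, not ClearPass syntax.
# Attribute keys, role names and the issuer CN below are assumptions.
ONBOARD_CA_CN = "Example Onboard Issuing CA"  # placeholder, not a real CA

def is_onboarded(req):
    """EAP-TLS plus the optional issuer check mentioned in the reply."""
    return (req.get("outer_method") == "EAP-TLS"
            and req.get("issuer_cn") == ONBOARD_CA_CN)

# Ordered rules, first match wins; the final catch-all sends everything else
# to the role that redirects to the Onboard captive portal.
RULES = [
    ("onboarded device", is_onboarded, "employee"),
    ("not onboarded", lambda req: True, "onboarding"),
]

def decide_role(req):
    """Return (matched rule, RADIUS reply attributes) for one authentication."""
    for name, condition, role in RULES:
        if condition(req):
            return name, {"Aruba-User-Role": role}
    raise RuntimeError("policy needs a catch-all rule")

# Constructed sample authentications (not taken from any real Access Tracker).
SAMPLE_REQUESTS = [
    {"client": "laptop-before", "outer_method": "EAP-PEAP"},
    {"client": "laptop-after", "outer_method": "EAP-TLS",
     "issuer_cn": ONBOARD_CA_CN},
    {"client": "foreign-cert", "outer_method": "EAP-TLS",
     "issuer_cn": "Some Other CA"},
    {"client": "no-issuer", "outer_method": "EAP-TLS"},
]

def evaluate_all(requests=SAMPLE_REQUESTS):
    """Map each sample client to the role the policy would return."""
    return {r["client"]: decide_role(r)[1]["Aruba-User-Role"] for r in requests}

if __name__ == "__main__":
    for client, role in evaluate_all().items():
        print(f"{client:14} -> Aruba-User-Role = {role}")
```

With the issuer check in place, a client presenting a certificate from any other CA falls through to the onboarding role instead of receiving the employee role.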



  • 7.  RE: Push Role to Controller after device provisioning on Onboard

    Posted Nov 19, 2020 07:40 AM
    Thank you for your input, I will check it immediately when I have access.
    I also never knew that it is not recommended to use a single SSID for Onboard.
    I just found a nice tutorial for that:
    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=7246

    ------------------------------
    AA
    ------------------------------