Security

last person joined: 20 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Problems with Onboarding and HPE Unified Wireless Controller

  • 1.  Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 05, 2017 11:00 AM
      |   view attached

    Hi.

     

    I am implementing a ClearPass Onboard in a Hospital who owns Aruba 205 IAPs and HPE 460 APs.  ClearPass Onboard is working fine with Aruba Instant APs but I am having  problems with the HPE side. They have an HPE Unified Wireless Controllers and about 200 APs. The problem is happening during the onboarding process of android devices.

     

    I setup some portal free rules to allow users connected to the onboard SSID to download de QuickConnec from Play Google Play store. I have tried the usual rules showed below but its not working.

     

     

     

    portal user-url *.ggpht.com free
    portal user-url android.clients.google.com free
    portal user-url *.play.googleapis.com free
    portal user-url www.googleapis.com free

    portal user-url *.gvt1.com

     

    portal free-rule 10 source ip any destination ip 192.1.0.40 mask 255.255.255.255


    portal free-rule 11 source ip any destination ip 192.131.0.0 mask 255.255.255.0


    portal free-rule 12 source ip any destination ip 192.2.1.0 mask 255.255.255.0


    portal free-rule 13 source ip 192.131.0.0 mask 255.255.255.0 destination ip 172.217.0.0 mask 255.255.0.0

     

    where:

     

    192.1.0.40 is customer's DNS address
    192.2.1.0 is the subnet from CPPM Subnet
    192.131.0.0 /24 is Onboarding Subnet
    172.217.0.0 /16 is one of the google domain subnets

     

    I have associated these rules to my Interface Vlan 131 

     

    interface Vlan-interface131
    description Onboard
    ip address 192.131.0.10 255.255.255.0
    portal server CPPM2 method direct
    portal domain cppm
    portal url-param include user-url

     

    I have also tried the 

     

    After connecting to the Onboarding SSID it opens the Onboard Portal and after authenticating with AD credenciasl it prompts for the QuickConnect installs but can't download it.

     

    Just to confirm that problem was caused by Unified fireeall I added a portal rule allowing subnet 192.131.0.0 /24 to any  and QuickConnect was download without any problem

     

    Does anyone have a sucessfull implemention of ClearPass Onboard with HPE Unified controllers that can be shared with me ?

     

    I am not having problems onboarding Windows devices.

     

    I am attching a screenshow showing where the downloading process stops.

     

    It is missing some google playstore to be allowed on the Controller.

     

    Any ideas ?

     

    Thanks.

     

    Luis Rodrigues

    (HPE/Aruba Partner Sâo Paulo Brazil)



  • 2.  RE: Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 05, 2017 11:05 AM
    Please be sure you're using the most up to date whitelist entries from Aruba GitHub.

    https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md


  • 3.  RE: Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 05, 2017 02:59 PM

    Tim. I will add the ones that is missing.

     

    Thanks a lot !!

     

    Luis

     

     



  • 4.  RE: Problems with Onboarding and HPE Unified Wireless Controller

    Posted Dec 12, 2017 08:52 AM

    Hi Tim, I've added the rules, but I'm still having trouble downloading QuickConnect from Google Play.

     

     

     

    I have debugged the controller portal and checked all the subnets / urls used to download QuickConnect.

     

    I added each of them individually and even then I did not succeed.

     

    In the past, I have had some similar problems with this controller using IMC UAM software because of bug. I think again it's the same problem

     

    We are negotiating with them an update to a newer version; Currently they are using the 5.20p41 code and the latest code is 5.20p63 !!!

     

    The way the 20G controller works with the portal firewall is different from Aruba. I can't , at least with the current version, impose a rule to force the portal as we have in Aruba. Depending on the URLs or subnets configured on the free rules, the portal is ignored and the Onboard process does not work.

     

    I'm going to run new tests with updated code to see if I can fix this.

     

    If I can I will share it here with you.

     

    If anyone else here at Airheads has already solved this please share with me !!

     

    Thanks 

     

    Luis