Using the Virtual controller on an IAP pointing to CPPM (6.1) for BYOD. Have an employee SSID set up on Instant which points to CPPM and Onboard configured for Captive portal. I can't seem to perform redirection to the Captive portal. The redirection works for my guest SSID and CPPM/Onboard guest portal. Any pointers much appreciated.
Confirmed it's not a DNS resolution issue, also tried with IP address. We are using a single SSID called byod on the Instant AP which maps to an employee role. Thanks a bunch.
BYOD on a Single SSID
Instant OS 3.2 and earlier did not provide the ability to redirect a client to a captive portal page post 802.1X authentication. This limitation required the use of 2 SSIDs: 1) provisioning SSID 2) approved device SSID (802.1X) to provide a complete BYOD solution. In Instant OS 3.3, Aruba introduced the ability to redirect a client to a captive portal page after 802.1X authentication. This new enhancement provides the ability to append a captive portal redirection to a user role. This enhancement coupled with the ability to define a user role based on the EAP authentication type allows the use of a single SSID for a complete BYOD solution. The steps involved in configuring a single SSID for BYOD are these:
STEP 1: Create a user role with captive portal redirection
STEP 2: Create an Employee SSID
STEP 3: Configure the access settings of the SSID with appropriate 802.1X authentication type based derivation rule
STEP 4: If required, configure IAP for server derived rules
Thank you for your help, unfortunately I cannot see the images as they appear to be on your internal pages, prompting me to log in.
Please can you send the screenshots by PDF...
Thank you so much
The URL redirect now happens but the onboarding does not complete. The IAP sends the following URL format to the CPPM:
https://<clearpass IP>/guest/device_provisoning.php?cmd=login&mac=xxxxxxxxx&essid=byod&ip=192.......&apname=xxxxxxxx&switchip=securelogin.arubanetworks.com&url=http<original URL>
However, if I manually go to https://<clearpass IP>/guest/device_provisoning.php/ then I get to the onboarding page. After running through the Quick Connect app I get re-provisioned for TLS.
It seems CPPM is expecting only up to "/device_provisioning.php/" and not the other metadata containing the original URL.
I am trying this with Android ICS 4.1.1.
I experienced the same issue of non-redirection when trying from an iPad (testing without a commercial cert).
Did you try it without https?
iOS will not onboard if you have https enabled with no public webserver cert.
Make sure you disable https in CPGuest under "Home » Configuration » Authentication".
And in your IAP you use http.
Android will also complain if you tell it to validate the server cert under the provisioning settings.
I tried both with & without https (Onboard > Config > Authentication > disabled HTTP for authentication for guest portal).
I can get iOS to onboard without https (1st PEAP, then TLS). Android and iOS work fine if I point the browser to http://<ip_addr>/guest/device_provisoning.php
For iOS or Android, if I type in a random URL I can see the redirect trying to happen:
1. I enter in browser: http://www.yahoo.co.in (dns works)
2. Browser is hijacked and URL shows <ip of cppm>/guest/device_provisioning.php<followed by MAC address, metadata and the original URL>
but it hangs there and then says the link cannot be reached.
Is there an example of configuration on the CPPM services & Onboard side?
Error msg on the redirect attempt is (on Android):
Webpage not available
The webpage at <IP address of CPPM + long URL> might be temporarily down or it may have permanently moved to a new web address.