Onboarding and ClearPass Policy Manager itself have many options and many ways to configure it. The important thing is to know what you need it for, form a business policy around it, and then you will have a concrete direction. In general, Onboard is designed to give unique credentials to devices like smartphones where 802.1x would only have them using a regular username and password. Later, if the user leaves the company, you can disable their AD account and none of their BYOD devices will work. If they lose a BYOD device the individual device can also be disabled.
With that being said, what environment do you have and what is your goal?
Thanks for your reply.
I have an SSID which corporate laptops will be using for 802.1x authentication. Should users use their Android/iOS/MacBook devices to connect, they should be directed to a provisioning page to do onboarding. Once onboarded, those devices will have limited access to corporate networks. Those devices will be managed by MobileIron once onboarded.
I have configured the services for the corporate laptop 802.1x authentication with role assignment. Should I be using the same service to determine if it is a BYOD device? How do I configure the policy manager to determine that it is a BYOD device and direct it to the captive portal? Do I need to enable the profiler for the policy manager to categorise the devices?
Are these corporate devices Windows devices that will be doing machine authentication to your domain?
First: Add ClearPass as IP Helpers under the Wireless VLANs, this will allow you to profile and get device OS information
Second: Add Endpoint Repository as an Authorization Source
Third: Add device Category and OS Family as "Roles"
Fourth: In your enforcement policy use these to redirect users to the onboard page:
Here's the basics you need in your enforcement profile:
You can use this as a baseline and then add more granular context with AD groups, etc.
I usually always add the endpoint repository as an authorization source.
The ONBOARD-ENROLL enforcement policy just returns that role to the controller. On the controller you'd need to create a new user-role with the same name and attach a captive portal profile with the URL of the onboard enrollment page.
You'll want to check for Authentication:OuterMethod = EAP-PEAP and Authorization:AD:Groups EQUALS Onboard-Group-Name and then return the ONBOARD-ENROLL role to the controller. This just says if you're using username and password to authenticate (instead of a certificate) and you're a member of the approved group, then send you to the onboard enrollment page.
I created these profiles manually. You can also check out https://ase.arubanetworks.com. It's a wizard based engine that can create controller configurations based on your ClearPass requirements.
The requirement from the customer was a single SSID for onboarding BYOD, onboarded BYOD and non-BYOD corporate laptops, so I can't do multiple SSIDs for these features. To connect to that SSID, users are using 802.1X authentication.
I had created the following service.
I will have users in 3 separate security groups (User, Hospital, IT). The first 3 conditions will provide the user with a non-onboarded role for full access to the network. I am testing on the IT roles at the moment. If the user is using a smart device, belongs to the BYOD_IT grouping and is not using EAP-TLS, they will be assigned to a pre-provisioned role (BYOD_IT).
Now in captive portal, I will create a matching role.
Captive portal profile is as below.
When users attempt to access any webpage through their non-onboarded BYOD iPad, they are directed to the ClearPass provisioning URL but the page shows "Safari cannot open the page because too many redirects occurred". The iPad was assigned the pre-provisioned role of BYOD_IT correctly. Why am I not able to see the provisioning page?
I tried removing the captive portal profile from the BYOD_IT role and providing an allowall policy without the captive-portal policy, and I am able to see the provisioning page. However, I get a "profile installation failed" error when I attempt to install the device profile. I am in the midst of downloading the latest cumulative patch to see if it resolves the profile installation problem.
I have gotten the redirection working. It had something to do with my policies.
Now I have another query. My android phone after going to the provisioning page and authenticating successfully is redirected to install the Network Profile.
When installing, I get the error
"There was an error in configuring your device. This device is not authorized to use this service. Server rejected authorization: Invalid username or password."
I checked the access tracker and there seemed to be another authentication attempt while the phone was attempting to install the network profile.
Why am I getting the error of invalid username and password even though my authentication on the provisioning page was successful?
Should I be creating another service to cater for the installation of the network profile?
Do you have an Onboard authentication and Onboard authorization service?
I had tried using the service template for the Onboarding service but I am still getting the "Profile Installation Failed - A connection to the server could not be established." error on iOS and "server rejected authorization: Invalid username or password" on Android.
3 services were created when I used the template.
Onboard_Web_Login was a service I created to authenticate the IOS-BYOD user credentials on the captive portal.
The access tracker still shows that Service Categorization Failed. I am using the ClearPass as the cert authority and I have another ClearPass appliance forming a cluster with this.
I have added the "Local User Repository" to the authentication source for all the services. The Pre-Provisioning enforcement policy returns an Aruba-User-Role of 'BYOD-Provision'. I have amended it to a role I created as I did not see any BYOD-PROVISION role in the controller.
Could someone enlighten me on what I could have done wrongly?
Logged a case with TAC and they managed to resolve my issue. It was a misconfiguration on my part: I had chosen RADIUS instead of AppAuth for the onboard authorisation.
As I am not using a public cert and the self-signed cert from the onboard module was not imported to the policy manager, when my iPad tries to authenticate, it fails.
TAC is helping to confirm the error. Solution was to perhaps use the cert from the onboard module.
I have got another query. My enforcement policy is not treating my iPad as a smart device and it is getting the AUTH_LAPTOP role. The aim is not to apply onboarding for Windows laptops but allow onboarding for Mac OS, iPad, Android etc. I could perhaps use a condition that requires successful user and machine authentication to enforce this but AD is not ready yet. I am using a local account to authenticate and thus am unable to use machine authentication as one of the conditions. Any workaround for this?
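The two problems raised in this thread (a PEAP-authenticated iPad landing in AUTH_LAPTOP, and device category only being available once ClearPass profiles the endpoint via IP helpers and the Endpoint Repository authorization source) both come down to how the enforcement policy's ordered rules are evaluated. The model below is an added example, not ClearPass code and not anything posted in the thread: it reuses the attribute names (Authentication:OuterMethod, Authorization:AD:Groups, Endpoint Category) and role names (AUTH_LAPTOP, BYOD_IT) from the posts above, while the rule sets, request records and helper functions are assumptions made for illustration.

```python
"""Constructed model of first-match enforcement-policy evaluation.

Added example for this thread; not ClearPass code. Attribute and role names
come from the posts above; the rules, requests and helpers are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, object]  # attributes available for one RADIUS request


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    role: str  # Aruba-User-Role returned to the controller


def evaluate(policy: List[Rule], req: Request, default_role: str = "DENY") -> str:
    """First-match evaluation: the first rule whose condition holds wins and
    later rules are never consulted, so rule order is part of the policy."""
    for rule in policy:
        if rule.condition(req):
            return rule.role
    return default_role


def outer(r: Request) -> str:
    return str(r.get("Authentication:OuterMethod", ""))


def groups(r: Request) -> set:
    return set(r.get("Authorization:AD:Groups", []))


def category(r: Request) -> str:
    # Present only when the endpoint was profiled (IP helper pointing at
    # ClearPass) and the Endpoint Repository is an authorization source.
    return str(r.get("Endpoint:Category", ""))


# Policy as first described in the thread: the laptop rule checks only the
# outer method and group, so a PEAP-authenticated iPad matches it first.
LOOSE_POLICY = [
    Rule("onboarded", lambda r: outer(r) == "EAP-TLS", "AUTH_LAPTOP"),
    Rule("corp-laptop", lambda r: outer(r) == "EAP-PEAP" and "IT" in groups(r),
         "AUTH_LAPTOP"),
    Rule("byod-it", lambda r: outer(r) == "EAP-PEAP" and category(r) == "SmartDevice"
         and "BYOD_IT" in groups(r), "BYOD_IT"),
]

# Tightened policy: smart devices are matched before laptops, and the laptop
# rule requires a profiled Computer endpoint, so an unprofiled device falls to
# the default (DENY) instead of silently receiving full access.
TIGHT_POLICY = [
    Rule("onboarded", lambda r: outer(r) == "EAP-TLS", "AUTH_LAPTOP"),
    Rule("byod-it", lambda r: outer(r) == "EAP-PEAP" and category(r) == "SmartDevice"
         and "BYOD_IT" in groups(r), "BYOD_IT"),
    Rule("corp-laptop", lambda r: outer(r) == "EAP-PEAP" and category(r) == "Computer"
         and "IT" in groups(r), "AUTH_LAPTOP"),
]

# Constructed requests: an IT user on a corporate laptop, on a profiled iPad,
# and on an iPad that was never profiled (no IP helper towards ClearPass).
LAPTOP = {"Authentication:OuterMethod": "EAP-PEAP",
          "Authorization:AD:Groups": ["IT"], "Endpoint:Category": "Computer"}
IPAD = {"Authentication:OuterMethod": "EAP-PEAP",
        "Authorization:AD:Groups": ["IT", "BYOD_IT"], "Endpoint:Category": "SmartDevice"}
IPAD_UNPROFILED = {"Authentication:OuterMethod": "EAP-PEAP",
                   "Authorization:AD:Groups": ["IT", "BYOD_IT"]}


def compare() -> Dict[str, Dict[str, str]]:
    """Return the role each policy assigns to each constructed request."""
    requests = {"laptop": LAPTOP, "ipad": IPAD, "ipad_unprofiled": IPAD_UNPROFILED}
    return {name: {"loose": evaluate(LOOSE_POLICY, r), "tight": evaluate(TIGHT_POLICY, r)}
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, roles in compare().items():
        print(f"{name:16s} loose={roles['loose']:12s} tight={roles['tight']}")
```

Running it shows the profiled iPad getting AUTH_LAPTOP under the loose ordering and BYOD_IT under the tightened one, and the unprofiled iPad being denied rather than treated as a laptop; that last case is the reason the first reply insists on IP helpers and the Endpoint Repository before the category conditions can do any work.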
Thanks all for your help.
I have managed to get the BYOD working with the help from this forum and support :)