Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

iOS WLAN Enrollment

  • 1.  iOS WLAN Enrollment

    Posted Sep 13, 2011 05:55 AM
    Hello together. I have now configured Amigopod to serve iOS devices with certificates. So far everything is working fine. But there is one open question:

    When I connect to my guest WLAN using the Aruba integrated captive portal, an iOS device directly opens the browser window and wants to authenticate against the cap. How does this work? Does iOS make an HTTP request which is directly redirected, or is this managed by the WLAN configuration provided by the controller?

    For my iOS provisioning I use a completely separated network in which only Aruba and Amigopod are placed. There is no DNS and no web browsing.

    Is there a way to redirect a new device to the iOS provisioning captive portal of the Amigopod in this scenario?


    And I also want to note the following:
    - A manual for configuring iOS enrollment with Amigopod would be very nice :-)
    - Pushing a proxy for the WLAN configuration would be very very nice

    best regards


  • 2.  RE: iOS WLAN Enrollment

    Posted Sep 14, 2011 07:15 AM


    Speak to Aruba TAC about this as there are lots of variables and different configurations available. I'm not aware of an MDAC manual as yet.



    There are a few options for pushing proxy settings. Methods to use DHCP or the controller firewall have been covered in these forums.

    Enforce proxying via controller firewall with transparent proxy. Link
    Deploy proxy.pac via DHCP on controller. Link

    Can you elaborate on your other question please?



  • 3.  RE: iOS WLAN Enrollment

    Posted Sep 23, 2011 05:54 AM
    Thank you for your answer whitehead.


    Now I have the problem that I cannot get DHCP working with option 252. Here is my DHCP configuration:

    ip dhcp pool Mobile_DHCP
    default-router 10.137.11.254
    dns-server 10.137.15.8 10.137.15.9
    domain-name de.customer.dns
    lease 1 0 0 0
    option 252 text "http//10.137.15.254/proxy/proxy.pac"
    network 10.137.11.0 255.255.255.0
    authoritative
    !

    The PAC file does not rely on the Aruba controller in this try. I also used
    at the end of the string.

    I'm using the 6.1.2.2 ArubaOS and the client is an iPhone 4.

    As far as I know, the iPhone should support proxy PAC via DHCP.

    Thanks in advance


  • 4.  RE: iOS WLAN Enrollment

    Posted Sep 23, 2011 06:12 AM

    You need to set the proxy setting to Automatic on the i-device to get this to work.


  • 5.  RE: iOS WLAN Enrollment

    Posted Sep 26, 2011 06:47 AM
    I used automatic discovery. With an iPad and an iPhone.


  • 6.  RE: iOS WLAN Enrollment

    Posted Sep 26, 2011 08:16 AM
    Did you attempt to browse to the page http//10.137.15.254/proxy/proxy.pac to see if you can retrieve the file?
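
Alongside fetching the PAC file, the option 252 string itself can be checked. The following is an added example, not part of the original thread: it reads the pool as printed in post 3, where the URL appears without a colon after `http` (whether that is in the running configuration or only in the posting is not known), and lists what would stop a client from using the value. The function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the pool exactly as it is printed in post 3.
SAMPLE_POOL = """ip dhcp pool Mobile_DHCP
default-router 10.137.11.254
dns-server 10.137.15.8 10.137.15.9
domain-name de.customer.dns
lease 1 0 0 0
option 252 text "http//10.137.15.254/proxy/proxy.pac"
network 10.137.11.0 255.255.255.0
authoritative
!
"""

# Matches one 'option 252 text <value>' line; the quotes are optional.
OPTION_252 = re.compile(
    r'^[ \t]*option[ \t]+252[ \t]+text[ \t]+"?([^"\n]*)"?[ \t]*$', re.M)


def extract_option_252(config):
    """Return the option 252 text value from a pool block, or None."""
    match = OPTION_252.search(config)
    return match.group(1) if match else None


def check_pac_url(value):
    """Return the problems that would keep a client from fetching the PAC file."""
    if value is None:
        return ["no 'option 252 text' line in the pool"]
    problems = []
    if value != value.strip() or any(ord(c) < 0x20 for c in value):
        problems.append("leading/trailing whitespace or control characters")
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        problems.append("missing or unsupported scheme (expected http:// or https://)")
    if not parts.hostname:
        problems.append("no host component")
    if not parts.path or parts.path == "/":
        problems.append("no path to a PAC file")
    return problems


if __name__ == "__main__":
    value = extract_option_252(SAMPLE_POOL)
    for problem in check_pac_url(value) or ["value looks like a fetchable URL"]:
        print(f"{value!r}: {problem}")
```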


  • 7.  RE: iOS WLAN Enrollment

    Posted Nov 17, 2011 05:47 PM

    On the point of your existing guest WLAN automatically displaying the internal captive portal, this is a result of the iOS devices supporting a usability feature called Apple's Captive Network Assistant. We have some interesting information regarding this feature posted at the following link:

    Apple Captive Network Assistant

    In terms of how to get your iOS devices to be redirected to the device provisioning page in your isolated network, this will require some local DNS resolution. If you can imagine, when the iOS device connects to the WLAN, it will DHCP its IP address settings and then, based on the above Captive Network Assistant feature, will attempt to resolve an IP address for the www.apple.com domain name. When this fails, the Captive Network Assistant will also fail and no mini browser or web sheet will be displayed.

    This will require the user to open the Safari browser manually and then either browse to the device provisioning page manually or, due to the lack of DNS, browse via an IP address such as http://1.1.1.1

    Ideally, for a clean user experience, it will be best to enable some DNS resolution in your provisioning network.

     

    Hope this helps.