Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Onboard : iOS devices provisionning

Jump to Best Answer
  • 1.  Clearpass Onboard : iOS devices provisionning

    Posted Oct 15, 2014 03:22 AM

    Hi,

     

    For my first post on Airheads Community, I'd like to submit BYOD issue when provisionning iOS devices.

     

    My goal is to Onboard/Provision personal devices, using a PEAP/MSCHAPv2 authentication. I've configured two SSID, and my Clearpass configuration seems OK, since it's working for my Windows and android devices.

     

    The issue occur when I try to provision an iPad:

     

    - Installation of root CA : OK

    - Onboarding : OK, I can see my device on Clearpass Onboard

    - Provisionning : Failed. Connection to my corporate SSID failed. Looking in access tracker, It seems that my Provisionning service is not applied.

     

    Have you any idea that could help me ?

     

    Thank you,

     

    Maxime



  • 2.  RE: Clearpass Onboard : iOS devices provisionning

    Posted Oct 15, 2014 03:27 AM
    The most common issue is the device is not trusting the https cert. You need to have a publicly signed cert on the https. If you are just testing you can disable https on both the controller and CPPM. Then in your redirect use http://


  • 3.  RE: Clearpass Onboard : iOS devices provisionning

    Posted Oct 15, 2014 03:55 AM

    Thanks Troy,

     

    I've unchecked "Require HTTPS for guest access" in CPPM and I use an http url for my BYOD captive portal, but it doesn't work.

     

    Now, I think I've a problem with one of my Clearpass Onboard Service.

    I've configured the following rule : 

    1.Radius:IETFUser-NameCONTAINSOnboardDevice

    This rule is firing with my windows and android device when I connect to my corporate SSID with unique id, but not with my Ipad.

     



  • 4.  RE: Clearpass Onboard : iOS devices provisionning

    Posted Oct 15, 2014 04:01 AM
    What are you using for wireless?

    If you can onboard other devices its most likely not a service issue.

    Do you also have the checkbox checked in the controllers captive portal. Samplace where you put in the address.

    Post some screen shots of access tracker and you can also look in the application log in the guest side.


  • 5.  RE: Clearpass Onboard : iOS devices provisionning

    Posted Oct 15, 2014 05:05 AM

    I'm using Aruba APs and controllers (3600)

     

    I also checked the "use http" checkbox.

     

    Now, looking in the controller log, I can see EAP challenge failed when trying to connect to my corporate SSID. So I have a few questions :

     

    - Is it possible to use unique id and PEAP with iOS devices ?

    - Should I use EAP-TLS instead ?



  • 6.  RE: Clearpass Onboard : iOS devices provisionning

    Posted Oct 16, 2014 03:05 AM

    I had a phone call with TAC, they say that unless I configure a commercial certificate, it won't work.

    That seems strange, because I thought that manually installing Root CA and desactivate https should work.

     

    I've tried to provision a WPA2-PSK SSID and it's working like a charm. But when I provision a 802.1X SSID (tried PEAP and EAP-TLS), it doesn't work. And the strange part is that I didn't see any log in Access Tracker for the authentication service.



  • 7.  RE: Clearpass Onboard : iOS devices provisionning
    Best Answer

    Posted Oct 16, 2014 03:18 AM

    Like I was talking about you can provision with out a Public cert if you have the following done on CPPM and the controller.

     

    You wont see any auths happening on a PSK network because the client will disconnect and then reconnect with the same SSID. IOS devices have an issue where it wont move to a provisioned SSID like a windows or android device will. 

     

    Also if you want the device to disconnect and reconnect you need to have the Send IP checkmarked in the controller.

     

    Here is a how-to.

     

    https://ase.arubanetworks.com/solutions/id/34

     

    Screen Shot 2014-10-16 at 2.11.15 AM.png

     

    Screen Shot 2014-10-16 at 2.11.52 AM.png

     

     



  • 8.  RE: Clearpass Onboard : iOS devices provisionning

    Posted Oct 16, 2014 05:19 AM

    Thanks a lot for the how-to !

     

    It's almost working now, I think that the "Add IP Switch IP..." was the key.

    I've just a small issue on iOS devices, I need to switch the WiFi off/on to get the correct profile.

     

    Again, thank you for your help !