Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

[Tutorial] ONBOARD USING DUAL SSID

  • 1.  [Tutorial] ONBOARD USING DUAL SSID

    Posted Jan 29, 2015 11:06 AM

                                   ONBOARD USING DUAL SSID

    Overview

    This topic is about device onboarding using two SSIDs. In this scenario I’ll use two SSIDs. At first the user device will connect to one SSID, which is an open network; after that the user will be redirected to CPPM’s captive portal page. When the user completes the captive portal authentication, Onboard will start working. It will configure the user device, and after completion the user will automatically switch to the 2nd SSID.

    SSIDs used here

    1. BYOD-A [Open network]
    2. BYOD-B [Secured with WPA2-AES]

    Flowchart:

    Picture1.jpg

     

     

    • Log in to the CPPM and go to Home » Onboard + Workspace » Onboard/MDM Configuration » Network Settings

    Put the name of the 2nd SSID & select ‘automatically join network’

     

    Picture2.jpg

     

    • Now go to the next tab and configure as per your requirement.

    Picture3.jpg

     

     

    • Open the Windows tab

    Picture4.jpg

     

    • Follow this path: Home » Onboard + Workspace » Deployment and Provisioning » Provisioning Settings

    Be careful about the page name, because this name will be your captive portal login page.

    In here it is device provisioning, so the redirection page is 

     Picture5.jpg

     

     

    • Go to Home » Onboard + Workspace » Deployment and Provisioning » Configuration Profiles and choose your Provisioning profile.

     Picture6.jpg

     

    • Open Configuration » Enforcement » Profiles. Here I’ll configure one enforcement profile.

    Picture7.jpg

     

     

    • Now go to Configuration » Enforcement » Policies to configure an enforcement policy & configure two authentication methods, PAP & EAP-TLS.

    Picture8.jpg

     

     

     

    • Switch to Configuration » Identity » Local Users and assign the same role as assigned in the policy.

    Picture9.jpg

     

     

    • Open Configuration » Services and configure a service
    • Here I added two SSIDs in the service, so that the 2nd service is not required.
    • Check the configuration of the rest of the service

    Picture10.jpg

     

     Picture11.jpg

     

    • Here I’m using only two authentication methods because the 1st time, due to the captive portal, the user will use PAP, & in the meantime, when using the QuickConnect app, it’ll complete another authentication using PAP; after that it will use EAP-TLS to complete onboarding.

    Picture12.jpg

     

     

    Picture13.jpg

     

    • Now log in to the controller to configure the WLAN profile.

    Picture14.jpg

     

     

    Picture15.jpg

     

     

    Picture16.jpg

     

     

    OUTPUT

     

    At first I’ll connect to BYOD-A [open network]. You can see here my credential is correct, so it gives me the QuickConnect download link.

     

    Picture17.jpg

     

    Here it’s showing me a warning that you may attempt to connect to the secure network BYOD-B; that’s what I want.

     

    Picture18.jpg

     

    Picture19.jpg

     

     

    NOTE: This tutorial may have some flaws. There are probably alternative or better ways of achieving this.

     

     

                               THANK YOU




  • 2.  RE: [Tutorial] ONBOARD USING DUAL SSID
    Best Answer

    Posted Feb 01, 2015 01:38 AM


  • 3.  RE: [Tutorial] ONBOARD USING DUAL SSID

    Posted May 15, 2017 10:48 AM

    How would you do this using Instant? I followed all the steps for CPPM and created 2 SSIDs on my IAP. I'm struggling with the roles I need to assign on the IAP for the different SSIDs.

     

    Is it correct to assume my guest SSID has a pre-auth role of guest_logon and default role of guest and my secure SSID just has an authenticated role?



  • 4.  RE: [Tutorial] ONBOARD USING DUAL SSID

    Posted May 15, 2017 10:55 AM
    This solution is with a single SSID but should give an idea of what you need to do
    https://ase.arubanetworks.com/solutions/id/35

    Steps:

    * When the user connects to the Guest SSID, they will be redirected to the Guest Captive Portal page (Pre-Auth role)
    * You will need to place a link in the Guest Captive Portal page for users to reach the onboarding page
    * The user will go through the onboarding process (will be using the onboarding services)
    * Once completed, the user will have configured the EAP-TLS SSID and should hit the 802.1x service, and during this process you can return a user-role back to the VC


  • 5.  RE: [Tutorial] ONBOARD USING DUAL SSID

    Posted May 15, 2017 10:56 AM
    If you’re using your guest SSID for Onboarding as well, the only change you’ll have to make is to add the URLs for the Google Play store for Android onboarding.