Wireless Access

 View Only
  • 1.  Aruba Instant controller configuration for ClearPass OnBoard

    Posted Oct 09, 2024 01:45 PM

    Hello all,

    I have been tasked with setting up a PoC for ClearPass OnBoard.

    Our WiFi environment is Aruba Instant with virtual controllers (A mix of 315 & 515 WAPs across 4 clusters.)

    I would like to setup a single SSID for OnBoard as the authenticated users will only have internet access. No access to our network domain.

    I have seen a lot of good information for ClearPass configuration with what appear to be hardware controller configs, but I cannot find any thing for Aruba Instant.

    Can someone point me in the direction of any links for configuring Aruba Instant for OnBoard please? Thanks.



  • 2.  RE: Aruba Instant controller configuration for ClearPass OnBoard

    Posted Oct 10, 2024 11:30 AM

    The configuration is basically the same for all WLAN vendors: get the client to a launching point for Onboard, have them go through the provisioning, then have them connect to an 802.1X enabled network.

    Is there something specific that you have a question on in the process?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Aruba Instant controller configuration for ClearPass OnBoard

    Posted Oct 28, 2024 06:51 PM

    Apologies for the slow reply.

    We have been trying to figure this out as there does not appear to be a lot of information available for configuring Aruba Instant in relation to ClearPass OnBoard.

    We believe that we need 2 WLANs, one for provisioning which we have setup as a guest portal with authentication using EAP-PEAP.

    Once provisioning is done and the cert. for EAP-TLS is down loaded to the client device, the user is directed to log into the the second WLAN.

    This is the part we are struggling to get going.

    We thing that the enforcement policy needs a condition for the EAP-PEAP and another for the EAP-TLS and from this it determines if the client device has the cert. or not. Is this true?




  • 4.  RE: Aruba Instant controller configuration for ClearPass OnBoard

    Posted Oct 28, 2024 06:59 PM

    Two WLANs is the easiest way to make things work, typically the "provisioning" network would just be your guest WLAN and you'd allow employees access to the Onboard page.

    If you are using an 802.1X (WPA2 or WPA3 Enterprise) network with EAP-PEAP instead, then you'll want a service for that WLAN that only allows EAP-PEAP, and not allow EAP-PEAP on the provisioned network.  For an Onboard flow, typically you'd only use EAP-PEAP and EAP-TLS on the same network when you want to implement a single WLAN onboarding experience...but that is problematic as some OS do not allow the provisioning to delete or reconfigure the WLAN that is currently being used.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Aruba Instant controller configuration for ClearPass OnBoard

    Posted Oct 29, 2024 04:28 AM

    I created some videos about Onboard with Instant, 7 years ago, that may still be useful: https://www.youtube.com/watch?v=5Wl0ssdV_JU



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------