You need to have a commercial CA for ClearPass to correctly Onboard Apple devices when using HTTPS.
If you do not have a commercial CA, the Onboarding of Apple devices will fail.
On Windows and Android, you don't have to worry about what certificate you use.
This is the certificate for the ClearPass (Apache server) itself by the way. Not the certificate for the Onboard.
I am not sure if there is a guide that takes it step by step.
A simple explanation would be:
- Create a service. Alternatively you can add this functionality to an existing service.
- On the 'Roles' tab of your service, select the default 'Onboard Authorization' from the dropdown menu. This contains some basic role mapping rules. You can customize this to your needs, though.
- Create an Enforcement Policy that evaluates the 'TIPS Role' of the device. The CPPM will have given a TIPS role based on the rules in the role mapping 'Onboard Authorization'.
- Then match your Enforcement Policy up with an Enforcement Profile that sends back a RADIUS response with the correct 'User Role' and 'VLAN'. The User Role would be equal to a role that you created on your Aruba controller.
You can make your Role Mapping rules do just about anything. For instance, for Blackberry devices, we created a rule that checks the device from the Endpoint profiles, and if the 'OS Family' = 'Blackberry' then we assign it a TIPS role of 'Blackberry' (for instance).
I believe some of the default template services might give you a good visual representation of what you have to do as well.
Hopefully this helps a little though.
Cheers