Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Whatsapp ios Clearpass

  • 1.  Whatsapp ios Clearpass

    Posted Feb 21, 2024 01:01 PM

    Good evening everyone, let me introduce myself: I'm Michele. I have a problem in my company. I configured two ClearPasses with 3 user categories; so far so good, but when authenticating, Android users calmly use WhatsApp, while iOS users still don't connect. Did I do something wrong with the policies? Thanks to anyone who can help me, and sorry for my English.



  • 2.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 01:30 PM

    What makes you think this is a ClearPass issue?  What type of flow is this? MAB? Guest? 802.1X? Are you passing dACLs, Downloadable User Roles, Local User Roles, ACLs to clients?  Wired or wireless?  




  • 3.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 02:03 PM
    It is a corporate network with 420 access points, two Aruba 7210s, one primary and one backup, with two Aruba ClearPasses. I don't use guest users, but I have created three types of user categories with different rules: basic user with one device, user with two devices, and full user.  We're talking about iOS and Android, so we're definitely not talking about a wired network.  If I try not to use ClearPass, both WhatsApp services work; when I switch from clearpass to iOS WhatsApp is blocked, Android has no problems whatsoever, and on any other type of PC or Mac device I have no navigation problems. It's a very basic system.





  • 4.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 02:15 PM

    Ok so what is different between the various Roles?  What makes you think this is a ClearPass issue?  What do you mean by "when I switch from clearpass to iOS"?




  • 5.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 02:27 PM
    I'm sorry, I don't know how to speak English... and I'm being confusing.  I'll try to explain myself better: when I use the full user (we call it like this) with an Android phone, WhatsApp works; if I use an Apple iPhone, WhatsApp blocks me.  If on the 7210 I make an open network without ClearPass, bypassing it, both work.  I have ClearPass version 6.10.8.  Thank you for your patience.





  • 6.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 02:39 PM

    Hi

    To better understand your setup and problem it would be good to know some things about your setup:

    • What authentication do you use 802.1x, MAC auth?
    • If 802.1x, what authentication method EAP-PEAP, EAP-TLS or anything else?
    • Can you share screenshots of all tabs of the Service in ClearPass performing the authentication?
    • Can you provide screenshots of any error messages from the Access Tracker?
    • Do you assign Aruba Roles in the controllers?
    • What version of Aruba OS are you running on the controllers?
    • Are the Android and iOS devices managed by a MDM system like Intune, Jamf or MobileIron?
    • Do the clients have a correct 802.1x connection and authentication profile?

    From the information provided already, it sounds more like a misconfiguration or authentication error for the iPhones.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 02:41 PM
    There is no substantial difference between the roles, just a limitation of connecting more or fewer devices. If I use ClearPass I have this problem. If I create a network via the 7210 without ClearPass I have no problem. If I switch to ClearPass, Android works and iOS does not.






  • 8.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 02:45 PM

    It sounds like an authentication issue for the iOS device based on the limited information.

    How have you specified number of devices per user in each role?

    Any error messages in Access Tracker for the iOS device?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: Whatsapp ios Clearpass

    Posted Feb 21, 2024 03:11 PM

    .



  • 10.  RE: Whatsapp ios Clearpass

    Posted Feb 22, 2024 02:23 AM

    I don't understand the thoughts behind the configuration provided in the screenshots. The role mapping policy is the default guest role mapping policy for MAC caching, and in the enforcement policy you have four rules all returning just an Accept back to the controller.

    With this setup it doesn't matter what role you assign the users under the Local User Repository, as it looks like you are using this repository.  With the size of your organisation you shouldn't use the Local User Repository, instead the corporate directory such as Active Directory, Entra ID, or a generic LDAP.

    If the iPhone authenticates OK in ClearPass, it's the same result sent back to the controller as for an Android. ClearPass is not the root cause of your problem, but I recommend that you contact an Aruba SE or Aruba Partner with ClearPass knowledge to help you with the configuration. Also check the Airheads Broadcasting channel on YouTube with the ClearPass series: https://www.youtube.com/watch?v=bnOGv6sN804&list=PLsYGHuNuBZcbZPEku1zxkfpn2k_O_MENo

    You have to check the controller configuration. The only way I can think of that can cause different access for Android and iPhone in this case is if the Android successfully authenticates with 802.1x and the iPhone with MAC auth. In that situation the controller will utilize the respective default roles for 802.1x and MAC auth. If these roles are different and the MAC auth role has firewall rules blocking some ports, you can end up in this situation.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 11.  RE: Whatsapp ios Clearpass

    Posted Feb 22, 2024 02:49 AM
    Thank you, you were really kind, I think it's a controller problem, little by little I managed to get out of it.





  • 12.  RE: Whatsapp ios Clearpass

    Posted Feb 23, 2024 05:26 AM

    You have a service for a Secure SSID with Radius authentication, but use role mapping for guest authentication with MAC address caching. This does not match.

    In role mapping, you query properties from the endpoints. However, these must also be present in the endpoint. You can set them using enforcement profiles, but you don't do that. Do you set them manually? If not, your role mapping always returns [Other] as the result.

    In the enforcement you query Unique-Device-Count. For this to work, the name of the user currently logged in must be stored in the Username attribute in the endpoint. Your enforcement profiles do not do this. Do you set them manually? If not, Authorization:[Endpoints Repository]:Unique-Device-Count is always equal to 1, so ClearPass can never detect how many endpoints the user has used.

    Your enforcement sends an ACCEPT if one of the conditions from 1 to 4 is fulfilled. If none of the conditions are met, a REJECT is sent. It is not checked at any point whether it is an Android or an iOS device.

    Please post the result from the access tracker - all tabs. Once for an Android device and once for an iOS device.

    Do the iOS and Android devices connect to the same SSID?
    Check in the WLAN Controller whether Android and iOS devices get different Aruba user roles.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
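
The check suggested in posts 10 and 12 (do Android and iOS clients on the same SSID end up with different authentication methods and controller roles?), written out as an added example that is not part of any post in this thread. It assumes the client sessions were exported to CSV; the column names, role names and sample rows are constructed, not ArubaOS or ClearPass output.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. The CSV layout, column names and role names are
# assumptions made for this example, not ArubaOS or ClearPass output.
SAMPLE = """\
mac,ssid,os,auth,role
02:00:00:00:00:01,CORP,Android,802.1x,corp-dot1x
02:00:00:00:00:02,CORP,iOS,MAC,corp-mac
02:00:00:00:00:03,CORP,Android,802.1x,corp-dot1x
02:00:00:00:00:04,CORP,iOS,MAC,corp-mac
02:00:00:00:00:05,LAB,iOS,802.1x,corp-dot1x
02:00:00:00:00:06,LAB,Android,802.1x,corp-dot1x
"""


def load_sessions(text):
    """Parse the CSV export into a list of dicts, one per client session."""
    return list(csv.DictReader(io.StringIO(text)))


def divergent_ssids(sessions):
    """Return {ssid: {os: [(auth, role), ...]}} for every SSID on which the
    OS families did not receive the same set of (auth method, role) pairs."""
    seen = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        seen[s["ssid"]][s["os"]].add((s["auth"], s["role"]))
    result = {}
    for ssid, by_os in seen.items():
        outcomes = {os_name: sorted(pairs) for os_name, pairs in by_os.items()}
        if len({tuple(v) for v in outcomes.values()}) > 1:
            result[ssid] = outcomes
    return result


def mac_auth_on_dot1x_ssid(sessions):
    """List clients that authenticated via MAC auth on an SSID where other
    clients completed 802.1X: the case in which the controller's default
    MAC-auth role, and its firewall rules, apply instead of the 802.1X role."""
    methods = defaultdict(set)
    for s in sessions:
        methods[s["ssid"]].add(s["auth"])
    return sorted(s["mac"] for s in sessions
                  if s["auth"] == "MAC" and "802.1x" in methods[s["ssid"]])


if __name__ == "__main__":
    rows = load_sessions(SAMPLE)
    print(divergent_ssids(rows))
    print(mac_auth_on_dot1x_ssid(rows))
```

An SSID reported by `divergent_ssids` is where to compare the firewall rules of the two roles on the controller.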