How to use Onboard with single SSID on IAP

Aruba Employee

This article explains the following.

1: Creating a Dot1x SSID on IAP.
2: Creating required roles.
3: Configuring the Guest part of CPPM.
4: Creating services on CPPM to handle the Onboarding request.


Environment:


This KB article is written for a combination of CPPM 6.2 and IAP.

The IAP must be on 3.3 code for this setup to work.


Below are the detailed configuration steps.

1: Configuration on the IAP

1a: Add CPPM as a radius server on IAP.

Navigate to "Security - Authentication Servers" and add the below details.





1b: Create Roles on IAP.

Navigate to "Security -> Roles".

Create a Preauth role as below. The client will initially fall into this role after authentication. This is a general captive portal role with HTTP and HTTPS access to the CPPM server and Enforce Captive Portal.


rtaImage (1).png



To add "Enforce Captive Portal", click on "New" and add the captive portal rule as below.

The URL is the Device_provisioning page on the CP Guest: /guest/landing.php/device_provisioning.php

For Android devices, we must provide access to the IP of the Google Play store in the Preauth role.

The Redirect URL is optional.


rtaImage (2).png



1c: Create a Dot1X SSID with the below specifications.

Give a generic name to the SSID and select the Primary usage as "Employee".


rtaImage (3).png

We can configure this based on the network requirements.


rtaImage (4).png



Map the CPPM server as Authentication Server and select the Key management as "WPA-2 Enterprise".


rtaImage (5).png


On this page, we will see a role "onboard-single" created by default. We will need to add Aruba-User-Roles for this specific role.

Add two Aruba user roles as "Aruba-User-Role <-> contains <-> Q-Preauth then Role = Q-Preauth"

and "Aruba-User-Role <-> contains <-> Onboard-single then Role = Onboard-single".


rtaImage (6).png



Make sure that the order is set as below.


rtaImage (7).png



Hit "Finish" to save the configuration.

This completes the configuration of the IAP.

2: Configuration of ClearPass Guest.

Navigate to "Home » Onboard + WorkSpace » Onboard/MDM Configuration » Network Settings".

Click on "Example networks" and select "Edit".


rtaImage (8).png


Please configure this page as per details below or your requirements.


rtaImage (9).png



Make sure that the SSID field contains the exact SSID name.
We can leave the other tabs on this page as default.

Navigate to "Home » Onboard + WorkSpace » Deployment and Provisioning » Provisioning Settings"

and select "Provisioning Address:" as the correct interface. In this test condition we are using the management port.

This lab setup does not have a proper certificate installed, so we are disabling the validate certificate option here.


rtaImage (10).png



All the other configuration may be left as default.

This completes the CP Guest Configuration.

3: Configuration on CPPM.

Make sure that the IAP is added as a NAD on CPPM.

Navigate to "Configuration » Service Templates" and select the default "Onboard Authorization" template.



Give the service a generic, recognizable name, select the Wireless Controller from the drop-down, provide the SSID name, and click "Add Service".

It will automatically create two services as below.


rtaImage (12).png


The first service is: Single-SSID Onboard Authorization - RADIUS Enforcement (Generic)

     - We can leave this service with the default configuration. If required, we can also add Active Directory as an authentication source.


rtaImage (13).png


The second service created, "Single-SSID Onboard Provisioning", is an "Aruba 802.1X Wireless" service.

    - We will need to edit the enforcement profiles in this service.

Navigate to "Configuration » Enforcement » Profiles" and apply a filter as below.


rtaImage (14).png

Edit the "Single-SSID Onboard Post-Provisioning" as below.

Add the Post provisioning Role name in the Attributes tab and save the Profile.


rtaImage (15).png


Edit the "Single-SSID Onboard Pre-Provisioning" as below.

Add the Pre provisioning Role name in the Attributes tab and save the Profile.


rtaImage (16).png


Save and exit. The above two profiles are mapped to the service, so changes made here will be reflected in the service as well.

Create a Guest user on CPPM.

Navigate to "Configuration » Identity » Guest Users" and click on "Add Guest User" to add a new guest user.


rtaImage (17).png


Hit Add to add the user.

This completes the configuration on CPPM.


Connect a Device to the SSID.

In this test condition, we use an Android smart phone.

The guest user name is "onboard".

Connect the device to the SSID and authenticate yourself. Once authentication is complete, the device gets an IP address. Fire up a browser and it should be redirected to the Device Provisioning page.

Below are the Access Tracker details.

rtaImage (18).png

Version history
Revision #: 1 of 1
Last update: 07-17-2014 08:24 AM