SIngle SSID Onboard using Aruba Controller
This Article explains about-
i) adding the Aruba controller as NAD device.
ii) Integrating Aruba Controller with CPPM to perform onboard provisioning.
iii) Configuring service on CPPM to handle the Onboard request.
iv) Configuring the Guest part of CPPM.
Environment : This Article is written for CPPM 6.2.0 and greater.
Below are the detailed steps.
1: Adding Aruba Controller as NAD device on CPPM.
Navigate to Configuration > Network > Devices
Click Add Device
Add the device as shown below.
Make sure that we configure the same Radius Shared secret on the controller as well.
2: Integrate Aruba Controller with CPPM for Onboard provisioning.
-> Add a server group on the Controller
Navigate to Security > Authentication > Servers
Add a new Radius Server.
Enter the IP of the CPPM or a generic name to identify the CPPM server and hit " Add"
After adding, the CPPM server will show in the list.
Click on the entry and modify the below.
Make sure that the Host field has the IP/host name of the CPPM and the Key is same as radius secret key in step 1.
-> Map this server to a server group.
Create a new Server group and add the entry of CPPM to it.
Add a RFC -3576 Server.
Navigate to "RFC 3576 Server".
The key MUST match with the radius keys in the step above.
Navigate to "Security > Authentication > L2 Authentication" and add a new dot 1 x profile.
Navigate to "Security > Authentication > Profiles" and create a new AAA profile for authentication.
Make sure that the initial role is "Logon". It is important because this role will be matched on the CPPM for device provisioning.
Map this AAA to the below groups/profiles.
MAC Authentication Server Group default
802.1X Authentication Onboard.1x ( this is the dot1x profile created in above step)
802.1X Authentication Server Group Onboard-grp ( Radius Server Group)
RADIUS Accounting Server Group Onboard-grp ( Radius Server Group)
Add a Captive Portal profile on the controller.
Navige to "Security > Authentication > L3 Authentication".
Map the correct Server group to the Captive portal Profile and add the Login page url as"http://IP_Address_Of_CPPM/guest/device_provisioning.php"
Edit the "Logon" Role.
Navige to "Security > Access Control > User Roles" and edit the "Logon" Role.
Make sure that the Firewall policies are as below.
HTTP/HTTPS connectivity should be added to CPPM server.
Add the default Captive Portal Policy also.
Scroll down this page and map this Role to the already created Captive Profile Policy.
Create a new dot1 x VAP and SSID.
Navigte to "Configuration > AP Group " and edit the AP group in which you would want to add the SSID .
Create a new Virtual AP ( VAP) profile.
Map it to specific Vlan and the AAA profiel should be the created by us for crete a new SSID as below.
This completes the configuration on the controller.
3: Create Onboard service on the CPPM.
Navigate to "Configuration » Service Templates" and Select the Onboard Template.
After selecting, add a service with the below details.
Make sure that the SSID name exactly matches with the SSID configured on the Controller.
Once we save the settings, it will create two new services as below.
Edit the first service : Lab-Onboard Onboard Authorization
Add two new Authentication Sources as below.
The Second Service created is " Lab-Onboard Onboard Provisioning" is a "Aruba 802.1X Wireless"service.
- We will need to edit the enforcement profiles in this service.
Navigate to "Configuration » Enforcement » Profiles » Edit Enforcement Profile - Lab-Onboard Onboard Pre-Provisioning" and edit the pre provisioning Policy.
The name would contain the string "Onboard Pre-Provisioning".
Change the Attribute from "BYOD- provisioning " to "Logon".
Create a Guest user on CPPM.
Navigate to "Configuration » Identity » Guest Users" and click on " Add Guest User" to add a new guest user.
Hit Add to add the user.
This completes the configuration on CPPM.
4: Configuration Of Clear Pass Guest.
Navigate to " Home » Onboard + WorkSpace » Onboard/MDM Configuration » Network Settings"
Click on the "Example networks" and select "Edit".
Please configure this page as per details below or your requirements.
Make sure that the SSID field contains the exact SSID name.
We can leave the other tabs in this page as Default.
Navigate to " Home » Onboard + WorkSpace » Deployment and Provisioning » Provisioning Settings"
and select "Provisioning Address:" as the correct interface. In this test condition we are using themanagement port.
As in this lab setup, we do not have a proper certificate installed, so we are disabling the validate certificate option.
All the other configuration may be left as default.
This completes the CP Guest Configuration.