Create a single secure SSID on IAP to integrate with ClearPass Onboard
This solution configures an 802.1X SSID on an Aruba Instant Access Point (IAP). The 802.1X SSID is designed for integration with ClearPass Onboard under the Single SSID model. With this single SSID model, clients first join the SSID with a username and password, usually their corporate credentials stored in Active Directory. If the initial username/password authentication succeeds, the client is presented with a captive portal to provision the device through ClearPass Onboard. After provisioning, the device can automatically reconnect to the same SSID and receive elevated access by authenticating with its newly provisioned Onboard credentials. The credentials can be a unique username/password for EAP-PEAP authentication or a client certificate for EAP-TLS authentication. One benefit of ClearPass Onboard is therefore that each device has unique device credentials that can be revoked at any time (if a device is lost, employment is terminated, etc.). For more details on ClearPass Onboard, including configuration help, see the ClearPass Guest Deployment Guide and the ClearPass Policy Manager User Guide.
The 802.1X SSID that this solution creates has many small configuration options hard coded that are not normally configured in a generic 802.1X SSID. Each hard coded option prevents a common issue with Onboard integration. Read both the configuration notes and the inline comments to understand what gets configured and why.
Onboard Network Architecture
Aruba Instant Access Point 135 running 22.214.171.124-126.96.36.199 and ClearPass Guest running 188.8.131.52353. This solution documents configuration for ClearPass 6.2 which should be applicable to ClearPass 6.0 and 6.1. Although the 802.1X SSID can be used for Onboard in CPG 3.9, the notes in this solution may not directly apply.
This is a list of client test devices which were successfully provisioned using the IAP configuration generated by this solution:
- Windows 7 64-bit
- iPhone 5 w/ 6.1.4 (10B350)
- Android HTC One X w/ Android 4.1.1
- Macbook Air (mid 2011) w/ OS X 10.8.4
IAP version 184.108.40.206-3.3 and above is required. Version 3.3 added the ability to configure access rules that enforce captive portal authentication on an SSID that already has 802.1X authentication enabled. Single-SSID Onboard requires an 802.1X-enabled network with a captive portal enforced for non-provisioned devices.
ClearPass Guest and ClearPass Policy Manager must be configured before Onboard provisioning will work. See the ClearPass Guest Deployment Guide and the ClearPass Policy Manager User Guide for details. The Instructions to Apply section of this tutorial covers only the very basics that need to be configured.
IAP has a 32 character limit for profile names. When entering values for the profile prefix and profile name, ensure that the total length will not exceed 32 characters for any of the derived profile names. For example, the configuration contains a profile named "%gen_prefix%-%profile_name%-auth", so the two variables plus the 6 static characters (the two hyphens and "auth") must not exceed 32 characters.
The external captive portal redirect will be configured on the IAP for port 80. On ClearPass Guest, enable the option "Require HTTPS for guest access" at Configuration -> Authentication. The combination of these two settings converts captive portal redirects from HTTP (port 80) to HTTPS (port 443) automatically. Following this redirection process on the IAP is recommended because it avoids redirection issues caused by the IAP's proxy.
Android devices need to download the QuickConnect app from the Google Play Store as part of the Onboard provisioning process. The Play Store uses a combination of port 80 (HTTP) and port 443 (HTTPS) to download and display content. To give clients access to the Play Store over port 443, several of Google's network ranges are allowed in the provisioning user role. For port 80 access, the hosts "android.clients.google.com" and "ggpht.com" are added to the IAP's walled garden whitelist. With the whitelist combined with the user role access rules, a client is redirected to the Onboard page when it tries to reach www.google.com over HTTP but is not redirected when it reaches www.gmail.com, since Gmail uses HTTPS and falls inside the allowed Google ranges. A future IAP version is planned to better support walled garden whitelists, which would eliminate the need to allow Google's network ranges on port 443.
Similarly, iOS devices need access to apple.com for their network connectivity test. If that test fails, the Captive Network Assistant (CNA) pops up on the iOS device immediately after it connects to the SSID. The CNA is not a full browser, which makes Onboard provisioning inoperable, so it must be bypassed. This solution does so by leveraging ClearPass Guest's ability to satisfy the CNA connectivity test with "landing.php": the redirect URL is set to /guest/landing.php/device_provisioning.php. Alternatively, ".*apple.com.*" could be added to the walled garden whitelist so the connectivity test succeeds directly.
RADIUS accounting will be enabled, but RADIUS interim accounting will not. Interim accounting can be enabled manually by adding the line "radius-interim-accounting-interval <minutes>". Enable it only if you plan to use the additional data the IAP will send, since each interval generates extra accounting traffic to ClearPass.
The solution allows you to configure the redirect to ClearPass Guest using an IP address, but this is not recommended. Instead, give the solution a valid FQDN for ClearPass so the redirect uses that hostname. A captive portal redirect to an IP address will almost certainly lead to certificate trust issues, because the certificate presented by ClearPass is issued for its hostname, and the client's browser will warn when the address in the redirect URL does not match it.
Two user roles are created, one for pre-provisioned clients and one for post-provisioned clients. The pre-provisioned user role ("%gen_prefix%-%profile_name%") has the captive portal profile attached to it and is applied automatically to successfully authenticated 802.1X clients. The post-provisioned user role ("%gen_prefix%-%profile_name%-auth") is defined but is not referenced by the IAP configuration itself. A ClearPass Policy Manager Service must be configured to return the post-provisioned user role for users who authenticate with Onboard credentials. See the notes in "Instructions to Apply" for more information. Warning: the post-provisioned user role has no network access restrictions. Adjust this role according to your desired network policy before using it in production.
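The notes above describe what the generated IAP configuration contains (the two roles, the captive portal profile pointing at landing.php, the walled garden hosts, the Google ranges on port 443, the 32 character name limit and the FQDN requirement for the redirect) without showing it assembled. The following script is an added example, not the solution's own generator or Aruba's code: it renders those pieces from a prefix and profile name and refuses to render when a derived name would exceed 32 characters or when the redirect target is an IP literal. The profile names, the ESSID, the ClearPass FQDN and IP, the RADIUS secret and the single Google range are constructed placeholders, the "-ecp" suffix for the captive portal profile is this example's own naming, and the Instant CLI keywords follow the 6.x syntax as the author of this example understands it, so check the output against the CLI reference for your IAP version before applying it.

```python
"""Render the Instant (IAP) CLI fragments described in the configuration notes.

Added example, not the solution's own generator. Names, addresses, the RADIUS
secret and the Google range below are constructed placeholders; the CLI
keywords are assumed Instant 6.x syntax and should be verified on your IAP.
"""
import ipaddress

MAX_PROFILE_NAME = 32  # IAP limit on profile names (from the notes)
# Redirect target that satisfies the iOS CNA connectivity test (from the notes)
REDIRECT_URL = "/guest/landing.php/device_provisioning.php"
# Hosts the Play Store needs over port 80 (from the notes)
WALLED_GARDEN = ("android.clients.google.com", "ggpht.com")


def derived_names(prefix, name):
    """Every profile name built from the two variables.

    'pre_role' and 'post_role' are the roles named in the notes; the
    '-ecp' captive portal profile name is this example's own convention.
    """
    base = f"{prefix}-{name}"
    return {"pre_role": base, "post_role": f"{base}-auth", "ecp_profile": f"{base}-ecp"}


def check_name_lengths(prefix, name):
    """Return the longest derived name length; raise if any exceeds the IAP limit."""
    names = derived_names(prefix, name).values()
    too_long = [n for n in names if len(n) > MAX_PROFILE_NAME]
    if too_long:
        raise ValueError(f"profile name(s) longer than {MAX_PROFILE_NAME}: {too_long}")
    return max(len(n) for n in names)


def is_ip_literal(host):
    """True when the redirect server is an IP address rather than an FQDN.

    A redirect to an IP will not match the name on the ClearPass certificate.
    """
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def render_config(prefix, name, essid, cppm_fqdn, cppm_ip, radius_key,
                  google_ranges=("74.125.0.0/16",)):
    """Return the IAP CLI text for the single-SSID Onboard setup."""
    check_name_lengths(prefix, name)
    if is_ip_literal(cppm_fqdn):
        raise ValueError("use the ClearPass FQDN for the redirect, not an IP address")
    names = derived_names(prefix, name)
    lines = [
        f"wlan auth-server {prefix}-cppm",
        f" ip {cppm_ip}",
        " port 1812",
        " acctport 1813",
        f" key {radius_key}",
        "",
        f"wlan external-captive-portal {names['ecp_profile']}",
        f" server {cppm_fqdn}",
        " port 80",  # CPG 'Require HTTPS for guest access' upgrades this to 443
        f' url "{REDIRECT_URL}"',
        "",
        "wlan walled-garden",
        *[f" white-list {host}" for host in WALLED_GARDEN],
        "",
        # Pre-provisioned role: same name as the SSID so the IAP applies it by default
        f"wlan access-rule {names['pre_role']}",
        f" captive-portal external profile {names['ecp_profile']}",
        f" rule {cppm_ip} 255.255.255.255 match any any any permit",
        " rule any any match udp 53 53 permit",
        " rule any any match udp 67 68 permit",
    ]
    for cidr in google_ranges:  # Play Store over HTTPS, per the notes
        net = ipaddress.ip_network(cidr)
        lines.append(f" rule {net.network_address} {net.netmask} match tcp 443 443 permit")
    lines += [
        "",
        # Post-provisioned role, returned by CPPM for Onboard credentials.
        # Unrestricted here exactly as the notes warn: tighten before production.
        f"wlan access-rule {names['post_role']}",
        " rule any any match any any any permit",
        "",
        f"wlan ssid-profile {names['pre_role']}",
        " enable",
        " type employee",
        f" essid {essid}",
        " opmode wpa2-aes",
        f" auth-server {prefix}-cppm",
        " set-role Aruba-User-Role value-of",  # honour the role CPPM returns
        " radius-accounting",  # interim accounting deliberately left off
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config("corp", "onboard", "Corp-Onboard",
                        "cppm.example.com", "10.1.1.20", "s3cret-shared-key"))
```

The generated text is meant to be reviewed, not pasted blindly: the post-provisioned role is intentionally wide open so that the warning in the notes stays visible in the output, and the single Google range is a stand-in for whatever ranges your region actually needs.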
No special licenses are required on the IAP. ClearPass Policy Manager requires either an Enterprise license or an Onboard license for each provisioned device.