Summary
This solution configures an 802.1X SSID on an Aruba Controller designed for integration with ClearPass Onboard under the Single SSID model. With this single SSID model, the clients first join the SSID by specifying their username and password, which is usually their corporate username/password stored on an Active Directory. If the client's initial username/password authentication is successful, that client will get a captive portal to provision their device using ClearPass Onboard. After the provisioning process, the device can then automatically reconnect back to the same SSID and get elevated access privileges by authenticating with their newly provisioned Onboard credentials. The credentials can be in the form of a unique username/password for EAP-PEAP authentication or can be a client certificate for EAP-TLS authentication. Therefore, one benefit of ClearPass Onboard is that each device has unique device credentials that can be revoked at any time (if a device is lost, employment terminated, etc.). For more details on ClearPass Onboard including configuration help, see the ClearPass Guest Deployment Guide [1] and the ClearPass Policy Manager User Guide [2].
The 802.1X SSID that this solution creates has many small configuration options hard coded that aren't normally configured in a generic 802.1X SSID. Each hard coded configuration option helps prevent common issues with Onboard integration. Read over both the configuration notes and the inline comments to understand what gets configured and why.
Onboard Network Architecture
Platform Tested
Aruba Mobility Controller 3400 running AOS 6.2.0.3 and ClearPass Policy Manager running 6.2.0.54353. This solution documents configuration for ClearPass 6.2 which should be applicable to ClearPass 6.0 and 6.1. Although the 802.1X SSID can be used for Onboard in CPG 3.9, the notes in this solution may not directly apply.
This is a list of client test devices which have been successfully provisioned using the controller configuration generated by this solution:
- Windows 7 64-bit
- iPhone 5 w/ 6.1.4 (10B350)
- Android HTC One X w/ Android 4.1.1
- Macbook Air (mid 2011) w/ OS X 10.8.4
Configuration Notes
ClearPass Guest and ClearPass Policy Manager will need to be configured before Onboard provisioning will work. See the ClearPass Guest Deployment Guide [1] and ClearPass Policy Manager User Guide [2] for more details. The Instructions to Apply section in this tutorial will go over some of the very basics that need to be configured.
AOS devices has a 63 character limit for profile names. When entering values for profile prefix and profile name, ensure that the total length will not exceed 63 characters after taking into account all derived profile names. For example, if there is a profile in the configuration called "%gen_prefix%-%profile_name%-auth", ensure that the two variables plus the 6 static characters don't exceed 63 characters.
Android devices will need to download the QuickConnect app from the Google Play store as part of the Onboard provisioning process. The play store uses a combination of ports 80 (HTTP) and 443 (HTTPS) to download and display content. In order for the clients to access the Play store over both ports, an ACL was created which allows HTTP/HTTPS access to "android.clients.google.com" and "ggpht.com". The ACL gets placed in the logon role.
Similarly, iOS devices need access to apple.com during its network connectivity test. If this test fails, the Captive Network Assistant (CNA) will pop up on the iOS device immediately after connecting to the SSID. The CNA is not a full browser which makes Onboard provisioning inoperable. This CNA must be bypassed and to do so, this solution leverages ClearPass Guest's ability to spoof the CNA connectivity test with "landing.php". To use this, the redirect URL will be set to /guest/landing.php/device_provisioning.php to make this work. Alternatively, "apple.com" could be added to an ACL in the logon role similar to Google Play store ACL.
The solution allows you to configure the redirect to ClearPass Guest over an IP address although it is not recommended. It is instead recommended to give the solution a valid FQDN for ClearPass so the redirect can use that hostname. A captive portal redirect to an IP address will almost certainly lead to certificate trust issues.
Two user roles get created, one for the pre-provisioned clients and one for the post-provisioned clients. The pre-provisioned user role ("%gen_prefix%-%profile_name%-logon") has the captive portal profile attached to it and will be automatically applied to successfully authenticated 802.1X clients. The post-provisioned user role ("%gen_prefix%-%profile_name%-auth") gets defined but does not get used by the controller configuration by itself. A ClearPass Policy Manager Service must be configured to return back the post-provisioned user role for users that authenticate with Onboard credentials. See the notes in "Instructions to Apply" for more information. Warning: the post-provisioned user role has no network access restrictions. Please adjust this role according to your desired network policy.
Licensing
Access Point and PEF Licenses.
References