Security

Hi all,

This is my first time attempting to do onboarding using clearpass. Quite lost how I should actually start.

I went thru the onboarding deployment guide. It taught the steps to create the certs and configure the provisioning settings. I am using the clearpass with aruba controllers to do 802.1x and ma authentication.

Is there any tutorials or guide that show the whole steps/process from what I should configure on the policy manager and onboard?

1) what should I configure on the policy manager such that it detects that it is a BYOD device and directs the user to a login page to do onboarding. Do I need to enable profiling? Will I need to return multiple services and what kind of enforcement profiles and roles/attributes should I be returning?
2) I have created a few ad groups(a group that allows user to onboard multiple devices and a group that allows only 1 onboarding of 1 device)
3) should I be creating a role that restrict why byod devices can access after successful provisioning)?

Any documents that can guide/teach me would be greatly appreciated.

I have gone thru the policy manager guide, the onboard deployment guide .

Thanks in advance.

Victorwlt,

 

Onboarding and ClearPass Policy Manager itself have many options and many ways to configure it.  The important thing is to know what you need it for, form a business policy around it, and then you will have a concrete direction.  In general, Onboard is designed to give unique credentials to devices like smartphones where 802.1x would only have them using a regular username and password.  Later, if the user leaves the company, you can disable their AD account and none of their BYOD devices will work.  If they lose a BYOD device the individual device can also be disabled.

 

With that being said, what environment do you have and what is your goal?

 

Hi Colin,

 

thanks for your reply.

 

I have a ssid which corporate laptops will be using for 802.1x authentication. Should users use their android/ios/macbook devices to connect, they should be directed to a provisioning page to do onboarding. Once onboarded, those devices will have limited access to corporate networks. Those devices will be managed by mobile iron once onboarded.

 

I have configured the services for the corporate laptop 802.1x authentication with role assignment. Should I be using the same service to determine if it is a byod device? How do I configure the policy manager to determine that it is a BYOD device and direct it to the captive portal? Do I need to enable the profiler for the policy manager to categorise the devices?

 

 

Are these corporate devices Windows devices that will be doing machine authentication to your domain?

Hi Tim,

The corporate devices are windows machine that will be doing machine and user authentications. The user authentication is working at the moment for these windows devices. Can't test machine authentication as the AD is not ready.

The confusing part are those non-corporate devices like iPads/android tablets/MacBook etc. how do I configure the clear pass to detect them and direct them to the onboarding page?

First: Add ClearPass as IP Helpers under the Wireless VLANs, this will allow you to profile and get device OS information

Second: Add Endpoint Repository as an Authorization Source

Third: Add device Category and OS Family as "Roles"

Fourth: In your enforcement policy use these to redirect users to the onboard page:

Here's the basic you need in your enforcement profile:

 

 

You can use this as a baseline and then add more granular context with AD groups, etc.

Hi Guys,

Thanks for spending your Saturday helping a noob like me.

I understand slightly now.

The end profiler is needed to categorize the devices.

So I should just add the endpoint repository as an authorization source to the my existing 802.1x service?

The device_category and device_family can be used as as a condition. The enforcement policy will determine that if it is a "smartdevice" I should redirect the user to the provisioning page. For my case, I should check whether the user is authenticated and another condition that user is eligible to do byod onboarding based on the ad group the use ID is in.

I dun have the clear pass with me now. Is the enforcement profile "home onboard redirect role" an enforcement profile template or was it created manually? What was set for that profile if it was created manually? Was Tim's enforcement profile what I should be setting if the profile was created manually?

Which step will cause the byod device to be redirected to the provisioning page?

Can I know if there are any materials if I should be referring to do learn more about the setup?

I usually always add the endpoint repository as an authorization source.

 

The ONBOARD-ENROLL enforcement policy just returns that role to the controller. On the controller you'd need to create a new user-role with the same name and attach a captive portal profile with the URL of the the onboard enrollment page.

 

You'll want to check for Authentication:OuterMethod = EAP-PEAP and Authorization:AD:Groups EQUALS Onboard-Group-Name and then return the ONBOARD-ENROLL role to the controller. This just says if you're using username and password to authentication (instead of a certificate) and you're a member of the approved group, then send you to the onboard enrollment page.

 

I created these profiles manually. You can also check out https://ase.arubanetworks.com. It's a wizard based engine that can create controller configurations based on your ClearPass requirements.

 

 

Captive portal is something I have not done before. Let me go read up and try it out. Will update back here again.

Thanks for all the generous guidance :)

can i suggest you consider multiple ssids. the use cases are quite different for corporate devices and byod, even if they end up on the same controller role via different enforcement policy. having different ssids and specifically matching a service to each does simplify some if the logic. if nothing else it's easier to document and explain to others

The requirement from the customer was a single ssid for onboarding BYOD, onboarded BYOD and non-BYOD corporate laptops, so i can't do multiple SSIDs for these features. To connect to that SSID, users are using 802.1X authentication.

 

I had created the following service

 

 

I will have users in 3 separate security groups(User, Hospital, IT). The first 3 conditions will provide user with a non-onboarded role for full access to the network. It am testing on the IT roles at the moment. If user is using a smart device, belongs to the BYOD_IT grouping and is not using EAP-TLS, the will be assigned to a pre-provisioned role (BYOD_IT).

 

Now in captive portal, I will create a matching role.

 

Captive portal profile is as below.

 

When users attempt access any webpage thru their non-onboarded BYOD on iPAD, they are directed to the clearpass URL provisioning URL but the page shows "Safari cannot open the page because too many redirects occured".  the ipad was assigned the preprovisioned role of BYOD_IT correctly. Why am I not able to see the provisioning page?

 

I had tried removing the captive portal profile and for the BYOD_IT role and provided a allowall policy without the captive-portal policy, I am able to see the provisioning page. However I will a a profile installation failed when I attempted to install the device profile, I am in the midst of downloading the latest cumulative patch to see if it resolves the profile installation problem.

 

 

Try unchecking the guest and user login boxes in you captive portal profile.

Also, are you using the ClearPass URL with landing.php ?

Sent from Windows Mail

Ok. Thanks. Will try that. But why is there a redirection loop?

My URL does not have the landing.php.

The URL is http://(clearpass IP address)/guest/civetcat_provisioning.php?mdps=4. I didn't have a DNS server so I was trying to get redirected to the page using a random IP address to trigger the captive portal.

The URL becomes a long string of text after I I got the error. The parameters(e.g. Ap group) in the URL repeat a number of times.

Hi all,

 

I have gotten the redirection working. It had something to do with my policies.

 

Now I have another query. My android phone after going to the provisioning page and authenticating successfully is redirected to install the Network Profile.

 

When installing, I get the error

"There was an error in configuring your device. This device is not authorized to use this service. Server rejected authorization: Invalid username or password."

 

I checked the access tracker and there seemed to be another authentication attempt while the phone was attempting to install the network profile.

 

 

 

 

 

 

 

Why am i getting the error of invalid username and password even though my authentication on the provisioning page was successful?

 

Should i be creating another service to cater for the installation of network profile?

 

Thanks.

Do you have an Onboard authentication and Onboard authorization service?

Hi tim,

I didn't. I do not have the clearpass with me now. I had attempted to use one service for everything. The plan was to have multiple conditions.

1) if not smart device, belongs to a pre-provisioned role, assign a laptop user role
2) if smart device, belongs to a pre-provisioned role and not using eap-tls, assign a preprovisioned role
3) if smart device, belongs to a pre-provisioned role and using eap-tls, assign a preprovisioned role

Would that suffice?

You still need two services to handle the application authentication piece of the Onboard process. I would use the service template for Onboard.

Hi Tim,

Noted. Will try that out once I get access to it again.

Thanks.

Hi all,

 

I had tried using the service template for the Onboarding service but I am still getting the "Profile Installation Failed - A connection to the server could not be establised." error on IOS and "server rejected authorization:Invalid username or password" on Android.

 

3 Services were created when i used the template

 

Onboard_Web_Login was a service I created to authenticate the IOS-BYOD user credentials on captive portal.

 

The access tracker still shows that Service Categorization Failed. I am using the clearpass as the cert authority and i have another clearpass appliance forming a cluster with this.

 

I have added the "Local User Repository" to the authentication source for all the services. The Pre-Provisioning enforcement policy returns a Aruba-User-Role of 'BYOD-Provision'. I have amended it to a role i created as I did not see any BYOD-PROVISION role in the controller.

 

Could someone enlighten me on what I could have done wrongly?

 

Thanks.

Double check the SSID name in the services and make sure it matches exactly.

Also if you are using CPPM as the root ca and don't have a publicly signed cert for the HTTPS you need to disable the require https on both the controller and CPPM.

Hi all,

 

Logged a case with TAC and they managed to resolve my issue. It was a misconfiguration on my part I had chosen radius instead of AppAuth for the onboard authorisation.

 

As I am not using a public cert and the self-signed cert from the onboard module was not imported to the policy manager, when my ipad tries to authenticate, it fails.

 

TAC is helping to confirm the error. Solution was to perhaps use the cert from the onboard module.

 

I have got another query. My enforcement policy is not treating my ipad as a smart device and is getting the AUTH_LAPTOP role. The aim is to not to apply onboarding for windows laptop but allow onboarding for MAC OS, ipad, android etc.. I could perhaps use a condition that requires successful user and machine authentication to enforce this but AD is not ready yet. I am using a local account to authenticate and thus am unable to use machine authentication as one of the conditions. Any workaround for this?

 

 

Thanks.

 

Thanks all for your help.

 

I have manged to get the BYOD working with the help from this forum and support :)