Occasional Contributor II

Byod setup (onboard and policy manager setup)

Hi all,

This is my first time attempting to do onboarding using clearpass. Quite lost how I should actually start.

I went thru the onboarding deployment guide. It taught the steps to create the certs and configure the provisioning settings. I am using the clearpass with aruba controllers to do 802.1x and ma authentication.

Is there any tutorials or guide that show the whole steps/process from what I should configure on the policy manager and onboard?

1) what should I configure on the policy manager such that it detects that it is a BYOD device and directs the user to a login page to do onboarding. Do I need to enable profiling? Will I need to return multiple services and what kind of enforcement profiles and roles/attributes should I be returning?
2) I have created a few ad groups(a group that allows user to onboard multiple devices and a group that allows only 1 onboarding of 1 device)
3) should I be creating a role that restrict why byod devices can access after successful provisioning)?

Any documents that can guide/teach me would be greatly appreciated.

I have gone thru the policy manager guide, the onboard deployment guide .

Thanks in advance.
Guru Elite

Re: Byod setup (onboard and policy manager setup)



Onboarding and ClearPass Policy Manager itself have many options and many ways to configure it.  The important thing is to know what you need it for, form a business policy around it, and then you will have a concrete direction.  In general, Onboard is designed to give unique credentials to devices like smartphones where 802.1x would only have them using a regular username and password.  Later, if the user leaves the company, you can disable their AD account and none of their BYOD devices will work.  If they lose a BYOD device the individual device can also be disabled.


With that being said, what environment do you have and what is your goal?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi Colin,


thanks for your reply.


I have a ssid which corporate laptops will be using for 802.1x authentication. Should users use their android/ios/macbook devices to connect, they should be directed to a provisioning page to do onboarding. Once onboarded, those devices will have limited access to corporate networks. Those devices will be managed by mobile iron once onboarded.


I have configured the services for the corporate laptop 802.1x authentication with role assignment. Should I be using the same service to determine if it is a byod device? How do I configure the policy manager to determine that it is a BYOD device and direct it to the captive portal? Do I need to enable the profiler for the policy manager to categorise the devices?



Guru Elite

Re: Byod setup (onboard and policy manager setup)

Are these corporate devices Windows devices that will be doing machine authentication to your domain?

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi Tim,

The corporate devices are windows machine that will be doing machine and user authentications. The user authentication is working at the moment for these windows devices. Can't test machine authentication as the AD is not ready.

The confusing part are those non-corporate devices like iPads/android tablets/MacBook etc. how do I configure the clear pass to detect them and direct them to the onboarding page?

Re: Byod setup (onboard and policy manager setup)

First: Add ClearPass as IP Helpers under the Wireless VLANs, this will allow you to profile and get device OS information

2014-06-21 11_21_16-Chrome Remote Desktop.png

Second: Add Endpoint Repository as an Authorization Source

Third: Add device Category and OS Family as "Roles"

2014-06-21 11_15_38-Chrome Remote Desktop.png

Fourth: In your enforcement policy use these to redirect users to the onboard page:

2014-06-21 11_19_15-Chrome Remote Desktop.png

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Guru Elite

Re: Byod setup (onboard and policy manager setup)

Here's the basic you need in your enforcement profile:




You can use this as a baseline and then add more granular context with AD groups, etc.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi Guys,

Thanks for spending your Saturday helping a noob like me.

I understand slightly now.

The end profiler is needed to categorize the devices.

So I should just add the endpoint repository as an authorization source to the my existing 802.1x service?

The device_category and device_family can be used as as a condition. The enforcement policy will determine that if it is a "smartdevice" I should redirect the user to the provisioning page. For my case, I should check whether the user is authenticated and another condition that user is eligible to do byod onboarding based on the ad group the use ID is in.

I dun have the clear pass with me now. Is the enforcement profile "home onboard redirect role" an enforcement profile template or was it created manually? What was set for that profile if it was created manually? Was Tim's enforcement profile what I should be setting if the profile was created manually?

Which step will cause the byod device to be redirected to the provisioning page?

Can I know if there are any materials if I should be referring to do learn more about the setup?

Guru Elite

Re: Byod setup (onboard and policy manager setup)

I usually always add the endpoint repository as an authorization source.


The ONBOARD-ENROLL enforcement policy just returns that role to the controller. On the controller you'd need to create a new user-role with the same name and attach a captive portal profile with the URL of the the onboard enrollment page.


You'll want to check for Authentication:OuterMethod = EAP-PEAP and Authorization:AD:Groups EQUALS Onboard-Group-Name and then return the ONBOARD-ENROLL role to the controller. This just says if you're using username and password to authentication (instead of a certificate) and you're a member of the approved group, then send you to the onboard enrollment page.


I created these profiles manually. You can also check out It's a wizard based engine that can create controller configurations based on your ClearPass requirements.



Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Captive portal is something I have not done before. Let me go read up and try it out. Will update back here again.

Thanks for all the generous guidance :)
Search Airheads
Showing results for 
Search instead for 
Did you mean: