Contributor II

Re: Byod setup (onboard and policy manager setup)

Can I suggest you consider multiple SSIDs? The use cases are quite different for corporate devices and BYOD, even if they end up on the same controller role via different enforcement policies. Having different SSIDs and specifically matching a service to each does simplify some of the logic. If nothing else, it's easier to document and explain to others.
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

The requirement from the customer was a single SSID for onboarding BYOD, onboarded BYOD and non-BYOD corporate laptops, so I can't do multiple SSIDs for these features. To connect to that SSID, users are using 802.1X authentication.

I had created the following service:

Service.png

I will have users in 3 separate security groups (User, Hospital, IT). The first 3 conditions will provide users with a non-onboarded role for full access to the network. I am testing on the IT roles at the moment. If a user is using a smart device, belongs to the BYOD_IT grouping and is not using EAP-TLS, they will be assigned to a pre-provisioned role (BYOD_IT).

 

Now in captive portal, I will create a matching role.

Role.PNG

Captive portal profile is as below.

CP Profile.png

When users attempt to access any webpage through their non-onboarded BYOD iPad, they are directed to the ClearPass provisioning URL but the page shows "Safari cannot open the page because too many redirects occurred". The iPad was assigned the pre-provisioned role of BYOD_IT correctly. Why am I not able to see the provisioning page?

I had tried removing the captive portal profile for the BYOD_IT role and provided an allowall policy without the captive-portal policy; with that, I am able to see the provisioning page. However, I get a "profile installation failed" error when I attempt to install the device profile. I am in the midst of downloading the latest cumulative patch to see if it resolves the profile installation problem.

Guru Elite

Re: Byod setup (onboard and policy manager setup)

Try unchecking the guest and user login boxes in your captive portal profile.

Also, are you using the ClearPass URL with landing.php?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

OK. Thanks. Will try that. But why is there a redirection loop?

My URL does not have the landing.php.

The URL is http://(clearpass IP address)/guest/civetcat_provisioning.php?mdps=4. I didn't have a DNS server, so I was trying to get redirected to the page using a random IP address to trigger the captive portal.

The URL becomes a long string of text after I got the error. The parameters (e.g. AP group) in the URL repeat a number of times.
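The symptom above (a redirect URL that keeps growing, with the same query parameters repeated) can be checked mechanically. The following is an added example, not code from the thread or from ClearPass; the parameter names other than `mdps` and the addresses are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the kind of URL a browser ends up on after a captive-portal
# redirect loop. Parameter names cmd/url/apgroup and the IP are assumptions made
# for this example, not values taken from the controller documentation.
LOOPED_URL = (
    "http://192.0.2.10/guest/civetcat_provisioning.php?mdps=4"
    "&cmd=login&url=http%3A%2F%2F192.0.2.10%2Fguest%2Fcivetcat_provisioning.php%3Fmdps%3D4"
    "&apgroup=default&apgroup=default&apgroup=default"
)

# Constructed sample of a healthy first redirect to the provisioning page.
CLEAN_URL = "http://192.0.2.10/guest/civetcat_provisioning.php?mdps=4&apgroup=default"


def repeated_params(url):
    """Return {name: count} for query parameters that occur more than once."""
    counts = {}
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


def self_referencing(url, param="url"):
    """True if the redirect target carried in `param` points back at the same
    host and path, i.e. the portal is being told to send the client to itself."""
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == param:
            target = urlsplit(value)  # parse_qsl has already percent-decoded it
            if target.netloc == parts.netloc and target.path == parts.path:
                return True
    return False


def looks_like_redirect_loop(url):
    """Combine both indicators; either one is enough to flag a loop."""
    return bool(repeated_params(url)) or self_referencing(url)


if __name__ == "__main__":
    for u in (CLEAN_URL, LOOPED_URL):
        print(looks_like_redirect_loop(u), repeated_params(u), u[:60])
```

Paste the final URL from the device's address bar into `LOOPED_URL` to see which parameters the controller keeps re-appending.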
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi all,

I have gotten the redirection working. It had something to do with my policies.

Now I have another query. My Android phone, after going to the provisioning page and authenticating successfully, is redirected to install the Network Profile.

When installing, I get the error:

"There was an error in configuring your device. This device is not authorized to use this service. Server rejected authorization: Invalid username or password."

I checked the access tracker and there seemed to be another authentication attempt while the phone was attempting to install the network profile.

Request Details - Summary.PNG

Request Details - Input 1.PNG

Request Details - Input 2.PNG

Request Details - Input 3.PNG

Request Details - Output.PNG

Request Details - Alerts.PNG

Why am I getting the error of invalid username and password even though my authentication on the provisioning page was successful?

Should I be creating another service to cater for the installation of the network profile?

Thanks.

Guru Elite

Re: Byod setup (onboard and policy manager setup)

Do you have an Onboard authentication and Onboard authorization service?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi Tim,

I didn't. I do not have the ClearPass with me now. I had attempted to use one service for everything. The plan was to have multiple conditions:

1) if not a smart device, belongs to a pre-provisioned role, assign a laptop user role
2) if a smart device, belongs to a pre-provisioned role and not using EAP-TLS, assign a pre-provisioned role
3) if a smart device, belongs to a pre-provisioned role and using EAP-TLS, assign a pre-provisioned role

Would that suffice?
Guru Elite

Re: Byod setup (onboard and policy manager setup)

You still need two services to handle the application authentication piece of the Onboard process. I would use the service template for Onboard.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi Tim,

Noted. Will try that out once I get access to it again.

Thanks.
Occasional Contributor II

Re: Byod setup (onboard and policy manager setup)

Hi all,

I had tried using the service template for the Onboarding service but I am still getting the "Profile Installation Failed - A connection to the server could not be established." error on iOS and "server rejected authorization: Invalid username or password" on Android.

Three services were created when I used the template:

Onboard Service Template.png

Onboard_Web_Login was a service I created to authenticate the iOS-BYOD user credentials on the captive portal.

The access tracker still shows that Service Categorization Failed. I am using the ClearPass as the cert authority and I have another ClearPass appliance forming a cluster with this one.

I have added the "Local User Repository" to the authentication source for all the services. The Pre-Provisioning enforcement policy returns an Aruba-User-Role of 'BYOD-Provision'. I have amended it to a role I created, as I did not see any BYOD-PROVISION role in the controller.

Could someone enlighten me on what I could have done wrong?

Thanks.
