Hi all,
My SE and I have been working on implementing a ClearPass solution to the dilemma of using shared student iPads (and other devices, but I'll just say "iPads" from here on out) on our district network. The issue is that we don't want to connect to our WPA2-Enterprise network using a student's username and password, since the iPad remembers the credentials. We are using an eval license of ClearPass to test this, but we've had mixed results.
Here's what I want to accomplish:
- Allow a site tech to onboard the device using a ClearPass URL.
- Have the device receive a certificate from AD or ClearPass (not sure which one they actually get).
- Future connections from the device will be authenticated using the certificate, NOT a username.
Here is what is actually happening:
- Browse to ClearPass URL
- Install root certificate
- Enter username and password
- Install provisioning certificate (I guess that's what you call it), which includes a profile on the iPad containing a new SSID
- Connect to new SSID
The problem is that, on my local Aruba controller, when I do a "show user-table", I see the connection still referencing a username:
```
(do-aruba3600local-1) #show user-table | include CPPM
20.1.12.145 fc:25:3f:b6:fe:53 1879001 authenticated 00:00:08 802.1x DO_IT_AP Wireless PUSD-CPPM/00:24:6c:ab:4b:a9/a-HT PUSD-CPPM-Dot1x-AAA-Profile tunnel iPad
```
In this example, "PUSD-CPPM" is the SSID that I reconnect to after installing the profiles, and "1879001" is the user ID that I used during the onboarding.
My SE and I are both at a loss to explain why we're still seeing the username.
Also, I have defined a role on the Aruba controller called "StaffAccess", which is what I want the devices to be placed into, but I haven't figured out how to get that going, either. They're landing in the "authenticated" role instead.
Any advice, suggestions, etc.? I can provide additional info if needed, but I didn't know what else might be needed.
Thanks!