Contributor II

ClearPass onboarding of shared devices without tying to specific username

Hi all,


My SE and I have been working on implementing a ClearPass solution to the dilemma of using shared student iPads (and other devices, but I'll just say "iPads" from here on out) on our district network.  The issue is that we don't want to connect to our WPA2-Enterprise network using a student's username and password, since the iPad remembers the credentials.  We are using an eval license of ClearPass to test this, but we've had mixed results.


Here's what I want to accomplish:


  • Allow a site tech to onboard the device using a ClearPass URL.
  • Have the device receive a certificate from AD or ClearPass (not sure which one they actually get).
  • Future connections from the device will be authenticated using the certificate, NOT a username.

Here is what is actually happening:


  • Browse to ClearPass URL
  • Install root certificate
  • Enter username and password
  • Install provisioning certificate (I guess that's what you call it), which includes a profile on the iPad containing a new SSID
  • Connect to new SSID

The problem is that, on my local Aruba controller, when I do a "show user-table", I see the connection still referencing a username:


(do-aruba3600local-1) #show user-table | include CPPM    fc:25:3f:b6:fe:53  1879001                  authenticated  00:00:08    802.1x                DO_IT_AP                                            Wireless  PUSD-CPPM/00:24:6c:ab:4b:a9/a-HT    PUSD-CPPM-Dot1x-AAA-Profile    tunnel        iPad

In this example, "PUSD-CPPM" is the SSID that I reconnect to after installing the profiles, and "1879001" is the user ID that I used during the onboarding.


My SE and I are both at a loss to explain why we're still seeing the username.


Also, I have defined a role on the Aruba controller called "StaffAccess", which is what I want the devices to be placed into, but I haven't figured out how to get that going, either.  They're landing in the "authenticated" role instead.


Any advice, suggestions, etc.?  I can provide additional info if needed, but I didn't know what else might be needed.



Re: ClearPass onboarding of shared devices without tying to specific username

When you provision a cert for a device it will both included the user and device information. That is the purpose of a TLS certificate is to simplify the authentication process for the user so they do not have to always enter their user credentials, the cert does it for them. 


As for the role mapping you need to make sure you have the corresponding role on both the controller and CPPM they are case sensitive. 







Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II

Re: ClearPass onboarding of shared devices without tying to specific username

Hi Troy,

Thanks for your response!  I should point out, if I didn't already, that I'm totally new to ClearPass. :)


When I go to Configuration --> Services and click on either my Provisioning or my Authorizaion profiles, the screen that comes up doesn't have as many options as the one you showed.  Specifically, I don't have the "Authorization" or "Profiler" tabs.  But more importantly, on the "Enforcement" tab, I only have one condition (picture attached).



Also, under Configuration --> Enforcement --> Profiles, when I bring up the Post-Provisioning profile, the Aruba-User-Role attribute is set to the correct role that I want the device to be in (case is correct, too), but the device isn't getting placed into the proper role.  I must be missing something, but since I'm not very CPPM-savvy, I don't know what to look for.



Search Airheads
Showing results for 
Search instead for 
Did you mean: