Community Home > Discuss > Technology > Security > Clearpass Onboard : iOS devices provisionning

Security

Reply
Highlighted
maxxxxxx
Occasional Contributor I
maxxxxxx

Clearpass Onboard : iOS devices provisionning

‎10-15-2014 12:22 AM

Hi,

 

For my first post on Airheads Community, I'd like to submit BYOD issue when provisionning iOS devices.

 

My goal is to Onboard/Provision personal devices, using a PEAP/MSCHAPv2 authentication. I've configured two SSID, and my Clearpass configuration seems OK, since it's working for my Windows and android devices.

 

The issue occur when I try to provision an iPad:

 

- Installation of root CA : OK

- Onboarding : OK, I can see my device on Clearpass Onboard

- Provisionning : Failed. Connection to my corporate SSID failed. Looking in access tracker, It seems that my Provisionning service is not applied.

 

Have you any idea that could help me ?

 

Thank you,

 

Maxime

Alert a Moderator
Message 1 of 8
4,790 Views
Tags (2)
Reply
0 Kudos
Aruba
Aruba
tarnold

Re: Clearpass Onboard : iOS devices provisionning

‎10-15-2014 12:26 AM

The most common issue is the device is not trusting the https cert. You need to have a publicly signed cert on the https. If you are just testing you can disable https on both the controller and CPPM. Then in your redirect use http://
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Alert a Moderator
Message 2 of 8
4,788 Views
Tags (1)
Reply
maxxxxxx
Occasional Contributor I
maxxxxxx

Re: Clearpass Onboard : iOS devices provisionning

‎10-15-2014 12:55 AM - edited ‎10-15-2014 01:11 AM

Thanks Troy,

 

I've unchecked "Require HTTPS for guest access" in CPPM and I use an http url for my BYOD captive portal, but it doesn't work.

 

Now, I think I've a problem with one of my Clearpass Onboard Service.

I've configured the following rule : 

1.Radius:IETFUser-NameCONTAINSOnboardDevice

This rule is firing with my windows and android device when I connect to my corporate SSID with unique id, but not with my Ipad.

 

Alert a Moderator
Message 3 of 8
4,774 Views
Tags (2)
Reply
0 Kudos
Aruba
Aruba
tarnold

Re: Clearpass Onboard : iOS devices provisionning

‎10-15-2014 01:00 AM

What are you using for wireless?

If you can onboard other devices its most likely not a service issue.

Do you also have the checkbox checked in the controllers captive portal. Samplace where you put in the address.

Post some screen shots of access tracker and you can also look in the application log in the guest side.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Alert a Moderator
Message 4 of 8
4,771 Views
Tags (2)
Reply
0 Kudos
maxxxxxx
Occasional Contributor I
maxxxxxx

Re: Clearpass Onboard : iOS devices provisionning

‎10-15-2014 02:04 AM

I'm using Aruba APs and controllers (3600)

 

I also checked the "use http" checkbox.

 

Now, looking in the controller log, I can see EAP challenge failed when trying to connect to my corporate SSID. So I have a few questions :

 

- Is it possible to use unique id and PEAP with iOS devices ?

- Should I use EAP-TLS instead ?

Alert a Moderator
Message 5 of 8
4,760 Views
Tags (2)
Reply
0 Kudos
maxxxxxx
Occasional Contributor I
maxxxxxx

Clearpass Onboard : iOS devices provisionning

‎10-16-2014 12:04 AM

I had a phone call with TAC, they say that unless I configure a commercial certificate, it won't work.

That seems strange, because I thought that manually installing Root CA and desactivate https should work.

 

I've tried to provision a WPA2-PSK SSID and it's working like a charm. But when I provision a 802.1X SSID (tried PEAP and EAP-TLS), it doesn't work. And the strange part is that I didn't see any log in Access Tracker for the authentication service.

Alert a Moderator
Message 6 of 8
4,728 Views
Tags (2)
Reply
0 Kudos
Aruba
Aruba
tarnold

Re: Clearpass Onboard : iOS devices provisionning

‎10-16-2014 12:17 AM

Like I was talking about you can provision with out a Public cert if you have the following done on CPPM and the controller.

 

You wont see any auths happening on a PSK network because the client will disconnect and then reconnect with the same SSID. IOS devices have an issue where it wont move to a provisioned SSID like a windows or android device will. 

 

Also if you want the device to disconnect and reconnect you need to have the Send IP checkmarked in the controller.

 

Here is a how-to.

 

https://ase.arubanetworks.com/solutions/id/34

 

Screen Shot 2014-10-16 at 2.11.15 AM.png

 

Screen Shot 2014-10-16 at 2.11.52 AM.png

 

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Alert a Moderator
Message 7 of 8
4,723 Views
Tags (1)
Reply
maxxxxxx
Occasional Contributor I
maxxxxxx

Re: Clearpass Onboard : iOS devices provisionning

‎10-16-2014 02:19 AM

Thanks a lot for the how-to !

 

It's almost working now, I think that the "Add IP Switch IP..." was the key.

I've just a small issue on iOS devices, I need to switch the WiFi off/on to get the correct profile.

 

Again, thank you for your help !

 

Alert a Moderator
Message 8 of 8
4,712 Views
Tags (2)
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium