- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
10-15-2014 12:22 AM
Hi,
For my first post on Airheads Community, I'd like to submit BYOD issue when provisionning iOS devices.
My goal is to Onboard/Provision personal devices, using a PEAP/MSCHAPv2 authentication. I've configured two SSID, and my Clearpass configuration seems OK, since it's working for my Windows and android devices.
The issue occur when I try to provision an iPad:
- Installation of root CA : OK
- Onboarding : OK, I can see my device on Clearpass Onboard
- Provisionning : Failed. Connection to my corporate SSID failed. Looking in access tracker, It seems that my Provisionning service is not applied.
Have you any idea that could help me ?
Thank you,
Maxime
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Clearpass Onboard : iOS devices provisionning
10-15-2014 12:26 AM
Troy
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Clearpass Onboard : iOS devices provisionning
10-15-2014 12:55 AM - edited 10-15-2014 01:11 AM
Thanks Troy,
I've unchecked "Require HTTPS for guest access" in CPPM and I use an http url for my BYOD captive portal, but it doesn't work.
Now, I think I've a problem with one of my Clearpass Onboard Service.
I've configured the following rule :
1. | Radius:IETF | User-Name | CONTAINS | OnboardDevice |
This rule is firing with my windows and android device when I connect to my corporate SSID with unique id, but not with my Ipad.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Clearpass Onboard : iOS devices provisionning
10-15-2014 01:00 AM
If you can onboard other devices its most likely not a service issue.
Do you also have the checkbox checked in the controllers captive portal. Samplace where you put in the address.
Post some screen shots of access tracker and you can also look in the application log in the guest side.
Troy
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Clearpass Onboard : iOS devices provisionning
10-15-2014 02:04 AM
I'm using Aruba APs and controllers (3600)
I also checked the "use http" checkbox.
Now, looking in the controller log, I can see EAP challenge failed when trying to connect to my corporate SSID. So I have a few questions :
- Is it possible to use unique id and PEAP with iOS devices ?
- Should I use EAP-TLS instead ?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Clearpass Onboard : iOS devices provisionning
10-16-2014 12:04 AM
I had a phone call with TAC, they say that unless I configure a commercial certificate, it won't work.
That seems strange, because I thought that manually installing Root CA and desactivate https should work.
I've tried to provision a WPA2-PSK SSID and it's working like a charm. But when I provision a 802.1X SSID (tried PEAP and EAP-TLS), it doesn't work. And the strange part is that I didn't see any log in Access Tracker for the authentication service.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
10-16-2014 12:17 AM
Like I was talking about you can provision with out a Public cert if you have the following done on CPPM and the controller.
You wont see any auths happening on a PSK network because the client will disconnect and then reconnect with the same SSID. IOS devices have an issue where it wont move to a provisioned SSID like a windows or android device will.
Also if you want the device to disconnect and reconnect you need to have the Send IP checkmarked in the controller.
Here is a how-to.
https://ase.arubanetworks.com/solutions/id/34
Troy
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Clearpass Onboard : iOS devices provisionning
10-16-2014 02:19 AM
Thanks a lot for the how-to !
It's almost working now, I think that the "Add IP Switch IP..." was the key.
I've just a small issue on iOS devices, I need to switch the WiFi off/on to get the correct profile.
Again, thank you for your help !
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator