Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Onboard: iOS devices provisioning

  • 1.  ClearPass Onboard: iOS devices provisioning

    Posted Oct 15, 2014 03:22 AM

    Hi,

     

    For my first post on Airheads Community, I'd like to submit a BYOD issue when provisioning iOS devices.

     

    My goal is to Onboard/Provision personal devices, using PEAP/MSCHAPv2 authentication. I've configured two SSIDs, and my ClearPass configuration seems OK, since it's working for my Windows and Android devices.

     

    The issue occurs when I try to provision an iPad:

    - Installation of root CA: OK

    - Onboarding: OK, I can see my device on ClearPass Onboard

    - Provisioning: Failed. Connection to my corporate SSID failed. Looking in Access Tracker, it seems that my Provisioning service is not applied.

     

    Do you have any idea that could help me?

     

    Thank you,

     

    Maxime



  • 2.  RE: ClearPass Onboard: iOS devices provisioning

    EMPLOYEE
    Posted Oct 15, 2014 03:27 AM
    The most common issue is the device is not trusting the https cert. You need to have a publicly signed cert on the https. If you are just testing you can disable https on both the controller and CPPM. Then in your redirect use http://


  • 3.  RE: ClearPass Onboard: iOS devices provisioning

    Posted Oct 15, 2014 03:55 AM

    Thanks Troy,

     

    I've unchecked "Require HTTPS for guest access" in CPPM and I use an http url for my BYOD captive portal, but it doesn't work.

     

    Now, I think I have a problem with one of my ClearPass Onboard services.

    I've configured the following rule:

    1. Radius:IETF User-Name CONTAINS OnboardDevice

    This rule is firing with my Windows and Android devices when I connect to my corporate SSID with unique id, but not with my iPad.

     



  • 4.  RE: ClearPass Onboard: iOS devices provisioning

    EMPLOYEE
    Posted Oct 15, 2014 04:01 AM
    What are you using for wireless?

    If you can onboard other devices it's most likely not a service issue.

    Do you also have the checkbox checked in the controller's captive portal? Same place where you put in the address.

    Post some screen shots of access tracker and you can also look in the application log in the guest side.


  • 5.  RE: ClearPass Onboard: iOS devices provisioning

    Posted Oct 15, 2014 05:05 AM

    I'm using Aruba APs and controllers (3600)

     

    I also checked the "use http" checkbox.

     

    Now, looking in the controller log, I can see EAP challenge failed when trying to connect to my corporate SSID. So I have a few questions:

    - Is it possible to use unique id and PEAP with iOS devices?

    - Should I use EAP-TLS instead?



  • 6.  RE: ClearPass Onboard: iOS devices provisioning

    Posted Oct 16, 2014 03:05 AM

    I had a phone call with TAC; they say that unless I configure a commercial certificate, it won't work.

    That seems strange, because I thought that manually installing the root CA and deactivating https should work.

    I've tried to provision a WPA2-PSK SSID and it's working like a charm. But when I provision an 802.1X SSID (tried PEAP and EAP-TLS), it doesn't work. And the strange part is that I didn't see any log in Access Tracker for the authentication service.



  • 7.  RE: ClearPass Onboard: iOS devices provisioning
    Best Answer

    EMPLOYEE
    Posted Oct 16, 2014 03:18 AM

    Like I was talking about, you can provision without a public cert if you have the following done on CPPM and the controller.

    You won't see any auths happening on a PSK network because the client will disconnect and then reconnect with the same SSID. iOS devices have an issue where they won't move to a provisioned SSID like a Windows or Android device will.

    Also, if you want the device to disconnect and reconnect you need to have the Send IP checkmarked in the controller.

     

    Here is a how-to.

     

    https://ase.arubanetworks.com/solutions/id/34

     


     

     



  • 8.  RE: ClearPass Onboard: iOS devices provisioning

    Posted Oct 16, 2014 05:19 AM

    Thanks a lot for the how-to!

    It's almost working now, I think that the "Add IP Switch IP..." was the key.

    I just have a small issue on iOS devices: I need to switch the WiFi off/on to get the correct profile.

     

    Again, thank you for your help !