Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC OS X onboarding

  • 1.  MAC OS X onboarding

    Posted Feb 05, 2020 02:50 AM

    We have some issues with MAC OS X; the onboarding process does not seem to work, and I struggle to manage the dot1x profiles...


    Onboarding:

    The MACs receive the redirection and land on the registration page. The process runs and they receive a certificate from the CP. Apparently we have to install the cert manually in the store, but then the story stops. The .1x settings aren’t adapted…

    .1x profile:

    If we look at this manual about how to change the .1x settings for NAC we see that in the tab “802.1x” we can create a profile.

    But on the MAC book I test with (and this was confirmed by other MAC users) the “+” (to create a profile) is not there, despite the fact I’m admin on this machine, and at first sight there is no way to create this in another manner.


    This blog gives a workaround, but we cannot expect that a non-IT user has to install and tweak some programs before the network functions. My attempt was not successful…

    Another solution seems to be the MAC profile manager but we do not have an OS X server with a profile manager configured… 

     

    Has someone seen a decent how-to or a user-friendly solution?



  • 2.  RE: MAC OS X onboarding

    EMPLOYEE
    Posted Feb 05, 2020 03:50 AM

    Are you using ClearPass Onboard module to Onboard your devices? Or do you try to push a profile that you created manually with the Apple configurator tool?

     

    For devices that are managed by a device management system (MDM/EMM), it is recommended to use that to get your clients configured. For non managed devices, like BYOD, ClearPass Onboard will make it easier for users to self-service onboard their devices in a secure way.

     

    You mention 'redirect' in your question. One important thing to know is that if a captive portal is automatically triggered, which is when you see a popup by just connecting to the network without further user interaction, that popup is running in a kind of sandbox. Access to configure things or run scripts is blocked, and that window can basically only be used to do a guest logon to the captive portal. I think this is a safe decision made by Apple as you don't want such an automatic popup to make any changes to your system. Because of this decision by Apple, you should get basic network access first and then find a way to get your users to the location for the Onboarding process. A common way of doing that is to use the guest network, or a dedicated Onboarding network, and prevent the automatic captive portal browser from appearing. In order to do that, you can use the 'whitelists' as maintained on this Aruba Github page. Only when using the normal browser (Safari, but I think Chrome works as well) can you push profiles or run the ClearPass Onboarding process.

     



  • 3.  RE: MAC OS X onboarding

    Posted Feb 05, 2020 04:01 AM

    Hi Herman,

     

    Thanks for your quick reply.

    Yes, we're using the onboard module. The redirect I mentioned is towards the onboarding page, which operates as you mentioned in a separate VLAN across the whole network.
    The way a Windows machine works is that it lands on the onboarding page, registers with the user's AD credentials and downloads an .exe which contains a cert and the .1x settings.
    The MAC books do exactly the same, but only download a certificate and no .1x settings. I cannot even change the .1x settings on a MAC myself.

    The option to create a 802.1x profile is simply not there.

     

    Given the fact that I have never worked with MACs before, I have a hard time figuring this out...

     



  • 4.  RE: MAC OS X onboarding

    EMPLOYEE
    Posted Feb 05, 2020 04:38 AM

    The Onboarding process is expected to continue automatically after the root CA has been installed. There is no need for users to go in the profiles; I only go in there if I want to see what has been installed or if I manually want to remove a profile.

     

    Please verify that you have a public trusted HTTPS certificate on your ClearPass server and don't see any certificate warnings anywhere in the process (except the prompt to install the roots and profile). OSX requires a profile to be served from a trusted HTTPS page, thus the requirement for a public trusted HTTPS certificate on ClearPass.

     

    If the process still aborts, please work with Aruba support to find out what is wrong.
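
Added example, not part of the original posts and not ClearPass code: the symptom in this thread (a certificate arrives but no .1x settings) can be checked by listing what a downloaded `.mobileconfig` actually contains. The payload types and keys are Apple's configuration-profile names; the function `audit_profile`, the sample values, and the assumption that the profile is unsigned (a signed one needs its signature wrapper removed before `plistlib` can read it) are this example's own.

```python
import plistlib

# Constructed sample: an unsigned profile with a root CA, a client identity
# and a Wi-Fi payload set up for EAP-TLS. All names and UUIDs are made up.
SAMPLE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.onboard",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1"},
        {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "ID-1"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-1",
         "SSID_STR": "corp-secure", "EncryptionType": "WPA2",
         "PayloadCertificateUUID": "ID-1",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [13],  # 13 = EAP-TLS
             "PayloadCertificateAnchorUUID": ["CA-1"],
             "TLSTrustedServerNames": ["radius.example.com"]}},
    ],
}

# Apple payload types that can carry 802.1X settings (Wi-Fi, wired).
NET_TYPES = {"com.apple.wifi.managed", "com.apple.firstactiveethernet.managed"}

def audit_profile(data: bytes) -> list[str]:
    """Return findings for the 802.1X part of an unsigned .mobileconfig."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    uuids = {p.get("PayloadUUID") for p in payloads}
    nets = [p for p in payloads if p.get("PayloadType") in NET_TYPES]
    if not nets:
        return ["no network payload: certificates only, no 802.1X settings"]
    findings = []
    for p in nets:
        name = p.get("SSID_STR", p["PayloadType"])
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append(f"{name}: no EAPClientConfiguration")
            continue
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{name}: RADIUS server name not pinned")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or not set(anchors) <= uuids:
            findings.append(f"{name}: trust anchor missing from profile")
        if 13 in eap.get("AcceptEAPTypes", []) and \
                p.get("PayloadCertificateUUID") not in uuids:
            findings.append(f"{name}: EAP-TLS without a client identity payload")
    return findings

if __name__ == "__main__":
    print(audit_profile(plistlib.dumps(SAMPLE)) or "802.1X settings look complete")
```

An empty result means the profile carries a network payload with a pinned RADIUS server name, a trust anchor and a client identity; the first finding matches the "certificate only" behaviour described in post 3.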



  • 5.  RE: MAC OS X onboarding

    Posted Feb 05, 2020 04:51 AM

    I believe we have a decent certificate (see attachment) and we do not receive any errors during the process (not on the MAC, not on the CP).



  • 6.  RE: MAC OS X onboarding

    EMPLOYEE
    Posted Feb 05, 2020 04:58 AM

    Basics look good to me. Please work with Aruba Support for deeper troubleshooting.