Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

New Clearpass Guest w/ onboard system, need some guidance on provisioning!

  • 1.  New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    Posted Aug 14, 2012 01:21 PM

    Hi, 

     

    Turns out these forums are invaluable when setting up Wifi! Anyways, my issue is that I cannot get device provisioning to work correctly. My goal is to have non-provisioned devices connect to the "Mobile Provisioning" SSID, then authenticate the user via AD credentials and install a certificate for the Provisioned network.

     

    Everything works perfectly up to the last step where the device switches connections and tries to authenticate using the newly installed certs. For some reason the profile that gets installed on the device appends the username with ":(certificate serial number):mdps_generic", i.e. john.doe:5:mdps_generic. If it did not append, then it would work! (I am pretty sure anyways).

     

    Question: Can I remove the string that gets added on to the user name? Or am I setting this up all wrong?

     

    Using Aruba Controller

    CP Onboard is a sub. CA to our Windows CA

    AD is set to authenticate users before provisioning (works)

    Once reconnected to the provisioned SSID, our NPS server states user does not exist -> reject.

     

    Thanks in advance for any advice on this and let me know if any other info is needed!!



  • 2.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    Posted Aug 14, 2012 02:24 PM

    Glad you are finding the forums here useful. A couple of things to consider with your Onboard deployment that might be useful. Onboard currently supports two classes of device credentials that will be installed on the provisioned devices during the Onboard process.

     

    The ClearPass Policy Manager is designed to support both classes of these device credentials and you are potentially hitting an issue where the MS NPS is not aware of the method to authenticate the credential you are highlighting.

     

    Please speak to your local Aruba account team or partner and they should be able to advise you on the best path to implement Onboard on your environment.



  • 3.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    Posted Aug 14, 2012 03:10 PM

    Hi -cam-

     

    Thanks for the fast response. That makes sense that the NPS does not understand what the Clearpass provisioned user profile is saying.

     

    One point which I did not mention is that even though all the equipment is Aruba, we got it from Dell so everything is Dell branded. I do have a case open with them, but I just wanted to understand the process(es) for onboarding so I would also have a good idea which way to go. (in a timely fashion...)

     

    One thing I have seen mentioned in regards to onboarding scenarios is having a proxy RADIUS server, but that seems to only make sense when Onboard is the CA.

     

    Thanks!



  • 4.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    Posted Aug 16, 2012 09:43 AM

    Hi, 

     

    After going through all of the Airheads discussions on provisioning again, I believe I know what the solution is. Looks like we need to set up our NPS server to have a remote RADIUS server (proxy Clearpass server) and set it so that when certain RADIUS requests are made to the NPS server it sends them to Clearpass to approve or reject.

     

    I have not tested this yet, so I'll update when I do.

     

    Thanks,  



  • 5.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!



  • 6.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    Posted Aug 16, 2012 10:58 AM

    Thanks for the link, I did come across it before. Only thing is that we are not using Clearpass Policy Manager. :(



  • 7.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    Posted Aug 24, 2012 11:35 AM

    Just an update:

     

    The suffix that is getting added to the username only happens when it is a provisioned Android, not an iPad.....

     

    Thanks,



  • 8.  RE: New Clearpass Guest w/ onboard system, need some guidance on provisioning!

    EMPLOYEE
    Posted Aug 24, 2012 07:59 PM

    That is because the Android device uses PEAP, which is username and password, and the iPad uses a TLS certificate.