Security

Using the Virtual controller on an IAP pointing to CPPM(6.1) for BYOD. Have an employee SSID set up on Instant which points to CPPM and Onboard configured for Captive portal. I cant seem to perform redirection to the Captive portal. The redirection works for my guest SSID and CPPM/Onboard guest portal.  Any pointers much appreciated.

Have you confirmed its not a DNS resolution issue?
Have you tried using an IP address for redirection?
If the the employee SSID is in a different VLAN than your other SSIDs, does the VLAN on the controller have an IP assigned to it?

 

Confirmed its not a dns resolution issue, also tried with IP address.  We are using a single ssid called byod on the Instant AP which maps to an employee role. thanks a bunch

BYOD on a Single SSID

Instant OS 3.2 and earlier did not provide the ability to redirect a client to a captive portal page post 802.1X authentication. This limitation required the use of 2 SSIDs: 1) provisioning SSID 2) approved device SSID (802.1X) to provide a complete BY0D solution. In Instant OS 3.3, Aruba introduced the ability to redirect a client to a captive portal page after 802.1X authentication. This new enhancement provides the ability to append a captive portal redirection to a user role. This enhancement coupled with the ability to define a user role based on the EAP authentication type allows the use of a single SSID for a complete BYOD solution. The steps involved in configuring a single SSID for BYOD are these:

1. Create a user role with captive ported redirection
2. Create an employee SSID with WPA2_Enterprise authentication
3. In the employee SSID configuration create a derivation rule that assigns the captive portal user role based on 802.1X authentication type (Ex: EAP-PEAP MSCHAPv2)
4. Optionally, configure ClearPass to return non-captive user role for users authenticating using EAP-TLS . By default, a user authenticating with an EAP-method other than the one in Step 3 is assigned the default-role for the SSID.

 

STEP 1: Create a user role with captive portal redirection

 

• Create a new role: byod-enroll

 

• Create a captive portal access rule

 

 

• Allow DNS, DHCP to all destinations and HTTP/HTTPS access to ClearPass server.

 

 

 

 

 

STEP 2: Create an Employee SSID

 

• Configure SSID name and VLAN

 

 

 

 

• Configure WPA2-Enterprise security on the SSID

 

 

 

STEP 3: Configure the access settings of the SSID with appropriate 802.1X authentication type based derivation rule

 

• Configure a derivation rule based on the EAP-type. If the user authenticates with PEAP-MACHAPv2 assign the byod-enroll. This will redirect the users to provisioning page.

 

 

 

• User authenticates with EAP types other the PEAP-MSCHAPv2 will be assigned the default role for the SSID. The provisioning process on ClearPass will install certificates and configure the client's wireless supplicant for EAP-TLS.

 

• When the client reconnects to the SSID during the final step of the provisioning process it uses EAP-TLS. This will assign the default SSID role to the client.

 

STEP 4: If required configure IAP for server derived rules

 

• Using the Aruba-User-Role VSA, ClearPass can push user roles to IAP. The accomplish this, the IAP should be configured with the appropriate user role definition ad server derived rule.

 

 

hi tarnold

 

thank you for your help, unfortunately i cannot see the images as they appear to be on ur internal pages.. prompting me to login

 

please can you send the screenshots by pdf...

 

kind wishes

raj

PDF

Thanks you so much

 

The URL redirect now happens but the onboarding does not complete. The IAP sends the following URL format to the CPPM

 

https://<clearpass IP>/guest/device_provisoning.php?cmd=login&mac=xxxxxxxxx&essid=byod&ip=192.......&apname=xxxxxxxx&switchip=securelogin.arubanetworks.com&url=http<original URL>

 

however if I manually go to https://<clearpass IP>/guest/device_provisoning.php/    then I get to the onboarding page. After running through Quick Connect app I get re-provisioned for TLS. 

 

It seems CPPM is expecting only upto "/device_provisioning.php/  and not the other meta data containing the original url

 

i am trying this with Android ICS 4.1.1. 

 

I experienced same issue of non redirection when trying from iPad.(testing without commerical cert )

 

 

 

Did you try it with out https.

 

IOS will not onboard if you have https enabled with no public webserver cert. 

 

Make sure you disable https in CPGuest under "Home » Configuration » Authentication"

 

And in you IAP you use http. 

 

Android will also complain if you tell it to validate the server cert under the provisioning settings.

I tried both with & without https  ( Onboard > Config > Authentication >  disabled HTTP for authentication for guest portal )

 

I can get iOS to onboard without https (1st PEAP, then TLS). Android and iOS works fine if i point browser to http://<ip_addr>/guest/device_provisoning.php

 

 

For iOS or Android if I type in a random URL  I can see the redirect trying to happen

 

For example: 

 

1. I enter in browser:  http://www.yahoo.co.in           (dns works)

2. Browser is hijacked and URL shows  <ip of cppm>/guest/device_provisioning.php<followed by mac adress, meta data and the orignal url >

 

but it hangs there and then says the link cannot be reached.

 

Are my 

 Is there an example of configuration on the CPPM services & onboaed side?

 

much thanks

error msg on the redirect attempt is (on android)

 

Webpage not available

 

The webpage at < IP adrress of CPPM  + long url > might be temporarily down or it may have permanently moved to a new web address.

What device are you testing with?

I will have some lab time wed so I will do some testing and try to update some docs.

You can look here to see if the device has been tested. The list is an older one and I will try to update it also.

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Android-Onboarding/m-p/74380#M1928