Occasional Contributor II

Onboard - MDPS design/setup help needed! (for iPad's)



Hopefully someone can help me out!


I have been working on setting up iPad provisioning using Onboard and have had no luck as of yet. 


What I have set up is what is demoed:


connect to provisioning SSID

install root cert

authenticate to AD

install profile

connect to provisioned SSID (different)


The issue is that when the iPad connects to the provisioned SSID it waits a while then says "unable to join XXXX" 


On the provisioned SSID we have the radius pointing to a NPS server which has the root cert for our CA and even Onboard (tired both ways: onboard subCA and onboard own CA)


The access deny message on the NPS servers says that "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." (we get this using both CA modes)


I believe it has something to do with the OCSP URL and have read over this airhead post:


From the Onboard documentation it says we need to configure our auth server to use OCSP to check the revocation staus of a client certificate.


I guess then, How do I do this??


The client certs have the ocsp url in them and i added them to the onboard subCA cert (and onboard CA cert) that we have on the NPS server but no go.


I clearly am missing a step....







Guru Elite

Re: Onboard - MDPS design/setup help needed! (for iPad's)

When onboarded, the certificates are created in the ClearPass Onboad Environment, and The controller should Authenticate to the ClearPass Onboard Server as a Radius Server to Validatate the Credentials of the Onboarded Devices:


- Configure the ClearPass Onboard Server as a Radius Server in the Controller

- Run the LAN/WLAN Wizard to Stand Up the Onboarded WPA2-AES SSID, choosing the existing ClearPass Onboard Server in the controller as the Radius Server.


On the Onboard Server:

- Configure the Controller as a NAS device in the ClearPass Onboard Server under Radius> Network Authentication Servers

- Have the Onboard Server's Radius Server Request a Server Certificate By going to 

Radius> Authentication> EAP and 802.1x> Create Server Certificate> Request a Certificate from Another Certificate authority. Fill out the server information and get the CSR File.

Take that file to the Onboard CA (Onboard> Certificate Management> Upload a Certificate Signing Request). When the TLS Server Certificate is Created, go to the TLS-server Certificate and Click on Export Certificate.

Take that file and Apply it to the Onboard Server's Radius Server by going to Radius> Authentication> EAP and 802.1x> Import Server Certificate. When that is done, go back to Radius> Authentication> EAP and 802.1x> EAP Configuration and make sure EAP-MSCHAPv2, EAP-TLS and PEAP are checked. To get it working, you can disable Certificate Certificate Revocation Checks, for now.


You will need to restart the Onboard Radius Server before doing anything.


See if you can associate an onboarded client to the SSID.


For troubleshooting, go to Radius> Server Control> Debug Radius Server.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
Showing results for 
Search instead for 
Did you mean: