Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

iPad activations

  • 1.  iPad activations

    Posted Mar 29, 2013 05:56 PM

    I was wondering how others are handling the activation of iPads out of the box on their wireless networks. iPads reach out to Apple.com before features are functional, if I am correct. A login splash page such as a captive portal breaks this activation. Do you request that users activate their new iPads from home networks, over a MiFi network, or over cellular before accessing a guest network in your corporation? Just wondering how others handle the avalanche of devices.



  • 2.  RE: iPad activations

    Posted Mar 29, 2013 11:09 PM

    There are a couple of options.

     

    One is to set up a netdestination with the sites/domain names in question, then add a rule to the Captive Portal policy to permit traffic to this netdestination/alias, placing the rule above the Captive Portal redirects.

     

    Example:

    (config)# netdestination allowed-ipad-sites

    (config-dest)# name apple.com

     

    (config)# ip access-list session <yourCPpolicy>

    (config-sess-<yourCPpolicy>)# user alias allowed-ipad-sites any permit position 1


    ***this rule needs to be before any DST-NAT entries

     

    A second option is to add a netdestination to the whitelist of the Captive Portal profile.

     

    Example:

    (config)# netdestination allowed-ipad-sites

    (config-dest)# name apple.com

     

    (config)# aaa authentication captive-portal <yourCPprofile>

    (Captive Portal Authentication Profile <yourCPprofile>)# white-list allowed-ipad-sites
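
The ordering caveat in the reply above ("this rule needs to be before any DST-NAT entries") can be checked offline against an exported policy. This is an added example, not part of the original posts or of Aruba's tooling; the policy name `example-cp-policy`, the sample ACLs and the function names are constructed, and the check treats any earlier any-destination `dst-nat` rule as shadowing without comparing services.

```python
# Constructed captive-portal session ACLs in ArubaOS syntax (sample data, not from the thread).
BROKEN_ACL = """\
ip access-list session example-cp-policy
  user any svc-http dst-nat 8080
  user alias allowed-ipad-sites any permit
  user any svc-https dst-nat 8081
"""
FIXED_ACL = """\
ip access-list session example-cp-policy
  user alias allowed-ipad-sites any permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
"""


def parse_rules(acl_text):
    """Parse 'user <dest> <service> <action>' lines into ordered rule dicts."""
    rules = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "user":
            continue  # policy header, blank line, or a source type this sketch ignores
        end = 3 if tok[1] in ("alias", "host") else 2  # destination is 1 or 2 tokens
        rules.append({
            "pos": len(rules) + 1,
            "dest": " ".join(tok[1:end]),
            "service": tok[end],
            "action": " ".join(tok[end + 1:]),
        })
    return rules


def shadowed_permits(acl_text, alias):
    """Return (permit_pos, dst_nat_pos) pairs where a dst-nat rule is matched first."""
    rules = parse_rules(acl_text)
    findings = []
    for rule in rules:
        if rule["dest"] != f"alias {alias}" or rule["action"] != "permit":
            continue
        for earlier in rules[:rule["pos"] - 1]:
            # First match wins: an earlier any-destination dst-nat catches the traffic.
            if earlier["dest"] == "any" and earlier["action"].startswith("dst-nat"):
                findings.append((rule["pos"], earlier["pos"]))
    return findings


if __name__ == "__main__":
    print("broken:", shadowed_permits(BROKEN_ACL, "allowed-ipad-sites"))
    print("fixed: ", shadowed_permits(FIXED_ACL, "allowed-ipad-sites"))
```

An empty result means the allowlist permit sits above every redirect; each pair otherwise names the permit position and the `dst-nat` rule that is evaluated before it.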

     

     



  • 3.  RE: iPad activations

    Posted Apr 01, 2013 09:41 AM

    Thanks very much for the info. I will give that a try. To expand on that, is there a similar process for the AmigoPod self-registration Guest portal?

     



  • 4.  RE: iPad activations

    Posted Apr 01, 2013 09:49 AM

    When you say similar process, do you mean to allow access to the guest registration portal without having the traffic hit the DST-NAT rule? If so, you really have the same options. You can create a Network Destination that corresponds to your Amigopod, or you can just add a line in your logon role to allow http/https traffic to Amigopod.

     

    (config)# ip access-list session <yourLogonRolepolicy>

    (config-sess-<yourLogonRolepolicy>)# user host <ip.of.amigopod> svc-http permit position 1

    (config-sess-<yourLogonRolepolicy>)# user host <ip.of.amigopod> svc-https permit position 2

     

    As part of a Network Destination:

    (config)# netdestination amigopod-servers

    (config-dest)# host <ip.of.amigopod>

     

    (config)# ip access-list session <yourLogonRolepolicy>

    (config-sess-<yourLogonRolepolicy>)# user alias amigopod-servers svc-http permit position 1

    (config-sess-<yourLogonRolepolicy>)# user alias amigopod-servers svc-https permit position 2