Original Message:
Sent: Mar 19, 2024 07:43 AM
From: Simpleexplained
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Yes, that's where we get stuck, because we already have a working setup and have imported the Root CA and subordinate into the CPPM trust store and list. But for some reason it does display the message with the Shared iPad.
Original Message:
Sent: Mar 15, 2024 12:28 PM
From: Herman Robers
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Fatal alert by server: unknown_ca means that you have not imported and enabled the Root (and intermediates) CA that issued your client certificates with the type EAP into the ClearPass Certificate Trust Store.
Looks like you are really close now...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 15, 2024 06:14 AM
From: Simpleexplained
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Hi Herman,
Thanks for your support. What you were suggesting was a great idea.
Doing some trial and error and now I'm stuck.
So I'm currently testing the configuration.
The authentication is hitting the right service policy, but now we receive a reject message with the following statement:
And looking the logs:
Looking at the iPad certificate store, there are 2 certificates:
1. Microsoft Intune Root Certification Authority
2. ROOTCA (from our PKI)
And on the iPad
During manual authentication by selecting the SSID it's using the EAP-TLS:
identity Intune Device ID <string of characters xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx> and its issued by Microsoft Intune MDM Device CA
What am I missing here?
Original Message:
Sent: Mar 15, 2024 04:29 AM
From: Herman Robers
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
One additional suggestion is to first get (one of your) iPads configured, then adapt the ClearPass policy to that by try an authentication and see what authentication/authorization information/attributes you have. From the above it seems you are attempting the reverse path (first ClearPass, adapt Intune/iPads).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 14, 2024 10:14 AM
From: Simpleexplained
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
We are in research / design phase before testing phase and I'm looking for the right configurations for the solution. The question is if I'm in the right corner or am I completely off (configuration wise).
Another question; for the solution I described above and the configuration steps you mentioned is there any documentation of that? Because Google is not helping me.
Original Message:
Sent: Mar 14, 2024 10:04 AM
From: jonas.hammarback
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Can you describe the question you have in more detail?
At the moment it's a bit hard to understand if you need assistance with a configuration question or if you have problems with the autentications.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 14, 2024 09:57 AM
From: Simpleexplained
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Hi Jonas,
The Authentication EAP-TLS Method is as follow:
Session Resumption: Enabled
Session Timeout: 6 hours
Authorization Required: Disabled
Certification Comparison: Do not compare
Authentication sources: Endpoint repository, local SQL DB
Authorization sources: Endpoint repository, local SQL DB - Addional: Microsoft Intune [HTTP]
Role Mapping condition: (Authorization:Microsoft Intune:Intune Azure AD Device Id EXISTS )
With enforcement profile:
Radius:Aruba | Aruba-User-Vlan | = | 88 |
Original Message:
Sent: Mar 14, 2024 08:32 AM
From: jonas.hammarback
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Hi
In Intune you have as I understand configured policies that enroll a certificate for the iPads. In addition to this you also need to create a SSID profile with correct 802.1x settings.
In this profile you should specify the certificate to use for the authentication of the client, the SSID to connect to and to trust the Radius certificate root certificate. Also add the name in the Radius certificate to the policy.
In ClearPass you need to complete a service performing EAP-TLS and in the autentication remove the option to do authorization.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 14, 2024 07:50 AM
From: Simpleexplained
Subject: ClearPass wireless 802.1x for Apple iOS (Shared iPads)
Dear Support,
I am researching the possibility of allowing shared Apple iPads to access the wireless network without an end user having to enter their corporate login credentials to do so. The authentication must then be granted at device level based on a certificate. This is because the shared iPads are used by several people.
We now use ClearPass with Intune integration for 802.1x authentication for corporate devices such as laptops and smartphones. The iPads are deployed via Intune MDM and are thus visible in Entra ID. Furthermore, we have a PKI environment that facilitates certificate handling.
I am looking for the right combination configuration for Intune and ClearPass. What ensures that a shared Apple iPad accesses the wireless network without user intervention, so when the Apple iPad has a (device) certificate access is automatically granted.
Thanks in advance!