Demo Lab Guide – Wireless BYOD and Mobility Demo

Product Domain: Networking

Author: Colin King

Version: 1.01 Date: 20/01/2016

Table of Contents

1 Product Overview
1.1 Lab Preparation Considerations and Caveats
2 Introduction
2.1 Lab Topology and Essential Information
2.1.1 Lab Addressing and Login Details
2.1.2 Element Access
3 Wireless
3.1 Guest Access
3.1.1 Pre-requisite Information
3.1.2 W-Series Controller Configuration
3.1.3 W-ClearPass Policy Manager and Guest configuration
3.1.4 W-ClearPass Guest Module Configuration
3.1.5 Testing Guest Access with a Wireless Client
3.2 BYOD, W-ClearPass Onboard Lab
3.2.1 W-Series Controller Configuration
3.2.2 W-ClearPass Policy Manager and Onboard configuration
3.2.3 Test BYOD, Onboard with Wireless Client
4 Summary

3 Dell Demo Center – https://demos.dell.com | Dell Inc., 2016

1 Product Overview

This should be used to provide a high level overview of the product. Content from the product

marketing deck or PDF would be applicable.

1.1 Lab Preparation Considerations and Caveats

It is in your best interests to ensure the demo environment you will be demonstrating is clean & tidy

before you begin. For this reason we would recommend, where possible, you log in to your demo at

least 15 minutes prior to delivery and check the following:

1. Familiarize yourself with the environment during this time and check any specific features you are

expecting to demo.

2. Most importantly, be crystal clear with yourself on what it is you plan to show. A full demo of every

feature described below (with questions) can take several hours. If you only have a short time slot

be sure to focus on the key points that address the customer’s pain points and will drive value

home to them.

3. Ensure that you have scheduled the demo for sufficient time so as not to have the demo end

before you are finished with the customer.

Any other guidance on how the user should prepare for the lab can be added here. If there are limitations or anything else the user should be aware of, call them out as well.

2 Introduction

The purpose of this lab is to introduce the BYOD access solution using both the W-Series controller and

W-ClearPass Access Management System. Interaction of wireless access, authentication, authorization,

and policy enforcement will be shown.

The following features are used in this lab:

W-Series Controller

- WLAN access, with policy enforcement through user roles and firewall policies

W-ClearPass Policy Manager

- Identification, Authentication, Authorization, and policy enforcement

W-ClearPass Guest

- Self-registration through captive portal

W-ClearPass Onboard

- Single SSID client WLAN configuration with certificate installation through the Onboard

application

2.1 Lab Topology and Essential Information

[Figure: lab topology diagram. Labels: VLT: S4810-1, S4810-2; MLAG: N4032-1, N4032-2; N3000 Stack; C3750; S4810; 3200 Controller; Access Points; Campus Server VM; AD Server VM; ClearPass VM; Layer 3; Layer 2; VLAN 1920 192.168.3.0/24; VLAN 200 192.168.2.0/24 (Secure); VLAN 210 192.168.4.0/24 (Guest)]

2.1.1 Lab Addressing and Login Details

Lab addressing information:

Device              IP Address     Mask            Gateway
Pod Landing VM      172.20.3.10    255.255.255.0   172.20.3.1
W3200 Controller    172.203.30     255.255.255.0   172.20.3.1
Client VM           192.168.1.19   255.255.255.0   192.168.1.1
Wireless Client 01  172.20.3.21    255.255.255.0   N/A
Wireless Client 02  172.20.3.22    255.255.255.0   N/A
ClearPass           192.168.3.6    255.255.255.0   192.168.3.1

Note: The logon credentials required to run the demo and access elements are detailed where required within the steps of the demo.

Lab usernames and passwords

IP Address    System              Username               Password
172.20.3.4    AD Server           campus\administrator   password
172.20.3.21   Wireless Client 01  demouser               password
172.20.3.22   Wireless Client 02  demouser               password
172.20.3.20   W3200               admin                  campus
192.168.3.6   ClearPass           admin                  campus

2.1.2 Element Access

New for 2014 is the use of Remote Desktop Manager (RDM). RDM is a simple tool to provide quick access to all of the pod hardware from a single tabbed window. All demos are accessible from RDM and each demo is grouped into a single folder on the left-hand side of the screen. These folders can be expanded for each demo, and the hardware access to each device is achieved by simply double-clicking on the item. Here is a screenshot. The red items are all part of Demo 1.

Each section has an icon to fully deploy the working configurations or to reset the switches back to a

base configuration with only IP, username, and password configured.

Note: When the “Deploy Lab” option is selected please allow 10 minutes for all the hardware

elements in the environment to be configured. (See example deployment below)

When an item is accessed, it will appear as a tab at the top of the RDM window. You can have a

separate tab for each type of connection, such as SSH, HTTP, RDP, etc… Below is a screenshot of

RDM with several connections open. Notice the tabs.

Note: The credentials required to access an item within the RDM interface are embedded within the application. You do not have to remember any usernames or passwords to access any of the items within the demo. The exception is:

ClearPass WebConsole – The Web Console is accessed from within the Active Directory Server (AD). There is a shortcut provided on the AD server desktop to launch the ClearPass Web Console.

To launch an RDP session to the AD server, select the “Wireless AD” icon within the RDM interface (see below), double clicking the icon to launch the session:

If you want to reset to a base configuration or reset to a working demo configuration, simply double click the appropriate icon for that group and watch for the process to complete. All demos utilize the same switch hardware, so you cannot run both demos at once. For example, if you want to run the RVLT demo, you will need to run “Deploy Lab – Routed VLT with MLAG”. After that demo, you can run “Deploy Lab – VRRP with MLAG” to do the VRRP version of the demo. It takes approximately 10 minutes to deploy the hardware for a given demo.

3 Wireless

3.1 Guest Access

Users connect to an open SSID and browse to any web page. A captive portal redirects the user to a web form that instructs them to register to gain access. Appropriate policies are assigned to the user, a username and password are generated, and the user is redirected to a designated URL.

Objectives

- Configure W-3200 controller AP group

- Provision APs to the AP group

- Create Virtual AP for a Guest SSID

- Create User roles and policies

- Create W-ClearPass Guest service

- Create Self Registration portal

- Test with a Win7 client

3.1.1 Pre-requisite Information

To start the demo lab please select the folder “Lab 3 – Wireless”. Expand the folder and search for the “Deploy Lab – Wireless” icon. Double click the icon.

A task will start; this task configures all hardware within the lab for the Wireless Demo.

Note: The task will take 10 minutes to complete.

Once the task has completed, the environment is ready for you to undertake and complete the following labs:

- Guest Registration

- BYOD, W-ClearPass Onboard

Note: When entering Guest and Employee SSIDs during the configuration and setup stages, replace # with the demo POD number; for example, Guest01 would be the SSID to be used if you are using POD01. You can find the POD number on the web browser homepage displayed when you access the demo (see below).

3.1.2 W-Series Controller Configuration

1. W-Series Controller Configuration

2. Now we are going to configure the W-Series Controller. Please select the Demo Lab

environment - “Lab3 – Wireless” folder.

3. Open the webGUI for the Controller by clicking on “AP Controller”

4. Username: admin

5. Password: campus

Note: The controller Web Console will appear as a tab at the top of the RDM interface

6. From within the W-Series web console select the Configuration tab and then Campus WLAN (see

below).

7. Click New AP Group, enter BYOD, OK.

8. Click New WLANs for BYOD, enter Guest(#)

9. Click, OK

10. Click Next, lower right.

11. Use defaults, click Next

12. VLAN: choose 210

13. Choose Guest, click Next

14. Use defaults, click Next

15. Use defaults, click Next

16. Add, Select from known servers, choose clearpass, OK, click Next

17. Use defaults, click Next

18. Click Finish

19. Click Close

You have now created an AP group, which will contain all the settings that will be pushed to the APs,

including the SSID. Only one AP group can be assigned to a single AP.

Next we will configure the Access Points for use.

1. Select Configuration tab

2. Select AP

3. Use defaults, click Next

4. Choose All APs

5. Use defaults, click Next

6. Use defaults, click Next

7. Click drop-down, choose BYOD

8. Click Configure APs Now

9. Click Close

You have just assigned the APs to the BYOD AP group you previously configured. The APs will

download the new configuration and reboot. This process will take about 2-3 minutes. You can

monitor the APs in the Monitoring Tab.

The APs are ready when they all show “up” in the WLAN Network Status

Once the APs have been configured and are shown as UP within the Monitoring tab, return to the Configuration tab. The wizard populates many default profiles for admins to use and change. We will now start configuring the user roles and policies to customize our environment.

1. Select the Configuration tab

2. Choose Access Control under SECURITY

3. Click on the Edit button for Guest01-guest-logon

4. Under Firewall Policies click the Add button

5. Select Choose from Configured Policies

6. From the drop down menu select ClearPass-web-ACL and click Done

7. Select the Clearpass-web-ACL that was populated in the list

8. Use the arrow to move it above the logon-control policy

9. Click Apply on the lower right on the page

Note: The ClearPass policy you added above is not a default policy; we configured it for your use in this lab. It restricts the user to only access the ClearPass server IP address, which is where the captive portal web page is located.

If you click on a policy, you can see the firewall rules for each policy. These are typical firewall rules and

they are evaluated from top to bottom.
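
The top-to-bottom evaluation described above, modelled as an added example (not part of the original guide and not the controller's own configuration). Only the policy names, their order and the ClearPass address 192.168.3.6 come from this guide; the rule contents, the `redirect` action name and the implicit final deny are assumptions made for illustration.

```python
"""First-match evaluation of a role's ordered firewall policies (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CLEARPASS_IP = "192.168.3.6"  # ClearPass address from the lab addressing table


@dataclass(frozen=True)
class Rule:
    dst: str              # destination network in CIDR form ("0.0.0.0/0" = any)
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None = any
    action: str           # "permit", "deny" or "redirect" (assumed action names)

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))


# Constructed rule contents: only the policy names and their order come from the guide.
POLICIES = {
    "ClearPass-web-ACL": [
        Rule(f"{CLEARPASS_IP}/32", "tcp", 80, "permit"),
        Rule(f"{CLEARPASS_IP}/32", "tcp", 443, "permit"),
    ],
    "logon-control": [  # stand-in for the wizard-created logon policies
        Rule("0.0.0.0/0", "udp", 53, "permit"),     # DNS
        Rule("0.0.0.0/0", "udp", 67, "permit"),     # DHCP
        Rule("0.0.0.0/0", "tcp", 80, "redirect"),   # web traffic is sent to the portal
        Rule("0.0.0.0/0", "tcp", 443, "redirect"),
    ],
}

LAB_ORDER = ["ClearPass-web-ACL", "logon-control"]       # order set in step 8
SWAPPED_ORDER = ["logon-control", "ClearPass-web-ACL"]   # policy left at the bottom


def evaluate(order, dst_ip, proto, port, policies=POLICIES):
    """Return (action, policy name) of the first matching rule, top to bottom."""
    for name in order:
        for rule in policies[name]:
            if rule.matches(dst_ip, proto, port):
                return rule.action, name
    return "deny", "implicit-deny"  # assumption: unmatched traffic is dropped


def shadowed_rules(order, policies=POLICIES):
    """List (policy, rule index) pairs that never match because an earlier rule covers them."""
    seen, dead = [], []
    for name in order:
        for idx, rule in enumerate(policies[name]):
            if any(earlier.covers(rule) for earlier in seen):
                dead.append((name, idx))
            seen.append(rule)
    return dead


if __name__ == "__main__":
    probes = [  # constructed sample flows from a guest client
        (CLEARPASS_IP, "tcp", 443),     # registration page on ClearPass
        ("203.0.113.10", "tcp", 80),    # any other website (documentation address)
        ("192.168.2.10", "tcp", 445),   # host on the Secure VLAN 200 subnet
    ]
    for label, order in (("lab order", LAB_ORDER), ("swapped", SWAPPED_ORDER)):
        print(label)
        for probe in probes:
            print("  ", probe, "->", evaluate(order, *probe))
        print("   shadowed:", shadowed_rules(order))
```

With the policy left below the redirect rules, both ClearPass permit rules are reported as shadowed, so the registration page request is itself intercepted.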

Next we will configure the Authentication setting.

10. Select Authentication under Security

11. Select the L3 Authentication tab

12. Select + to expand the Captive Portal Authentication

13. Click on the name (not +) of Guest01-cp-prof

14. Look for Login page

15. Enter the following: https://clearpass.campus.local/guest/reg.php

16. Click Apply in the lower right

You have just configured the user role and captive portal redirect address to enable the Guest

registration. The address above is a webserver hosted on W-ClearPass. The controller configuration is

complete.

3.1.3 W-ClearPass Policy Manager and Guest configuration

Return to the Remote Desktop Manager dashboard. This is the blue icon found on the taskbar. It is

highlighted below for reference:

Now we will configure the ClearPass server. To configure the ClearPass server please follow the steps

below:

1. Click on the Wireless –AD under the Wireless RDP Access section on the left hand side

2. Close the Server Manager

3. Click on the Firefox icon labelled ClearPass

a. Username: admin

b. Password: campus

The ClearPass Policy Manager GUI is now open. The dashboard is open by default. Use the left hand

side to get to the Configuration area.

4. Select Configuration

5. Select Start Here

6. Scroll down and select the Guest Access Template

Note: ClearPass uses tabs across the top to move through the configuration. Depending on the

configuration area, you must either click the next tab, or you can use the Next button at the lower

right.

8. In the General Tab enter a Name Prefix of Self Registration Lab

9. Click Next button

10. Wireless SSID for Guest access: Guest- (and POD Number)

Note: Enter the exact WLAN name you used on the controller. For example Guest- (and POD

Number) if you’re using Lab Pod 1

11. Select wireless controller: Controller (this network device setting has already been configured

for you)

12. Click Next button

13. Click Add Service button

14. Click Save button

15. Once completed, you should see your service in the list at the bottom.

16. Click on the Service name to open it.

17. Select the Service Tab, use defaults

18. Select the Authentication Tab, use defaults

19. Select the Roles Tab, use defaults

20. Select the Enforcement Tab, click Modify (new set of tabs opens)

21. Click on Rules Tab

22. Click Add Rule

23. Click to add… (under Conditions)

24. Type: Authentication, Name: Username, Operator: EXISTS, Value: no entry

25. Click on the Disk icon to save the condition

26. Under Enforcement Profiles --Select to Add—

27. From the dropdown list select [RADIUS] Authenticated

28. Click Save

29. Click Save

30. Click Save

Note: The rule you added is applied through the Authenticated enforcement policy to any Guest that registers. The Authenticated policy corresponds to the “authenticated” role within the Controller. This role is a default “allow all” policy. Real-world admins would designate a more appropriate role and policy for Guests. This is just for lab demonstration.

This completes the Policy Manager Service. We now must move to the Guest module within ClearPass

to configure the self-registration portal.

3.1.4 W-ClearPass Guest Module Configuration

The following steps detail the configuration task to be undertaken to complete the configuration for the

ClearPass self-registration portal.

1. Click on the Dashboard section in the upper left of the GUI.

2. There should be an Applications window near the center of the screen.

3. Click on Guest

4. Another browser tab should open with the Guest Manager GUI.

5. Click on Configuration on the left hand side

6. Click on Guest Self-Registration

7. Click on Create new self-registration page (upper right)

8. Enter a name Guest Lab

9. Enter the Register Page reg

Note: The register page is the http address you entered into the controller for the redirect. You must use the same page. The above “reg” corresponds to https://clearpass.campus.local/guest/reg.php which was entered in the controller section.

10. Click Save and Continue

11. Scroll down to Allowed Access and enter 192.168.4.0/24

12. Click Save and Continue

13. On the Register Page UI accept the defaults

14. Click Save and Continue

15. On the Receipt Page UI accept the defaults

16. Click Save and Continue

17. On the Receipt Actions page accept the defaults

18. Click Save and Continue

19. On the NAS Login page change * IP Address to 192.168.3.20

20. Set the Default Destination

21. *Default URL to http://demos.dell.com

22. Override Destination: Select Force Default

23. Click Save and Continue

24. On the Login Form accept the defaults

25. Click Save and Continue

26. On the Self-Service Portal accept the defaults

27. Click Save Changes

Now that we have completed the necessary configuration steps to allow guest access to our Wireless solution, we are ready to test.

3.1.5 Testing Guest Access with a Wireless Client

For the purposes of the Lab, two Wireless Clients are available for testing. They can be found within the Remote Desktop Manager Navigation Menu under Wireless RDP Access. To begin:

1. Please double click on Wireless Client 1

2. A Windows 7 Remote Desktop will be displayed within the RDM dashboard

3. Connect to the Guest(#) SSID you created in the previous steps

4. Launch the Firefox browser session

5. Enter a website address. You will be redirected to a Self Registration page

6. This will be an Untrusted site. Please select I Understand the Risk and Add Exception.

7. A popup will appear

8. Select Confirm Security Exception

9. A page will appear for Guest Registration

10. Enter * Your Name

11. And * Email Address

12. Confirm that you accept the terms of use

13. You will receive a Guest Registration Receipt

14. Click on the Log in button. It will take you to a redirect page, and then to the URL that was entered for the forced default destination (http://demos.dell.com)

3.2 BYOD, W-ClearPass Onboard Lab

Users connect to a secure SSID and enter in a corporate username and password. A captive portal

redirects the user to a web form that instructs them to register to gain access. W-ClearPass evaluates

if the user is allowed to Onboard their personal device onto the network. After authorization, the user

is redirected to an Onboard application download page. The application is downloaded and executed

on the user’s device. Network settings and a certificate are installed onto the client through the Onboard

application. Once complete the user re-authenticates to the same SSID, and authenticates using the

new network settings and certificate.

Objectives

- Create Virtual AP for an Employee SSID

- Create User roles and policies

- Create W-ClearPass Onboard service

- Create Onboard application, network and portal

- Test with a Win7 client

3.2.1 W-Series Controller Configuration

We are now going to start the configuration steps for the BYOD Onboard Lab.

1. Select the Lab 3 – Wireless folder from within the Remote Desktop Manager interface

2. Open the Web GUI for the Controller by double clicking on “AP Controller” icon

3. Log in with the credentials below:

a. Username: admin

b. Password: campus

Note: If you have completed the previous Guest lab exercise, the AP Group and provisioned APs should be ready to use for this lab. If you have not completed the Guest lab exercise, please follow the Guest lab until you complete the provisioning of the APs and then return to this section.

Start by adding a new Virtual AP to the BYOD AP group you configured in the Guest exercise.

1. From within the W3200 Controller Web Portal select the Configuration tab

2. Select Campus WLAN

3. From the Specify Wireless LAN (WLAN) select the BYOD AP Group

4. Under WLAN’s for BYOD Click New

5. Enter Employee(#)

Note: You will have a Guest01 and an Employee01 SSID within the BYOD AP group

6. Click Next, lower right.

7. Use defaults, click Next

8. Enter VLAN 1920 and click Next

9. Use defaults (Internal), click Next

10. Use defaults, click Next

11. Step 6 Captive Portal should be disabled, skip to step number 7

12. Select Add, from the known servers choose clearpass, click OK, select Next

13. Use defaults, click Next

14. Click Finish

15. Click Close, bottom right

For Access control we now need to create two roles.

- Logon

- Authenticated

The logon role will allow users to access W-ClearPass for the purpose of Onboarding the network

settings and certificate. The authenticated role will allow users with certificates to access the corporate

network.

1. Select the Configuration tab

2. Under Security select Access Control

3. Select the User Roles tab

4. Click the Add button

5. Complete the fields under Misc. Configuration

6. Role Name – BYOD-Employee-auth

7. Click Apply

8. Click the Add button

9. Complete the fields under Misc. Configuration

10. Role Name – BYOD-Employee-logon

11. Click Apply

12. Click Edit next to the BYOD-Employee-auth role

13. Select Firewall Policies

14. Click the Add button

15. Select from the Choose from Configured Policies dropdown menu

16. Select option BYOD-Employee1-auth(session)

17. Click Done

18. Click Apply

19. Click Back (upper right)

20. Click Edit next to the BYOD-Employee-logon

21. Select the Firewall Policies tab

22. Click the Add button

23. Make sure the Choose from Configured Policies dropdown menu is selected

a. Select BYOD-Employee1-logon-control(session)

24. Click Done

Before applying any changes we will add three policies to the controller.

1. Select the Add button

2. Ensure Choose From Configured Policies dropdown is selected

a. From the dropdown menu select BYOD-Employee1-allow-external-captive-portal(session)

3. Click Done

4. Select the Add button

5. Ensure Choose From Configured Policies dropdown is selected

a. From the dropdown menu select BYOD-Employee1-captive-portal(session)

6. Click Done

Note: Before applying the changes take a moment to verify the order of the policies you have

defined. The order in which the policies are applied is very important. See below for reference:

7. Click Apply

8. Click Back (upper right)

9. The next stage in the configuration process is to create a Captive Portal policy. The following steps outline the tasks to be undertaken to create the policy.

10. Under Security select Authentication

11. Select the L3 Authentication tab

12. Click on the name (not +) of Captive Portal Authentication

13. In the text box enter BYOD-Employee and click Add

14. Click on the name of BYOD-Employee

15. Look for Login page

16. Enter the following in the textbox: https://clearpass.campus.local/onboard/ob.php

17. Click Apply, bottom right (you may need to scroll to the bottom of the page)

Once we have defined and saved the various Captive Portal Policies the next stage is to modify the AAA

profile for the Employee(#) SSID.

1. Select Authentication under Security

2. Click on the AAA Profiles tab

3. Click on the name (not +) of Employee(#)-aaa_prof

4. From the Initial role dropdown menu choose BYOD-Employee-logon

5. From the 802.1X Authentication Default Role dropdown menu choose BYOD-Employee-logon

6. Click Apply

The previous step forces all clients that connect to the Employee01 SSID to receive a user role of BYOD-Employee-logon (configured in a previous step). This user role allows access to the W-ClearPass server, which will Onboard the user’s device onto the network. No other access is granted until Onboarding is complete and the user has a certificate installed.

We also must change another setting within the logon user role:

1. Select Access Control under Security

2. Click on the User Roles tab

3. Click Edit next to BYOD-Employee-logon

4. Under Misc. Configuration select the Captive Portal Profile dropdown menu and choose BYOD-Employee

5. Click Apply, lower right of the page

Now when the user receives the designated logon role, it points to the captive portal policy that

contains the URL to redirect to the W-ClearPass portal.

That concludes the setup for the W-Series Controller.

Take some time to go back and drill down into the user roles, firewall, and other policies to see what

the user is allowed to access. Notice all the default settings and options, and how they can be used in

creating specialized WLAN behaviors and environments.

3.2.2 W-ClearPass Policy Manager and Onboard configuration

The next stage is to define the necessary configuration on the W-ClearPass Policy Manager for the Employee01 SSID created in the previous steps. Return to the Remote Desktop Manager dashboard; this is the blue icon on the taskbar.

1. Double-click on the Wireless-AD icon found within the Lab3 – Wireless folder

2. Close Server Manager as this may be open when you log into the AD server

3. On the Desktop launch the shortcut for W-Clearpass

4. Log into the W-ClearPass Web Console with the following credentials

a. Username: admin

b. Password: campus

5. Once logged into the ClearPass Policy Manager web console the dashboard view should be

displayed.

6. The ClearPass Policy Manager GUI is now open. The dashboard is open by default. Use the left

hand side to get to the Configuration area.

7. Select Configuration and Start Here

8. Click on the Onboard template

9. In the General Tab enter a name of Onboard Lab

10. Click Next

11. Under Wireless Setting select wireless controller Controller (these settings have been pre-configured for you)

12. Click Next

13. Click Next at Device Access Restrictions

14. Under Provisioning Wireless Network Settings select Employee(#) for Wireless SSID for Onboard

Note: Enter the exact WLAN name used on the controller. For example Employee01.

15. Click the Add Service button

16. Click Save. You should see three Services in the list at the bottom.

17. Click on the Onboard Lab Onboard Provisioning Service name to open it.

18. Select the Service Tab and use defaults

19. Select the Authentication tab

20. Under Authentication Methods remove all default methods

21. From the dropdown list select

a. EAP TTLS

b. EAP TLS

c. EAP PEAP

d. MSCHAP

e. EAP MSCHAPv2

22. Select Authentication Sources

23. Click on the [Guest User Repository], click Remove

24. From the dropdown list select pod1 Active Directory [Active Directory]

Note: The Authentication sources are the same across all environments. These settings have been predefined for you.

25. Select the Roles tab

26. From the dropdown list select Onboard Lab AppAuth Role Mapping

27. Select the Enforcement tab using the defaults

28. Click Save

29. Click on the Onboard Lab Onboard Authorization service name to open it

30. Go to the Authorization tab

31. Select the [Guest User Repository] and click Remove

32. From the dropdown list select pod1 Active Directory [Active Directory]

33. For all other tabs relating to this service please accept the defaults

34. Click Save

35. Select the Onboard Lab Onboard Pre-Auth service

36. Select the Authentication tab

37. Click on the [Guest User Repository] and click Remove

38. From the dropdown list select pod1 Active Directory [Active Directory]

39. Accept defaults for all other tabs

40. Click Save

Take some time to navigate through each Service. W-ClearPass classifies each authentication request by the service rules. It retrieves information from the databases configured in the Authorization and Authentication sources, applies roles based on rules set in the Role Mapping, and finally enforces the policy rules set in Enforcement Policies. There is an infinite number of classifications, actions, and settings that can be used to set access policies around any device or user authentication through W-ClearPass.

The necessary configuration steps have been completed for the Policy Manager Service. The next stage is to undertake the configuration of the Self-Registration Portal. This is done under the Guest module.

1. Select the Dashboard within the upper left of the GUI

2. An Applications window will be displayed on the screen

3. Click on Onboard + Workspace

Note: The W-ClearPass product does not support WorkSpace. Although admins can see configuration options and set them in the GUI, no WorkSpace product or license exists for the Dell version of ClearPass.

4. A new browser tab should open with the Onboard manager GUI.

5. Select Onboard/MDM Configuration >

6. Click on Network Settings

7. Click on Create new Network (upper right)

8. Enter a name at Name: Onboard Network

9. Enter the SSID of your pod at SSID: Employee01 (replace the Example-TLS test)

10. Click Next

11. You will be brought to the Protocols Tab

12. From the Windows EAP dropdown list choose TLS

13. Click Next

14. You will be brought to the Authentication tab

15. Accept the defaults

16. Click Next

17. On the Trust tab from the Configure Trust dropdown list select Manually configure certificate

trust setting

18. In the Trust Server Names text box enter *.campus.local

19. Under Trusted Certificates click inside the box next to default entry and select Admin-Root-CA

20. Under Windows Trust - Validate Certificate uncheck Validate the server certificate

21. Click Next

22. On the Windows tab accept all the defaults

23. Click Next

24. On the Proxy tab accept all the defaults

25. Click Save Changes

26. From within the Onboard + Workspace menu scroll down to Deployment and Provisioning

27. Click on Configuration Profiles

28. Click on Create new configuration profile (upper right)

29. Enter a name at Name: Onboard config profile

30. Scroll down to the Networks: section

31. Click on the network name you created: Onboard Network

32. Click Save Changes

33. Under Deployment and Provision select Provisioning Settings

1. Click on Create new provisioning settings (upper right)

2. Enter a name at Name: Onboard Provisioning

3. At Organization: enter Dell

4. From within the Identity section apply the following settings

5. Certificate Authority choose Onboard pod from the dropdown list

6. From within the Authorization section apply the following setting:

7. Configuration Profile: from the dropdown menu, choose Onboard config profile (this is the profile you just created)

8. From the Support Devices section apply the following settings

9. Uncheck all devices except Windows Devices (leave checked.)

10. Click Next

11. In the Web Login Tab enter a Page name: ob

Note: This entry must match the URL you entered in the Captive Portal Authentication profile you configured in the Controller. “ob” corresponds to https://clearpass.campus.local/onboard/ob.php. The full URL is not used in this field, only the final name of the .php page.

12. Click Next

13. Accept all defaults in the Windows tab

14. Click Next

15. Within the Onboard Client tab, from the Validate certificate dropdown list, select No, do not validate this web server certificate

16. Click Save Changes

The Onboard configuration is now complete and we are ready to test.

3.2.3 Test BYOD, Onboard with Wireless Client

This lab uses self-signed certificates for all certificates and Certificate Authorities. This lab’s configuration uses settings that would not be used in a secure deployment. During the client testing you may have to bypass or acknowledge some security warnings. Please always accept the warning and continue. Do not terminate or cancel any authentication due to security warnings.

1. Launch Wireless Client 2 by double clicking the icon within Remote Desktop Manager Console.

2. A Win 7 client RDP session will launch.

3. Connect to the Employee# SSID

a. User name: user2

b. Password: password

Note: You may have to enter this username/password more than once. This may be due to the lab environment or to Windows itself.

4. Choose Connect

5. Open the Firefox browser.

6. Enter any website address. The redirect should open the Self Registration page

7. Enter the same login details as step 3

a. Username: user2

b. Password: password

8. Click on Start QuickConnect

9. Click Save File

10. Go to the Firefox download arrow icon, click to run the executable

11. Click Run

12. Click Next

13. Finally, click Connect

14. Upon successful authentication, a message similar to the one below will be displayed:

15. Click Close

16. Return to Firefox and enter a web site address, for example www.google.com, to test that the onboarding process has been successful.

The application configures the Employee01 wireless profile for EAP-TLS, certificate-based authentication. Pressing the Connect button will disconnect you from the Employee[#] SSID and reconnect you to the same SSID. This time the authentication changes from EAP-PEAP username/password to EAP-TLS. A new role is assigned to give access to the corporate network.
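The Trust tab settings configured earlier (trusted certificate Admin-Root-CA, server names *.campus.local, and the unchecked Validate the server certificate box) decide what the Windows supplicant does with the authentication server's certificate during EAP-TLS. The following added example, which is not part of the original lab guide, builds a throwaway PKI with openssl and compares the two settings. The Other-Root-CA and radius.example.test names, and the assumption that the server certificate is issued to clearpass.campus.local, are constructed for illustration.

```shell
#!/bin/sh
# Throwaway PKI in a temp dir. Admin-Root-CA and clearpass.campus.local mirror
# the guide; the second CA and the off-domain name are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {        # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_server() {   # $1 = issuing CA prefix, $2 = output prefix, $3 = DNS name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -extfile "$WORK/$2.ext" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Model of the supplicant's decision under each setting.
# $1 = yes|no (Validate the server certificate), $2 = server cert prefix
supplicant_accepts() {
  [ "$1" = no ] && return 0    # box unchecked: certificate is not examined
  # Box checked: must chain to Admin-Root-CA and carry a name that falls
  # under the *.campus.local trust entry (clearpass.campus.local assumed).
  openssl verify -CAfile "$WORK/admin-root.pem" \
    -verify_hostname clearpass.campus.local "$WORK/$2.pem" 2>/dev/null |
    grep -q ': OK$'
}

make_ca admin-root "Admin-Root-CA"
make_ca other-root "Other-Root-CA"
issue_server admin-root legit     clearpass.campus.local
issue_server other-root foreign   clearpass.campus.local
issue_server admin-root offdomain radius.example.test

for cert in legit foreign offdomain; do
  for validate in yes no; do
    if supplicant_accepts "$validate" "$cert"; then verdict=accept; else verdict=reject; fi
    echo "validate=$validate cert=$cert -> $verdict"
  done
done
```

With validation enabled, only the certificate issued by Admin-Root-CA for clearpass.campus.local is accepted; with the lab setting, all three are.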

4 Summary

This lab uses very basic settings to authenticate and Onboard clients. It is meant to demonstrate the method of configuring policies on Policy Manager, web and application services on Onboard, and how ClearPass interacts with the W-Series Controller for access/enforcement.

Please take some time to go through ClearPass, Guest, and Onboard to see the many options that are available to customers. Control of users and devices offers an infinite number of possibilities. Users can be identified and fingerprinted through the devices they have to steer automated policy decisions.
