Occasional Contributor II

Re: Which "Popular" certificate authority (CA) included in most devices

Thanks for the feedback - any way to take this conversation offline? Would like to know more about the profile since we are new to ClearPass.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS
Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

Using legacy EAP methods is not recommended. You should explore EAP-TLS.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices

Of course EAP-TLS is better, but in an educational world where student laptops are not IT managed (all BYOD) you would need to use something like ClearPass Onboard and a few extra golden coins. Also you'll need some extra FTE to support it.

Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

We’ve made significant changes to Onboard licensing to make it more feasible for education. I’m not sure I agree with the need to add an FTE. It should reduce support calls, not increase them.

I would also add that the certificate issued is not just for network authentication. It can be used with single sign-on solutions to provide seamless, secure authentication to virtually unlimited services.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Which "Popular" certificate authority (CA) included in most devices

Can you tell me more about this - "Onboard licensing to make it more feasible for education"?

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS
Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

Onboard is now licensed per user instead of per device.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices

And that still makes it quite expensive. With Access license we only need about 50% of our student population covered since they never come to the campus at the same time. With Onboard license (already costs 50% more than an Access license) they count as long as their certificate hasn't expired so you need 100% covered at least. Also there's some student overlap at the beginning of a new year (old certs aren't expired yet and new students are coming in). So in practice you need to have like 120% of your average student count covered. You could solve this by renewing and expiring certs extremely fast, but do you want this?

Also as I mentioned you need some extra effort to support Onboard with your users. Some setups on student laptops are quite challenging.

Super Contributor I

Re: Which "Popular" certificate authority (CA) included in most devices

The issue I found with Onboard (which may have been fixed by now) is that after onboarding macOS devices, the user still has to do something – specifically, bounce the Wi-Fi adapter. This can be easily solved by packaging mac onboarding as an app instead of only using the .mobileconfig approach. FWIW, we found a much less expensive and more extensible option with a third-party. PM me if you want details.

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor II

Re: Which "Popular" certificate authority (CA) included in most devices

Was thinking the same thing - this could get very costly and out of hand quickly.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS
Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

1) There are no hard license caps in ClearPass 6.7

2) It is very easy to revoke certificates via the REST API when a student is no longer active

3) From what our customers have told us, they deal with more issues with supporting legacy EAP methods like PEAP than they do with assisted Onboarding.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480