Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate based authentication

  • 1.  Certificate based authentication

    Posted Dec 10, 2015 05:01 PM

    Currently we are running ClearPass with mobility controllers at our branch offices.  We are using PEAP for the company-owned laptops to connect.  We require an Active Directory username/password in order to connect.  The problem is, personal devices are able to connect to the company Wi-Fi as long as the employee has a username/password.  We are looking for a way for the laptops to connect (cert maybe?) AND company smart devices, but not personal devices (laptop or smart device).  We also don't want the employees to have to enter their creds.  We have tested AirWatch/ClearPass integration and only allowed AirWatch-enrolled smart devices to connect; however, we are moving away from AirWatch so this won't work.  We have also tested Onboarding, but that requires the user to enter a username/password?  Is there a way for the users to connect conveniently but securely?



  • 2.  RE: Certificate based authentication

    EMPLOYEE
    Posted Dec 10, 2015 05:03 PM

    Onboarding requires an Initial username and password.  After that, the certificate can be used.




  • 3.  RE: Certificate based authentication

    Posted Dec 11, 2015 11:18 AM

    We have come to terms with and are OK with an initial prompt for username/password, but how can we avoid AD users connecting with their personal devices?  Currently, we have the provisioning profile configured for an allowed AD group.



  • 4.  RE: Certificate based authentication

    EMPLOYEE
    Posted Dec 11, 2015 01:16 PM
    You would need some type of authorization source in ClearPass to determine corporate vs. personal.



    Some options:

    - Manual endpoint updates

    - Information from MDM

    - SQL connection to asset database
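
    The authorization-source idea in this reply, as an added example that is not from the original thread or from HPE Aruba: a Python model of the enforcement decision, where a valid AD credential alone never grants corporate access and the device must additionally prove itself via machine authentication, a client certificate, or a lookup against an asset inventory. The SQLite table, MAC addresses, certificate names, role names and the "WiFi-Users" group are all constructed for the example and stand in for the SQL asset database option above.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory standing in for the corporate asset database
# that ClearPass would query through a SQL authorization source.
# Columns: mac, cert_cn, hostname, corporate (1 = company owned, 0 = not)
ASSET_ROWS = [
    ("00:11:22:33:44:55", "laptop01.corp.example", "laptop01", 1),
    ("aa:bb:cc:dd:ee:01", None, "phone01", 1),
    ("aa:bb:cc:dd:ee:02", None, "old-tablet", 0),  # retired, explicitly not corporate
]


def build_asset_db() -> sqlite3.Connection:
    """Create the in-memory asset database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (mac TEXT PRIMARY KEY, cert_cn TEXT, "
        "hostname TEXT, corporate INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", ASSET_ROWS)
    conn.commit()
    return conn


@dataclass
class AuthRequest:
    """What the RADIUS server knows after the EAP exchange succeeded."""
    username: str                 # AD user or machine account that authenticated
    method: str                   # "peap-user", "peap-machine" or "eap-tls"
    client_mac: str
    cert_cn: Optional[str] = None  # subject CN when EAP-TLS was used
    ad_groups: frozenset = frozenset()


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so lookups match regardless of NAS formatting."""
    return mac.strip().lower().replace("-", ":")


def lookup_asset(conn: sqlite3.Connection, *, mac: Optional[str] = None,
                 cert_cn: Optional[str] = None) -> Optional[dict]:
    """Fetch an asset row by MAC or by certificate CN; None when unknown."""
    if mac is not None:
        row = conn.execute("SELECT mac, cert_cn, hostname, corporate FROM assets WHERE mac = ?",
                           (mac,)).fetchone()
    elif cert_cn is not None:
        row = conn.execute("SELECT mac, cert_cn, hostname, corporate FROM assets WHERE cert_cn = ?",
                           (cert_cn,)).fetchone()
    else:
        return None
    if row is None:
        return None
    return {"mac": row[0], "cert_cn": row[1], "hostname": row[2], "corporate": bool(row[3])}


def decide(req: AuthRequest, conn: sqlite3.Connection) -> str:
    """Return the enforcement role: the device, not just the user, must be corporate."""
    # Step 1: for user credentials, the AD group condition from the provisioning profile still applies.
    if req.method != "peap-machine" and "WiFi-Users" not in req.ad_groups:
        return "Deny"
    # Step 2: machine authentication only succeeds from a domain-joined laptop's own account.
    if req.method == "peap-machine":
        return "Corporate-Laptop"
    # Step 3: a client certificate whose CN is registered as a corporate asset is device proof.
    if req.method == "eap-tls" and req.cert_cn:
        asset = lookup_asset(conn, cert_cn=req.cert_cn)
        if asset and asset["corporate"]:
            return "Corporate-Device"
    # Step 4: fall back to the asset inventory by MAC. This is the weakest proof,
    # since a MAC can be copied, so a certificate or machine auth is preferred above.
    asset = lookup_asset(conn, mac=normalise_mac(req.client_mac))
    if asset and asset["corporate"]:
        return "Corporate-Device"
    # Valid user, unknown or non-corporate device: the personal-device case from the question.
    return "Deny"


if __name__ == "__main__":
    db = build_asset_db()
    personal = AuthRequest("jdoe", "peap-user", "DE-AD-BE-EF-00-01", ad_groups=frozenset({"WiFi-Users"}))
    print(decide(personal, db))  # Deny: good credential, personal phone
```

The order of checks matters: machine authentication and EAP-TLS are evaluated before the MAC lookup so that the strongest available device proof decides the role, and the inventory by MAC only rescues devices that have no certificate yet (the smart-device case raised in the question).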


  • 5.  RE: Certificate based authentication

    EMPLOYEE
    Posted Dec 10, 2015 05:03 PM

    You can use machine authentication on the laptop side, which will only allow devices that authenticate with their machine account to the domain.


    For mobile devices, you still need an authoritative source of what is corporate owned and what is not. Are you moving to another MDM?



  • 6.  RE: Certificate based authentication

    Posted Dec 10, 2015 05:06 PM

    Yes, MS Intune



  • 7.  RE: Certificate based authentication

    EMPLOYEE
    Posted Dec 10, 2015 05:07 PM

    OK, then you can manually mark the corporate devices in the endpoints repository or possibly export a list out of Intune.



  • 8.  RE: Certificate based authentication

    Posted Dec 10, 2015 05:08 PM

    We were thinking that, but we would have to touch every device.



  • 9.  RE: Certificate based authentication

    EMPLOYEE
    Posted Dec 10, 2015 05:12 PM
    How do the corporate devices get distributed?


  • 10.  RE: Certificate based authentication

    Posted Dec 11, 2015 10:12 AM

    We push profiles via AirWatch.