Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Certificate based authentication

Currently we are running ClearPass with mobility controllers at our branch offices. We are using PEAP for the company-owned laptops to connect. We require an Active Directory username/pass in order to connect. The problem is, personal devices are able to connect to the company Wi-Fi as long as the employee has a username/pass. We are looking for a way for the laptops to connect (cert maybe?) AND company smart devices but not personal devices to connect (laptop or smart device). Also don't want the employees to have to enter their creds. We have tested AirWatch/ClearPass integration and only allowed AirWatch-enrolled smart devices to connect; however, we are moving away from AirWatch so this won't work. We have also tested Onboarding, but that requires the user to enter username/pass? Is there a way for the users to conveniently connect but securely?

Guru Elite
Posts: 21,267
Registered: ‎03-29-2007

Re: Certificate based authentication

Onboarding requires an initial username and password. After that, the certificate can be used.

Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Certificate based authentication

You can use machine authentication on the laptop side, which will only allow devices that authenticate with their machine account to the domain.

For mobile devices, you still need an authoritative source of what is corporate owned and what is not. Are you moving to another MDM?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Re: Certificate based authentication

Yes, MS Intune

Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Certificate based authentication

OK, then you can manually mark the corporate devices in the endpoints repository or possibly export a list out of Intune.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Re: Certificate based authentication

We were thinking that, but we would have to touch every device.

Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Certificate based authentication

How do the corporate devices get distributed?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Re: Certificate based authentication

We push profiles via AirWatch.

Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Re: Certificate based authentication

We have come to terms and are OK with an initial prompt for username/pass, but how can we avoid AD users connecting with their personal devices? Currently, we have the provisioning profile configured for an allowed AD group.

Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Certificate based authentication

You would need some type of authorization source in ClearPass to determine corporate vs personal.

Some options:

- Manual endpoint updates

- Information from MDM

- SQL connection to asset database

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
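
Added example, not part of the thread and not Aruba or Microsoft code: one way to turn an MDM export into the corporate-vs-personal lookup suggested above, with default-deny for unknown devices. The CSV column names and sample rows are constructed assumptions; a MAC lookup like this is an authorization input alongside certificate or machine authentication, not a replacement for it.

```python
import csv
import io
import re

# Constructed sample export; the column names "Device name", "Ownership" and
# "Wi-Fi MAC" are assumptions, adjust them to match the real MDM export.
SAMPLE_EXPORT = """Device name,Ownership,Wi-Fi MAC
LT-0143,Corporate,AA-BB-CC-00-11-22
iPhone-jsmith,Personal,aa:bb:cc:00:11:33
TAB-0007,Corporate,aabb.cc00.1144
LT-0200,Corporate,
KIOSK-3,corporate,AABBCC001155
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[-:.\s]", "", raw or "").lower()
    return digits if _HEX12.match(digits) else None


def load_corporate_macs(export_text):
    """Build the allowlist from rows marked corporate; collect rows it had to skip."""
    allowed, skipped = set(), []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row.get("Ownership", "").strip().lower() != "corporate":
            continue
        mac = normalize_mac(row.get("Wi-Fi MAC"))
        if mac is None:
            skipped.append(row.get("Device name", "?"))  # needs manual follow-up
        else:
            allowed.add(mac)
    return allowed, skipped


def classify(client_mac, allowed):
    """Default-deny: anything not on the list, or unparseable, is personal."""
    mac = normalize_mac(client_mac)
    return "corporate" if mac in allowed else "personal"


if __name__ == "__main__":
    macs, skipped = load_corporate_macs(SAMPLE_EXPORT)
    print(sorted(macs), skipped)
    print(classify("AA:BB:CC:00:11:22", macs), classify("aa-bb-cc-00-11-33", macs))
```

Rows marked corporate but missing a usable MAC are returned separately so they can be corrected at the source instead of silently falling through to "personal".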