Security

Reply
Frequent Contributor I

Clearpass Onboarding Clarification

Hi All,

 

I have some queries regarding Onboarding for which i need some help.

 

1. If i am authenticating the clients using 802.1x either from AD or from clearpass internel repositry, then why i need onboarding. As i see we are puting extra burden on the User to download the certificate after re-authentication. OR i can say this is an extra layer of security. Is it right?

 

2. What will be happened if the user reset his device and again he want to connect. The same procedure he will follow for onboarding or no need becasue he onboard hi device before.

 

3. What is the big advantage of onboarding the device.

Aruba Employee

Re: Clearpass Onboarding Clarification

Hi Waseem,

 

If you onboard the deivce, users dont need to enter credentails everytime (only during boarding the device it prompts to enter credentials). It uses EAP-TLS protocol and use server and client certificates to authenticate.

 

It is very secure way of connecting the deivces to network. During Onboarding, ClearPass push the device enrollement profile to all your devices which contain complete network information.

 

User will able to connect to the network until the certificate is valid.

 

Follow below article to Onboard device

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/SIngle-SSID-Onboard-using-Aruba-Controller/ta-p/192371

 

http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/296

 

 

Regards,

Pavan

Aruba Employee

Re: Clearpass Onboarding Clarification

If user reset his device, then he need to go through onboarding process again, since reset will remove onboard profile information

MVP

Re: Clearpass Onboarding Clarification

Good points mentioned already so i'll just add a few things..

 

1. Security.

a) AD username/password isn't stored locally on the device...

b) IT-dept often has to avoid locking an account due to wrong password since users often ignore the "enter passord" on their mobile devices, thus locking their accounts. With Certificates the normal security process can be kept.

c) Enforce certificate auth for devices that need that extra level of access. We see that tablets and bigger mobile devices require more access - with Onboard you can enforce some more device security (like pincode) for this.

 

It is for sure a burden on the user, but it's really not a big deal. We have customers who have lots of IT-ignorant users still being able to go through onboarding process. Just involve some users in your user-testing/documentation to ensure that you do it in a way your company can handle. When "beta"-testing - adjust the default expiration and alerts to something low enough so they get the expiration warning and see how that goes.

 

2. The profile and certificate is stored locally on the device. After a wipe the user have to go through the Onboarding process. Make sure your process is water-tight ;) 

 

3. Look at nr 1. If you don't have a problem with user/password security, IT-dept getting clogged with password problems each month and such then Onboard might not be for you.


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite

Re: Clearpass Onboarding Clarification

Legacy authentication methods like PEAPv0/EAP-MSCHAPv2 and EAP-TTLS have serious security implications when clients are not pre-configured for the network. In a BYOD environment, this is nearly every device.

 

EAP-TLS is the only recommended secure authentication method. ClearPass Onboard provides the user friendly workflow to issue the device a certificate and provides lifecycle management and role based access controls.

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Clearpass Onboarding Clarification

Thanks Tim Cappalli, John Solberg and Pavan,

 

Your replys were very helpful and i understand well. Simply i can say it is like we are pushing profile in iOS device for EAP-SIM and whenever we enter to the coverage zone we connect automatically. 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: