Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onboarding by IT admins only, not by employees

  • 1.  Clearpass Onboarding by IT admins only, not by employees

    Posted Oct 21, 2013 03:39 AM

    Guys,

    We've done ClearPass Onboarding where users onboard their BYOD devices themselves.

    But if onboarding is to be done only by an IT administrator (not by employees), what's the recommended way to inform users about this?

    Let's say a user connects to the onboard SSID by EAP-PEAP and is assigned the role 'Need_Onboard'. He should now be informed with something like 'Please contact your IT admin to gain access to the network'.

    How is that accomplished?

    Thanks,

    Bharani..



  • 2.  RE: Clearpass Onboarding by IT admins only, not by employees
    Best Answer

    Posted Oct 21, 2013 06:09 AM

    You should be able to do this by creating a new web page on CPPM that basically provides instructions to the user, informing them that they need to contact IT. This can be created under Guest/Web Logins. Then assign a captive portal profile (and policies) to the "Need_Onboard" role that directs them to this new web login page.



  • 3.  RE: Clearpass Onboarding by IT admins only, not by employees
    Best Answer

    EMPLOYEE
    Posted Oct 21, 2013 07:36 AM

    On that "needs Onboard" role and captive portal, you can even present a form that would be emailed to the IT helpdesk or administrator which would keep a record of who and what device was requesting access.  



  • 4.  RE: Clearpass Onboarding by IT admins only, not by employees

    Posted Oct 21, 2013 09:32 PM

    Hello guys,

    Thank you for the reply.

    Redirecting the user (with the Need-Onboard role) to a 'Contact IT admin' web page sounds good.

    But after this, if that employee goes to the IT admin for onboarding, the IT admin will still have the 'Need-Onboard' role during his onboard pre-provisioning, right?

    How can I differentiate whether the user is attempting onboarding or the IT admin is attempting the onboarding?



  • 5.  RE: Clearpass Onboarding by IT admins only, not by employees

    EMPLOYEE
    Posted Oct 21, 2013 09:33 PM
    How about a provisioning SSID with a PSK?


  • 6.  RE: Clearpass Onboarding by IT admins only, not by employees
    Best Answer

    EMPLOYEE
    Posted Oct 21, 2013 10:25 PM

    You're going to have to choose what works best for the employees.

    1. Have an open SSID where the first page is a login page where the IT admin must put in their credentials before the device can be provisioned.

    2. Allow the users to provision their own devices and put a limit of one device per username.

    3. As Seth suggested, put up a PSK SSID in the IT area only so that provisioning can only be done in a specified area.

    4. If the devices are only PCs then you could also provision over wired only; Onboarding will provision both wired and wireless.

    Remember that the certs you get will be based on the username used to provision, so you will need to have the user put in their credentials if you want the device tied to the user.



  • 7.  RE: Clearpass Onboarding by IT admins only, not by employees

    Posted Oct 21, 2013 10:49 PM

    Hi Troy,

    That's simply awesome! This is exactly what we want!!

    Just love this community forum and the way you guys help us!!! Thank you!!

    Thanks,

    Bharani..



  • 8.  RE: Clearpass Onboarding by IT admins only, not by employees

    Posted Oct 22, 2013 12:46 AM
    Hey guys,

    I would also like to check on this.

    We are using EAP-TLS (certificates) for authentication after onboarding. We've added the Onboard repository as an auth source in the 802.1X Aruba wireless service as well.

    The enforcement policy is like:

    1. If authentication outer method equals EAP-TLS, then the enforcement profile is 'already onboarded'

    2. If authentication source equals Onboard repository, then the enforcement profile is 'already onboarded'

    But every time only the 1st condition is successful; the 2nd condition is not successful even after onboarding.

    CPPM always chooses 'AD' as our auth source, not our Onboard repository.

    Why is that?

    Thanks,
    Bharani..


  • 9.  RE: Clearpass Onboarding by IT admins only, not by employees

    EMPLOYEE
    Posted Oct 22, 2013 01:39 AM

    ClearPass always works from the top down, and if it finds the user that the cert is assigned to, it will always go with AD as the authentication source.

    In my enforcement I'm just checking which AD role the user has and whether it authenticates with TLS. All others go to onboarding.

    Here is a sample of my production service.

    [Attached screenshots of the service configuration: screenshot_01 through screenshot_05, Oct. 22]



  • 10.  RE: Clearpass Onboarding by IT admins only, not by employees

    Posted Oct 22, 2013 01:57 AM

    Another wonderful explanation! Thank you.

    So, am I correct in saying that if I use EAP-PEAP (after onboarding) instead of EAP-TLS (let's say for iOS devices), Onboard_repository will be considered as one of the auth sources?

    Regards,

    Bharani...



  • 11.  RE: Clearpass Onboarding by IT admins only, not by employees

    EMPLOYEE
    Posted Oct 22, 2013 02:07 AM
    I never use it as a sole authn source; I typically use it as an authz source in an AND condition for role mapping or enforcement.


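The top-down source selection Troy describes in post 9, and the "Onboard repository as an authorization source in an AND condition" pattern from post 11, are easier to see in a small model than in screenshots. The following is an added example, not ClearPass code or anything posted in the thread: it models a service with AD listed above the Onboard repository, evaluates Bharani's two-rule policy from post 8 against it, and contrasts it with a tightened policy that requires EAP-TLS and an AD attribute and an Onboard attribute together. The directory contents, usernames, the 'Staff' group, the 'Device Type' attribute and the 'Need_Onboard'/'already onboarded' profile names are assumptions; the attribute naming follows ClearPass's Authentication:/Authorization: style but the lookup is a toy.

```python
"""Toy model of the ClearPass behaviour described in this thread: the
authentication sources of a service are tried top-down and the first one that
knows the user wins, then the enforcement policy is evaluated first-match.
Constructed illustration, not ClearPass code; directory contents, usernames,
the 'Staff' group and the attribute names are assumptions."""

# Constructed directory contents. alice and bob are current AD users; alice
# has onboarded a device. carol onboarded a device and has since been removed
# from AD, but her client certificate has not been revoked.
AD = {"name": "AD",
      "users": {"alice": {"memberOf": "Staff"}, "bob": {"memberOf": "Staff"}}}
ONBOARD = {"name": "Onboard repository",
           "users": {"alice": {"Device Type": "iOS"},
                     "carol": {"Device Type": "Windows"}}}
AUTH_SOURCES = [AD, ONBOARD]      # order as configured in the service
AUTHZ_SOURCES = [AD, ONBOARD]


def select_auth_source(username, sources):
    """First source (top-down) in which the user exists; None if not found."""
    for src in sources:
        if username in src["users"]:
            return src["name"]
    return None


def build_context(req, auth_sources=AUTH_SOURCES, authz_sources=AUTHZ_SOURCES):
    """Attributes the enforcement policy sees for one request, or None when
    the user is found in no authentication source (authentication fails)."""
    source = select_auth_source(req["username"], auth_sources)
    if source is None:
        return None
    ctx = {"Authentication:Username": req["username"],
           "Authentication:OuterMethod": req["outer_method"],
           "Authentication:Source": source}
    # Authorization sources are queried for attributes whichever source
    # actually authenticated the user.
    for src in authz_sources:
        for key, value in src["users"].get(req["username"], {}).items():
            ctx[f"Authorization:{src['name']}:{key}"] = value
    return ctx


def evaluate(rules, ctx, default="Need_Onboard"):
    """First-match policy: returns (index of matched rule or None, profile)."""
    for i, (predicate, profile) in enumerate(rules):
        if predicate(ctx):
            return i, profile
    return None, default


# The two rules from post 8, as two independent conditions.
ORIGINAL_RULES = [
    (lambda c: c["Authentication:OuterMethod"] == "EAP-TLS", "already onboarded"),
    (lambda c: c["Authentication:Source"] == "Onboard repository", "already onboarded"),
]

# The approach from posts 9 and 11: TLS AND an AD attribute, with the Onboard
# repository used only as an authorization source inside the AND condition.
TIGHTENED_RULES = [
    (lambda c: c["Authentication:OuterMethod"] == "EAP-TLS"
               and c.get("Authorization:AD:memberOf") == "Staff"
               and "Authorization:Onboard repository:Device Type" in c,
     "already onboarded"),
]


def decide(req, rules):
    """(authentication source, matched rule index, enforcement profile)."""
    ctx = build_context(req)
    if ctx is None:
        return None, None, "REJECT"
    idx, profile = evaluate(rules, ctx)
    return ctx["Authentication:Source"], idx, profile


if __name__ == "__main__":
    requests = [
        {"username": "alice", "outer_method": "EAP-TLS"},   # onboarded AD user
        {"username": "bob", "outer_method": "EAP-PEAP"},    # not yet onboarded
        {"username": "carol", "outer_method": "EAP-TLS"},   # cert, no AD account
    ]
    for req in requests:
        print(req["username"], req["outer_method"],
              "original:", decide(req, ORIGINAL_RULES),
              "tightened:", decide(req, TIGHTENED_RULES))
```

Running it shows why the second rule in post 8 never fires: for an onboarded user who exists in AD, Authentication:Source is "AD" because AD is listed first, and the first rule has already matched on EAP-TLS anyway. It also shows the practical difference between the two policies: a certificate issued to someone who has since left AD still satisfies "outer method equals EAP-TLS" and is treated as "already onboarded" under the original rules, whereas the tightened rule falls through to the onboarding role because the AD attribute is missing.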
  • 12.  RE: Clearpass Onboarding by IT admins only, not by employees

    Posted Oct 22, 2013 09:22 AM

    Got it, Troy.

    We are configuring onboarding for wireless users in CPPM 6.2.2 with an Aruba WLC A3400.

    1. After configuring the provisioning settings in ClearPass Onboard and trying to test it out, we find the onboard URL looks wrong. It should be 'https://ip-address-of-cppm/guest/device_provisioning3.php', right? But instead it's like https://hostname-of-cppm/onboard/device_provisioning3.php and the web page is not displayed. Please see the attached (first 2) pictures.

    2. Also, we found a weird issue: Windows and iOS 6 devices cannot even redirect to the onboard page, while iOS 7 can redirect but fails with an invalid server certificate (Invalid_server_Cert.png), as attached in the picture.

    Could you please advise on these issues?