Contributor II

Clearpass Onboarding by IT admins only, not by employees

Guys,

We've done ClearPass Onboarding where the user onboards their BYOD devices by themselves.

But if onboarding is to be done only by an IT administrator (not by employees), what's the recommended way to inform users about this?

Let's say a user connects to the onboard SSID by EAP-PEAP and is assigned the role 'Need_Onboard'; he should now be informed with something like 'Please contact your IT admin for gaining access to your network'.

How is that accomplished?

Thanks,

Bharani..

Aruba

Re: Clearpass Onboarding by IT admins only, not by employees

You should be able to do this by creating a new web page on CPPM that basically provides instructions to the user, informing them that they need to contact IT. This can be created under Guest/Web Logins. Then assign a captive portal profile (and policies) to the "Need_Onboard" role that directs them to this new web login page.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: Clearpass Onboarding by IT admins only, not by employees

On that "needs Onboard" role and captive portal, you can even present a form that would be emailed to the IT helpdesk or administrator which would keep a record of who and what device was requesting access.  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II

Re: Clearpass Onboarding by IT admins only, not by employees

Hello guys,

Thank you for the reply.

Redirecting the user (with the Need-Onboard role) to a webpage 'Contact IT admin' sounds good.

But after this, if that employee goes to the IT admin for onboarding, the IT admin will still be in the 'Need-Onboard' role during his onboard pre-provisioning, right?

How can I differentiate whether the user is attempting onboarding or the IT admin is attempting the onboarding?

Re: Clearpass Onboarding by IT admins only, not by employees

How about a provisioning ssid with a PSK?

Sent from my iPhone
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba

Re: Clearpass Onboarding by IT admins only, not by employees

You're going to have to choose what works best for the employees.

1. Have an open SSID where the first page is a login page where the IT admin must put in their credentials before the device can be provisioned.

2. Allow the users to provision their own devices and put a limit of one device per username.

3. As Seth suggested, put up a SSID in the IT area only that is PSK so provisioning can only be done in a specified area.

4. If the devices are only PCs then you could also only provision over the wired network, and OnBoarding will provision both wired and wireless.

Remember that the certs you will get will be based on the username that you use to provision, so you will need to have the user put in their credentials if you want the device tied to the user.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II

Re: Clearpass Onboarding by IT admins only, not by employees

Hi Troy,

That's simply awesome! This is exactly what we want!!

Just love this community forum and the way you guys help us!!! Thank you!!

Thanks,

Bharani..

Contributor II

Re: Clearpass Onboarding by IT admins only, not by employees

Hey guys,

Also I would like to check on this.

We are using EAP-TLS (using certificates) for authentication after onboarding. We've added Onboard repository as auth source in 802.1x aruba wireless service as well.

The enforcement policy will be like:

1. If authentication outer method equals EAP-TLS, then enforcement profile is 'already onboarded'

2. If authentication source equals Onboard repository, then enforcement profile is 'already onboarded'

But every time only the 1st condition is successful; the 2nd condition is not successful, even after onboarding.

CPPM is always choosing 'AD' as our auth source, not our Onboard repository.

Why is that?

Thanks,
Bharani..
Aruba

Re: Clearpass Onboarding by IT admins only, not by employees

ClearPass always works from the top down, and if it found the user that the cert is assigned to, it will always go with AD as the authentication source.

In my enforcement I'm just checking to see what AD role the user has and whether it authenticates with TLS. All others go to onboarding.

Here is a sample of my production service.

[Five screenshots of the production service configuration were attached to the original post: screenshot_01 through screenshot_05, Oct. 22.]

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
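The behaviour Troy describes (sources walked top-down, the first source that knows the user becomes Authentication:Source, and enforcement rules evaluated first-match) is the reason Bharani's second rule never fires. The following is an added example, not ClearPass code and not from anyone in this thread: a toy Python model of that evaluation. The directories, the username, the attribute names and the rule bodies are constructed for illustration; it shows why a rule on Authentication:Source is dead when AD is listed above the Onboard repository, and why a rule on AD group membership plus EAP-TLS works regardless of which source answered.

```python
"""Toy model of top-down, first-match policy evaluation in a RADIUS policy
engine such as ClearPass. Constructed example, not ClearPass code: the
directories, usernames and rule bodies below are made up to illustrate
why a rule on Authentication:Source never fires when AD is listed first."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]
# (rule name, condition over the request attributes, enforcement profile)
Rule = Tuple[str, Callable[[Attrs], bool], str]

# Constructed directories. The same employee exists in both: AD holds the
# account and its group, the Onboard repository holds the device provisioned for it.
AD = {"bharani": {"memberOf": ["Employees"]}}
ONBOARD = {"bharani": {"device": "iPhone", "onboarded": True}}
SOURCES: Dict[str, Dict[str, dict]] = {"AD": AD, "Onboard Repository": ONBOARD}


@dataclass
class Request:
    username: str
    outer_method: str              # "EAP-TLS" or "EAP-PEAP"
    cert_cn: Optional[str] = None  # subject CN of the client cert, EAP-TLS only


def resolve_source(username: str, source_order: List[str]) -> Optional[str]:
    """Walk the service's authentication sources in order and return the first
    one that knows the user. This models the 'works from the top down' behaviour
    described in the thread: the first listed source containing the user
    becomes Authentication:Source."""
    for name in source_order:
        if username in SOURCES[name]:
            return name
    return None


def build_attrs(req: Request, source_order: List[str]) -> Attrs:
    """Assemble the attribute dictionary the enforcement rules are evaluated against."""
    source = resolve_source(req.username, source_order)
    attrs: Attrs = {
        "Authentication:OuterMethod": req.outer_method,
        "Authentication:Source": source,
        "Authorization:AD:memberOf": AD.get(req.username, {}).get("memberOf", []),
    }
    if req.cert_cn is not None:
        attrs["Certificate:Subject-CN"] = req.cert_cn
    return attrs


def evaluate(req: Request, source_order: List[str], rules: List[Rule],
             default_profile: str = "Need_Onboard") -> Tuple[str, Optional[str]]:
    """First matching rule wins; if nothing matches, the default profile applies.
    Returns (enforcement profile, name of the rule that matched, or None)."""
    attrs = build_attrs(req, source_order)
    for name, cond, profile in rules:
        if cond(attrs):
            return profile, name
    return default_profile, None


# The two rules from the question, kept as separate policies so we can see which fires.
RULE_TLS: Rule = ("outer method is EAP-TLS",
                  lambda a: a["Authentication:OuterMethod"] == "EAP-TLS",
                  "already onboarded")
RULE_SOURCE: Rule = ("auth source is Onboard Repository",
                     lambda a: a["Authentication:Source"] == "Onboard Repository",
                     "already onboarded")
# Troy's approach: AD group membership AND EAP-TLS, independent of which source answered.
RULE_AD_GROUP_TLS: Rule = ("AD Employees group over EAP-TLS",
                           lambda a: "Employees" in a["Authorization:AD:memberOf"]
                           and a["Authentication:OuterMethod"] == "EAP-TLS",
                           "already onboarded")


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the onboarded device through several service layouts."""
    tls = Request("bharani", "EAP-TLS", cert_cn="bharani")
    peap = Request("bharani", "EAP-PEAP")
    ad_first = ["AD", "Onboard Repository"]
    onboard_first = ["Onboard Repository", "AD"]
    return {
        # Rule 2 alone never matches when AD is listed first: the user is found in AD.
        "source rule, AD first": evaluate(tls, ad_first, [RULE_SOURCE]),
        # Reordering the sources makes Authentication:Source = Onboard Repository.
        "source rule, Onboard first": evaluate(tls, onboard_first, [RULE_SOURCE]),
        # Troy's rule does not care which source answered.
        "AD group + TLS, AD first": evaluate(tls, ad_first, [RULE_AD_GROUP_TLS]),
        # A PEAP login from the same user still falls through to onboarding.
        "AD group + TLS, PEAP": evaluate(peap, ad_first, [RULE_AD_GROUP_TLS]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:30s} -> {result}")
```

The model deliberately separates source resolution from rule evaluation: reordering the sources changes which rule can match, but a rule keyed on group membership plus outer method is insensitive to that ordering, which is what Troy's production service relies on.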
Contributor II

Re: Clearpass Onboarding by IT admins only, not by employees

Another wonderful explanation! Thank you.

So, am I correct to say that if I use EAP-PEAP (after onboarding) instead of EAP-TLS (let's say for iOS devices), Onboard_repository will be considered as one of the auth sources?

Regards,

Bharani...
