Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Confusion regarding help desk onboarding on behalf of users

  • 1.  Confusion regarding help desk onboarding on behalf of users

    Posted Jun 14, 2016 12:08 PM

    We are working on deploying onboarding for one of our departments. BYOD is not going to be supported. Rather, select help desk staff are going to pre-auth with their accounts to initiate the onboarding process. (We're going to capture the end user's username on the same web form, but unrelated to this question.)

     

    If helpdeskagent1 uses their account and onboards a device, that device is now using EAP-TLS with username=helpdeskagent1. What happens when the helpdeskagent1 account is expired/deleted/etc. because that person is no longer employed? Will all devices onboarded by helpdeskagent1 then fail authentication? How does this work?



  • 2.  RE: Confusion regarding help desk onboarding on behalf of users

    Posted Jun 14, 2016 12:58 PM
    Would it be possible to just add certain users in a particular AD group to be allowed to onboard themselves and limit the number of devices that the user can onboard (Unique Devices)?

    Or Allow the helpdesk to issue the certificates manually to each device


  • 3.  RE: Confusion regarding help desk onboarding on behalf of users

    Posted Jun 14, 2016 01:04 PM

    Thanks for the reply, but what I'm after is the answer to what happens to that certificate if the account that created it is disabled/expired in Active Directory. This is a ClearPass-owned certificate. AD is the authentication source for the 802.1X EAP-TLS service. What would happen in this scenario?



  • 4.  RE: Confusion regarding help desk onboarding on behalf of users

    Posted Jun 14, 2016 03:09 PM
    It will still be able to authenticate (which is what you are looking for?)

    But in case you wouldn't want that, you could add an additional attribute to look for in AD to prevent an expired or disabled account from connecting when using EAP-TLS.



  • 5.  RE: Confusion regarding help desk onboarding on behalf of users

    Posted Jun 22, 2016 11:22 AM

    For whoever is seeking the answer in addition to me, the answer is that no, the user will NOT be able to authenticate with the certificate, as the name on the cert is first checked in AD. If the account doesn't exist anymore, certificate authentication is never attempted.



  • 6.  RE: Confusion regarding help desk onboarding on behalf of users

    EMPLOYEE
    Posted Jun 22, 2016 12:02 PM

    If you disable authorization in the EAP-TLS method, it should still work.
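
The decision logic described in posts 4 to 6, as an added model that is not ClearPass code and not part of the thread: with authorization enabled on the EAP-TLS method the certificate name is looked up in AD and a deleted account fails, with authorization disabled a trusted certificate alone is accepted, and an optional AD attribute check (here the `userAccountControl` ACCOUNTDISABLE bit and `accountExpires`, a constructed simplification of the "additional attribute" post 4 suggests) rejects disabled or expired accounts. Directory entries and the check order are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed model of the ClearPass EAP-TLS decision described in the thread;
# the identity compared against AD is the certificate CN (e.g. helpdeskagent1).
ACCOUNTDISABLE = 0x2  # real AD userAccountControl bit for a disabled account


@dataclass
class AdAccount:
    sam: str
    user_account_control: int = 0x200            # NORMAL_ACCOUNT, enabled
    account_expires: Optional[datetime] = None   # None: never expires


@dataclass
class EapTlsService:
    directory: Dict[str, AdAccount]
    authorization_enabled: bool = True   # the EAP-TLS method's authorization toggle (post 6)
    check_account_status: bool = False   # extra AD attribute check (post 4), assumed shape

    def evaluate(self, cert_cn: str, cert_trusted: bool, now: datetime) -> Tuple[bool, str]:
        # Order simplified: certificate trust is checked first here, then AD.
        if not cert_trusted:
            return False, "certificate not trusted"
        if self.authorization_enabled:
            acct = self.directory.get(cert_cn)
            if acct is None:                     # deleted account: lookup fails (post 5)
                return False, "account not found in AD"
            if self.check_account_status:
                if acct.user_account_control & ACCOUNTDISABLE:
                    return False, "account disabled"
                if acct.account_expires and acct.account_expires <= now:
                    return False, "account expired"
        return True, "accept"                    # authorization off: cert alone suffices


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: agent1 disabled, agent2 deleted, agent3 active."""
    now = datetime(2016, 6, 22, tzinfo=timezone.utc)
    ad = {
        "helpdeskagent1": AdAccount("helpdeskagent1", 0x200 | ACCOUNTDISABLE),
        "helpdeskagent3": AdAccount("helpdeskagent3"),
    }
    authz_on = EapTlsService(ad)
    authz_on_strict = EapTlsService(ad, check_account_status=True)
    authz_off = EapTlsService(ad, authorization_enabled=False)
    return {
        "deleted, authz on": authz_on.evaluate("helpdeskagent2", True, now),
        "deleted, authz off": authz_off.evaluate("helpdeskagent2", True, now),
        "disabled, authz on": authz_on.evaluate("helpdeskagent1", True, now),
        "disabled, authz on + attribute": authz_on_strict.evaluate("helpdeskagent1", True, now),
        "active, untrusted cert": authz_off.evaluate("helpdeskagent3", False, now),
    }
```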