MVP
Posts: 496
Registered: ‎04-03-2007

Confusion regarding help desk onboarding on behalf of users

We are working on deploying onboarding for one of our departments. BYOD is not going to be supported. Rather, select help desk staff are going to pre-auth with their accounts to initiate the onboarding process. (We're going to capture the end user's username on the same web form, but unrelated to this question.)
If helpdeskagent1 uses their account and onboards a device, that device is now using EAP-TLS with username=helpdeskagent1. What happens when the helpdeskagent1 account is expired/deleted/etc. because that person is no longer employed? Will all devices onboarded by helpdeskagent1 then fail authentication? How does this work?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP
Posts: 4,172
Registered: ‎07-20-2011

Re: Confusion regarding help desk onboarding on behalf of users

Would it be possible to just add certain users in a particular AD group to be allowed to onboard themselves and limit the number of devices that the user can onboard (Unique Devices)?

Or allow the helpdesk to issue the certificates manually to each device.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 496
Registered: ‎04-03-2007

Re: Confusion regarding help desk onboarding on behalf of users

Thanks for the reply, but what I'm after is the answer to what happens to that certificate if the account that created it is disabled/expired in Active Directory. This is a ClearPass-owned certificate. AD is the authentication source for the 802.1X EAP-TLS service. What would happen in this scenario?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP
Posts: 4,172
Registered: ‎07-20-2011

Re: Confusion regarding help desk onboarding on behalf of users

It will still be able to authenticate (which is what you are looking for?).

But in case you wouldn't want that, you could add an additional attribute to look for in AD to prevent an expired or disabled account from connecting when using EAP-TLS.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 496
Registered: ‎04-03-2007

Re: Confusion regarding help desk onboarding on behalf of users

For whoever is seeking the answer in addition to me, the answer is that no, the user will NOT be able to authenticate with the certificate, as the name on the cert is first checked in AD. If the account doesn't exist anymore, the certificate authentication is never attempted.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,185
Registered: ‎09-08-2010

Re: Confusion regarding help desk onboarding on behalf of users

If you disable authorization in the EAP-TLS method, it should still work.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
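The three positions in this thread (Victor: it still authenticates; Ryan: a deleted account fails the AD lookup before the certificate is considered; Tim: disabling authorization on the EAP-TLS method makes it work regardless) differ on one point, whether the identity in the certificate is looked up in the authentication source and what that lookup checks. The Python below is an added example, not ClearPass code and not from any poster, that models that decision against a constructed AD-like directory. The function names, the `directory` dictionary and the `authorization_enabled` / `check_account_state` switches are this example's own assumptions; ClearPass's actual option names and internal evaluation order are not reproduced. The AD attribute semantics it uses (userAccountControl bit 0x2 = ACCOUNTDISABLE, accountExpires as a Windows FILETIME with 0 or 0x7FFFFFFFFFFFFFFF meaning "never") are real and are the attributes a practitioner would add to the authorization check Victor describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# userAccountControl bit Active Directory sets when an account is disabled.
ACCOUNTDISABLE = 0x0002
# accountExpires values Active Directory uses for "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# FILETIME epoch: accountExpires counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Decode an accountExpires value; None means the account never expires."""
    if ft in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build the sample directory."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass
class Decision:
    accepted: bool
    reason: str


def authorize_eap_tls(cert_identity: str, directory: Dict[str, dict],
                      authorization_enabled: bool = True,
                      check_account_state: bool = False,
                      now: Optional[datetime] = None) -> Decision:
    """Policy decision for an EAP-TLS session whose client certificate names cert_identity.

    Hypothetical model (not ClearPass logic): the TLS handshake (chain, validity,
    revocation) is assumed to have passed already; only the authorization step
    against the AD-like directory is modelled.
    """
    now = now or datetime.now(timezone.utc)
    if not authorization_enabled:
        # Tim's option: no directory lookup at all, the certificate alone decides.
        return Decision(True, "accepted: authorization disabled, certificate alone suffices")
    entry = directory.get(cert_identity.lower())
    if entry is None:
        # Ryan's case: the account was deleted, the lookup fails, the session is rejected.
        return Decision(False, f"rejected: {cert_identity} not found in authentication source")
    if check_account_state:
        # Victor's option: enforce AD account state with additional attribute checks.
        if entry["userAccountControl"] & ACCOUNTDISABLE:
            return Decision(False, f"rejected: {cert_identity} is disabled (userAccountControl)")
        expires = filetime_to_datetime(entry["accountExpires"])
        if expires is not None and expires <= now:
            return Decision(False, f"rejected: {cert_identity} expired {expires:%Y-%m-%d}")
    return Decision(True, f"accepted: {cert_identity} found in authentication source")


# Constructed sample directory (not real AD data): helpdeskagent1 left and was disabled,
# helpdeskagent2 has a past accountExpires date, helpdeskagent3 is active. 0x0200 is
# NORMAL_ACCOUNT.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_DIRECTORY = {
    "helpdeskagent1": {"userAccountControl": 0x0200 | ACCOUNTDISABLE, "accountExpires": 0},
    "helpdeskagent2": {"userAccountControl": 0x0200,
                       "accountExpires": datetime_to_filetime(
                           datetime(2024, 1, 31, tzinfo=timezone.utc))},
    "helpdeskagent3": {"userAccountControl": 0x0200, "accountExpires": 0x7FFFFFFFFFFFFFFF},
}


def run_scenarios() -> Dict[str, bool]:
    """Evaluate the thread's cases under each configuration; returns case name -> accepted."""
    cases = {
        "deleted account, authorization on": ("helpdeskagent0", True, False),
        "disabled account, authorization on, no state check": ("helpdeskagent1", True, False),
        "disabled account, authorization on, state check": ("helpdeskagent1", True, True),
        "expired account, authorization on, state check": ("helpdeskagent2", True, True),
        "active account, authorization on, state check": ("helpdeskagent3", True, True),
        "deleted account, authorization off": ("helpdeskagent0", False, False),
    }
    return {name: authorize_eap_tls(ident, SAMPLE_DIRECTORY, auth_on, state, NOW).accepted
            for name, (ident, auth_on, state) in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6}  {name}")
```

Running it shows why the posters disagree without anyone being wrong: a disabled (but still present) account passes the plain existence lookup, so Victor's "it will still authenticate" holds unless the userAccountControl/accountExpires checks are added; a deleted account fails the lookup, so Ryan's "never attempted" holds; and with authorization switched off, as Tim says, both cases are accepted on the certificate alone. For the original scenario (help desk staff enrolling devices under their own identity) the practical consequence is that device certificates are tied to the enrolling agent's account lifecycle unless authorization is disabled, in which case certificate revocation becomes the only way to cut a device off.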