Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnBoard device identity check

  • 1.  OnBoard device identity check

    Posted Nov 07, 2016 11:13 PM

    Hello,

     

    This is probably a silly question, but is there a security risk with OnBoard where a malicious user can extract a client certificate from an already provisioned device and upload it into their device to gain access? If so, what is the best way to guard against this?

     

    Thank you

     

     



  • 2.  RE: OnBoard device identity check

    Posted Nov 08, 2016 06:00 AM

    Hi,

     

    In the default EAP-TLS authentication method the "Authorization Required" setting is enabled. This means that the client must also pass user credentials to successfully authenticate.


     

    Cheers

    James



  • 3.  RE: OnBoard device identity check

    EMPLOYEE
    Posted Nov 08, 2016 08:01 AM
    Onboard certificates are marked as non-exportable so it would be very difficult to export the certificate.

    You can layer on profiling conflict checks as well as potentially do a MAC check against the MAC address embedded in the cert. Remember that the certificate takes the place of only the password. You should leverage the authorization phase to look at other information about the device and user.
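
The layered authorization checks suggested in the last reply, sketched as an added example (not from the thread, and not ClearPass configuration or API code). It assumes the enrolled MAC has already been read out of the certificate and that the client MAC arrives in the RADIUS Calling-Station-Id attribute; the `AuthRequest` fields, decisions and reason strings are hypothetical.

```python
import re
from dataclasses import dataclass

def normalize_mac(value: str) -> str:
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def is_locally_administered(mac: str) -> bool:
    """True when the locally-administered bit is set (typical of OS MAC randomization)."""
    return bool(int(mac[:2], 16) & 0x02)

@dataclass
class AuthRequest:            # hypothetical structure; field names are assumptions
    cert_mac: str             # MAC recorded in the certificate at enrollment
    calling_station_id: str   # RADIUS Calling-Station-Id of the connecting client
    user_enabled: bool        # account of the certificate's user is still active
    profile_conflict: bool    # device fingerprint changed category since enrollment

def authorize(req: AuthRequest) -> tuple:
    """Run after EAP-TLS has succeeded; the certificate only replaces the password."""
    if not req.user_enabled:
        return ("deny", "user-disabled")
    try:
        enrolled = normalize_mac(req.cert_mac)
        seen = normalize_mac(req.calling_station_id)
    except ValueError:
        return ("deny", "malformed-mac")
    if enrolled != seen:
        # A randomized MAC on the enrolled device also lands here, so it is
        # separated out for review instead of being treated as a moved cert.
        if is_locally_administered(seen):
            return ("quarantine", "randomized-mac")
        return ("deny", "mac-mismatch")
    if req.profile_conflict:
        return ("quarantine", "profile-conflict")
    return ("allow", "ok")

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        AuthRequest("00:11:22:33:44:55", "00-11-22-33-44-55", True, False),
        AuthRequest("00:11:22:33:44:55", "0011.2233.4466", True, False),
        AuthRequest("00:11:22:33:44:55", "02:9a:bc:de:f0:12", True, False),
    ]
    for s in samples:
        print(s.calling_station_id, authorize(s))
```
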