Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard Machine and User authentication

  • 1.  Onboard Machine and User authentication

    Posted Sep 21, 2017 03:40 PM

    Hi guys,


    today I was in a POC with a customer who has no Microsoft AD. So we came to a point to use Onboard to get certificates and profiles on the clients. Everything works fine. 

    At the end of the day the customer was asking if it is possible to create an onboarding configuration for Windows clients which activates the machine or user authentication. I know we can do this by hand, but we have 300+ clients, so that's not an option.


    Thanks for your thoughts and help!



  • 2.  RE: Onboard Machine and User authentication

    Posted Sep 21, 2017 04:18 PM
    Are they planning to use Active Directory in the future? So they can use User / Machine auth.

    If they do plan to do that then all you have to do is create/push a Group Policy that will configure that for the Windows Domain Device.

    Onguard doesn't have that option but Onboard does.



  • 4.  RE: Onboard Machine and User authentication

    Posted Sep 21, 2017 04:26 PM
    I can't believe that it happened again!! ;-)
    Of course I meant ONBOARD and not ONGUARD.

    The customer is not planning to move to a Microsoft AD environment.
    I know very well that all will be easy as hell with a GPO, but that'll not happen.

    So there is no way to get this config with onboard?


  • 5.  RE: Onboard Machine and User authentication

    EMPLOYEE
    Posted Sep 27, 2017 10:51 AM

    The short story is that you can only have computer accounts with AD in place, as these accounts are created in/by AD.


    If your goal is to Onboard devices that can be used by multiple Windows users (local accounts ;-), you can configure in the Network Settings that the credentials should be stored in the machine account of your client:

    (screenshot: machine-auth.png)

    That will allow multiple users to use the same computer. The Onboard certificate (identity of the requester) will be bound to the computer instead of the account on the computer.


    Please note that for pushing certs in the Machine account, you will need local administrator privileges.

    And you still need to re-onboard all your devices, which might be automated by creating a new CA, checking whether the cert is from the old CA, and redirecting in that case to the onboarding page, where you Onboard with a certificate from the new CA.
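The old-CA-versus-new-CA decision sketched in that last paragraph, as an added example that is not from the post and is not ClearPass code: it models the enforcement decision in Python with the `cryptography` library, generating a hypothetical old and new Onboard CA locally (constructed for this example), and shows why an issuer-name match alone is not enough to trust a certificate.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _build(subject, issuer, issuer_key, subject_key, is_ca):
    # Minimal certificate builder; constructed for this example, not an Onboard CA.
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_ca(cn):
    # Self-signed CA (hypothetical "old" or "new" Onboard CA).
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _build(_name(cn), _name(cn), key, key, True)

def issue_client(ca_key, ca_cert, cn):
    # Client (machine) certificate issued by the given CA.
    key = ec.generate_private_key(ec.SECP256R1())
    return _build(_name(cn), ca_cert.subject, ca_key, key, False)

def issued_by(cert, ca_cert):
    # True only if the issuer DN matches AND the signature verifies under the CA key.
    # Matching the issuer name alone could be satisfied by a look-alike CA.
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def enforcement_action(cert, old_ca_cert, new_ca_cert):
    # Migration policy: new CA -> allow, old CA -> send to re-onboard, anything else -> deny.
    if issued_by(cert, new_ca_cert):
        return "ALLOW"
    if issued_by(cert, old_ca_cert):
        return "REDIRECT_TO_ONBOARD"
    return "DENY"
```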