Onboard Machine and User authentication

Hi guys,

 

Today I was in a POC with a customer who has no Microsoft AD. So we came to a point to use Onboard to get certificates and profiles on the clients. Everything works fine.

At the end of the day the customer was asking if it is possible to create an onboarding configuration for Windows clients which activates the machine or user authentication. I know we can do this by hand, but we have 300+ clients, so that's not an option.

 

Thanks for your thoughts and help!

Re: Onguard Machine and User authentication

Are they planning to use Active Directory in the future? So they can use User / Machine auth.

If they do plan to do that then all you have to do is create/push a Group Policy that will configure that for the Windows Domain Device.

Onguard doesn't have that option but Onboard does.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA


Re: Onguard Machine and User authentication

I can't believe that it happened again!! ;-)
Of course I meant ONBOARD and not ONGUARD.

The customer is not planning to move to a Microsoft AD environment.
I know very well that all will be easy as hell with a GPO but that'll not happen.

So there is no way to get this config with Onboard?

Re: Onguard Machine and User authentication

The short story is that you can only have computer accounts with AD in place, as these accounts are created in/by AD.

 

If your goal is to Onboard devices that can be used by multiple Windows users (local accounts ;-), you can configure in the Network Settings that the credentials should be stored in the machine account of your client:

[Image: machine-auth.png]

That will allow multiple users to use the same computer. The Onboard certificate (identity of the requester) will be bound to the computer instead of the account on the computer.

 

Please note that for pushing certs in the Machine account, you will need local administrator privileges.

And you still need to re-onboard all your devices, which might be automated by creating a new CA, checking whether the cert is from the old CA, and in that case redirecting to the onboarding page where you Onboard with a certificate from the new CA.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
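
The old-CA check from the last reply, seen from the client side, as an added example that is not part of the thread and not Aruba's code: a PowerShell script that lists the client-authentication certificates in the computer (machine) store and flags the ones issued by the old CA, so you can track which of the 300+ clients still need re-onboarding. The two CA names are placeholders (assumptions); replace them with the common names of your own Onboard CAs.

```powershell
# Added example (not from the thread). Reads Cert:\LocalMachine\My only; nothing is changed.
param(
    [string]$OldCaName = 'EXAMPLE-OLD-ONBOARD-CA',   # assumption: CN of the CA being retired
    [string]$NewCaName = 'EXAMPLE-NEW-ONBOARD-CA'    # assumption: CN of the replacement CA
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU for TLS client authentication (used by EAP-TLS)
$simpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Keep certificates that carry the client-auth EKU, or that have no EKU extension at all
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $clientAuthOid) { continue }
    }

    # Classify by issuer common name; certificates from unrelated CAs are skipped
    $issuerCn = $cert.GetNameInfo($simpleName, $true)
    $status = switch ($issuerCn) {
        $OldCaName { 'RE-ONBOARD: issued by old CA' }
        $NewCaName { 'OK: issued by new CA' }
        default    { $null }
    }
    if (-not $status) { continue }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Subject       = $cert.GetNameInfo($simpleName, $false)
        Issuer        = $issuerCn
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey   # must be True for the cert to be usable for 802.1X
        Status        = $status
    }
}

$report | Format-Table -AutoSize

# Exit code 1 marks a machine that still holds an old-CA certificate,
# so a software-deployment or inventory tool can collect the stragglers.
if ($report | Where-Object { $_.Status -like 'RE-ONBOARD*' }) { exit 1 } else { exit 0 }
```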