Security
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard wired devices

  • 1.  Onboard wired devices

    Posted Mar 02, 2018 04:23 AM

    Hi,

    I'm having difficulty coming up with a solution for onboarding wired devices (mostly Windows 10 hosts). One of the common ways is to first authenticate them with PEAP, and then let ClearPass return the URL for the switch to redirect users to the onboard page. But my environment uses Azure AD and we don't want to join ClearPass to this AD, which makes PEAP-MSCHAPv2 impossible.

    So, is there any other way to automatically redirect wired devices to the onboard page, and after they've been provisioned we'll let them authenticate with EAP-TLS?

    Any ideas are greatly appreciated.

    Regards,



  • 2.  RE: Onboard wired devices

    EMPLOYEE
    Posted Mar 02, 2018 04:32 AM

    Hi,

    As you have mentioned, you don't want to join CP to Azure AD, so you really are limiting your options, as you still need a way to authenticate the devices prior to onboarding.

    An option could be wired enforcement with captive portal, then use SAML SSO to authenticate the user to ADFS (or another SAML provider).



  • 3.  RE: Onboard wired devices

    Posted Mar 02, 2018 05:01 AM

    Hi Matthew,

    I'm using an ArubaOS switch, and I see that it has the option to specify multiple authentication methods on the port (802.1X, MAC auth, captive portal). But if we set 802.1X first and then captive portal, the users would have to fail 802.1X before being able to fall back to captive portal, which is not very good in terms of user experience. And if we set captive portal first, they might be redirected every time the port comes up, and not be able to authenticate by EAP-TLS.

    That's what I understand about the ArubaOS switch's behavior, and I'm afraid it may not work that way. Am I missing something?

    Regards,



  • 4.  RE: Onboard wired devices

    EMPLOYEE
    Posted Mar 02, 2018 05:47 AM

    Yes, the user would fail auth, but as you are not wanting to join AD, your options are very limited.



  • 5.  RE: Onboard wired devices

    Posted Mar 02, 2018 08:06 AM
    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 6.  RE: Onboard wired devices

    EMPLOYEE
    Posted Mar 02, 2018 08:14 AM
    Simply set up a wired captive portal workflow to take the user through the process.


  • 7.  RE: Onboard wired devices

    Posted Mar 03, 2018 07:22 AM

    Hi Tim,

    I think for that to work we need to configure both 802.1X and captive portal on the switch port, with captive portal as the fallback. And the user would have to fail 802.1X first before captive portal and the onboard process are applied. Correct?



  • 8.  RE: Onboard wired devices

    EMPLOYEE
    Posted Mar 03, 2018 09:32 AM
    Yes. Please look at the ClearPass Solution Guide for Wired Policy Enforcement.
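The flow agreed in this thread (802.1X/EAP-TLS first, captive portal as the fallback, SAML SSO on the portal, then Onboard issues a certificate so the next connection passes EAP-TLS) can be modelled as a small policy simulation. The following is an added example written for this page; it is not ClearPass, Onboard or ArubaOS-Switch code, and the role names, the issuer string, the portal URL and the SAML domain are illustrative assumptions. It also shows the ordering problem raised in post 3: with captive portal first, an already onboarded device is still redirected.

```python
"""Model of the wired onboarding flow discussed in this thread.

Added example, not ClearPass, Onboard or ArubaOS-Switch code. The role names,
the issuer string, the portal URL and the SAML domain are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

ONBOARD_URL = "https://clearpass.example.com/onboard/"   # assumed portal URL
ONBOARD_CA = "CN=Onboard CA"                             # assumed cert issuer
CORP_DOMAIN = "corp.example.com"                          # assumed SAML domain


@dataclass
class Endpoint:
    mac: str
    cert_issuer: Optional[str] = None   # issuer of the client certificate, if any
    sso_user: Optional[str] = None      # set once SAML SSO on the portal succeeds


@dataclass
class Decision:
    method: str                          # auth method that produced the result
    role: str                            # "employee", "onboard-redirect" or "deny"
    redirect_url: Optional[str] = None
    attempts: list = field(default_factory=list)   # methods tried, in order


def eap_tls(ep: Endpoint) -> Optional[str]:
    """802.1X/EAP-TLS: accept only certificates issued by the Onboard CA.
    PEAP-MSCHAPv2 is not offered because ClearPass is not joined to AD."""
    if ep.cert_issuer == ONBOARD_CA:
        return "employee"
    return None                          # Access-Reject; the switch falls through


def captive_portal(ep: Endpoint) -> Optional[str]:
    """Captive portal never rejects: the endpoint gets the redirect role."""
    return "onboard-redirect"


METHODS = {"802.1X": eap_tls, "captive-portal": captive_portal}


def authenticate_port(ep: Endpoint, auth_order) -> Decision:
    """Try the port's methods in order; the first one that returns a role wins."""
    attempts = []
    for name in auth_order:
        attempts.append(name)
        role = METHODS[name](ep)
        if role is not None:
            url = ONBOARD_URL if role == "onboard-redirect" else None
            return Decision(name, role, url, attempts)
    return Decision(auth_order[-1], "deny", None, attempts)


def onboard_via_saml(ep: Endpoint, saml_name_id: str) -> bool:
    """Portal step: a SAML assertion from the corporate IdP proves the user,
    then Onboard issues an EAP-TLS certificate to the device."""
    if not saml_name_id.endswith("@" + CORP_DOMAIN):
        return False                     # assertion is not from the corporate IdP
    ep.sso_user = saml_name_id
    ep.cert_issuer = ONBOARD_CA          # device now holds an Onboard-issued cert
    return True


def walkthrough(auth_order=("802.1X", "captive-portal")):
    """Full cycle for a new host: first connect, onboard, reconnect."""
    ep = Endpoint(mac="00:11:22:33:44:55")          # constructed sample endpoint
    first = authenticate_port(ep, auth_order)
    onboarded = False
    if first.role == "onboard-redirect":
        onboarded = onboard_via_saml(ep, "alice@" + CORP_DOMAIN)
    second = authenticate_port(ep, auth_order)
    return first, onboarded, second


if __name__ == "__main__":
    for order in (("802.1X", "captive-portal"), ("captive-portal", "802.1X")):
        first, ok, second = walkthrough(order)
        print(order, "->", first.attempts, first.role, "| onboarded:", ok,
              "| reconnect:", second.attempts, second.role)
```

With 802.1X first, the unprovisioned host fails EAP-TLS once, is redirected, onboards, and on the next connection is accepted by EAP-TLS alone; with captive portal first, the same host is redirected on every connection even after it holds a certificate, which is the behaviour post 3 was worried about.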