10-06-2015 04:32 AM
I understand that most people implement Onboard for BYOD. Can it be implemented for wired connections as well? For wireless, the client will be redirected to a portal to key in the credentials, and the cert will be pushed down to the device. Is it the same for wired connections? Is there any guide for this?
How can I implement Onboard for an 802.1X-enabled printer? What is the procedure? Does the printer need to create a CSR, or do I simply generate the client cert from Onboard and upload it to the printer?
Please advise. Thanks
10-06-2015 04:37 AM
In terms of wired onboard, you just need to enable the wired options in the provisioning profiles.
10-06-2015 04:38 AM
The purpose of onboard is to automate delivery of a unique credential (most times an EAP-TLS certificate) to a device. Since a printer does not typically have a human operating it, you would just generate an EAP-TLS certificate and upload it to the printer, and that can be done with your own CA. In my experience, putting an EAP-TLS certificate on a printer is a very difficult thing to get done, and you should consult the manufacturer to see exactly what steps need to be done to make this successful. You also have to consider what needs to be done when all the certificates on your printers expire...
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
10-06-2015 05:03 AM - edited 10-06-2015 05:07 AM
Thanks for the quick reply. I am getting a bit confused.
So do I need to do the full CSR process on ClearPass? Doing a full CSR means that I need the printer to do a CSR and have it signed by ClearPass? Or is no CSR needed from the printer, just the CA (ClearPass in my case) to generate the cert and import it to the printer? And so in what situation would a CSR be needed?
My setup is such that my CPPM RADIUS server is signed by the root CA; this caters for a group of users. I have another group of users to be onboarded by the ClearPass CA. How can it be done? Where does the CA reside in ClearPass? Is it in CPPM or Onboard? I assumed it's in Onboard? That means I need to create a root CA in Onboard, and after that I need to download the root CA and let it be trusted in CPPM? Is my concept right? Because I know that CPPM can only do one CSR, right?
10-06-2015 05:11 AM
Not sure I'm following your second question. The radius server certificate does not have to be from the same CA as the client certificate.
10-06-2015 05:27 AM - edited 10-06-2015 05:29 AM
Am I right to say that I will just go into the Onboard settings and create a 'client' cert for the printer and upload it to the printer?
If so, what's the difference between creating a 'client' cert in the CA (ClearPass) and doing a CSR?
10-06-2015 06:26 AM
10-06-2015 06:40 AM
Another question: shouldn't it be the same as for a laptop user? As this is often pushed down by GPO, I have no visibility. On the laptop we only see the user cert and the root CA cert. Where can we find the private key? Having said that, if I were to do a manual import of the cert to the laptop, would I need to import these 3 items too?
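
Added example, not part of the original thread and not ClearPass Onboard's own procedure: the two ways discussed above of getting an EAP-TLS client certificate onto a printer, using plain `openssl` as a stand-in for "your own CA". The CA name, device names, directory layout, password and lifetimes are all assumptions made for the illustration.

```shell
# Constructed lab example: CA name, device names and lifetimes are assumptions.
set -eu
W=$(mktemp -d); mkdir "$W/ca" "$W/printer"
cat > "$W/ca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
make_ca() {  # stands in for "your own CA"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$W/ca/ca.cnf" \
    -subj "/CN=Example Lab CA" -keyout "$W/ca/ca.key" -out "$W/ca/ca.pem" 2>/dev/null
}
new_key_and_csr() {  # $1 = directory where the key is generated, $2 = device name
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
sign_csr() {  # $1 = path to CSR, $2 = device name; the CA needs only the CSR
  openssl x509 -req -in "$1" -CA "$W/ca/ca.pem" -CAkey "$W/ca/ca.key" -CAcreateserial \
    -days 365 -extfile "$W/ca/ca.cnf" -extensions client -out "$W/ca/$2.pem" 2>/dev/null
}
# Path A: key is generated on the CA side, then key + cert + CA cert are bundled for upload.
issue_on_ca() {
  new_key_and_csr "$W/ca" "$1" && sign_csr "$W/ca/$1.csr" "$1" &&
  openssl pkcs12 -export -inkey "$W/ca/$1.key" -in "$W/ca/$1.pem" \
    -certfile "$W/ca/ca.pem" -passout pass:constructed-lab-pass -out "$W/ca/$1.p12"
}
# Path B: device generates the key; only the CSR goes to the CA, only certs come back.
issue_from_csr() {
  new_key_and_csr "$W/printer" "$1" && sign_csr "$W/printer/$1.csr" "$1" &&
  cp "$W/ca/$1.pem" "$W/ca/ca.pem" "$W/printer/"
}
verify_client() {  # chain to the CA and client-auth purpose check
  openssl verify -CAfile "$W/ca/ca.pem" -purpose sslclient "$W/ca/$1.pem" >/dev/null
}
expires_within_days() {  # succeeds if the cert expires inside the window ($2 days)
  ! openssl x509 -in "$W/ca/$1.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
make_ca
issue_on_ca printer-a      # printer-a.p12 carries the private key to the device
issue_from_csr printer-b   # private key exists only under printer/
echo "work dir: $W"
```

In path A the private key has to travel to the device inside the PKCS#12 bundle; in path B it never leaves the device, which is the practical difference between the two approaches. A periodic `expires_within_days` check over the issued certificates is one way to get ahead of the expiry problem raised earlier in the thread.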