ClearPass and Chromebooks

  • 1.  ClearPass and Chromebooks

    Posted Sep 22, 2021 11:15 AM
    Good morning friends,

    I am seeking information in regard to ClearPass and Chromebooks.
    Our district over the years has adopted the use of Chromebooks. When these devices first arrived, a unique AD ID was assigned to each Chromebook in order for that specific Chromebook device to authenticate via EAP-PEAP and then be placed in a specific VLAN and role on campus wireless controllers.

    As we approach 200,000 Chromebooks, AD and InfoSec considerations have revealed themselves and we need to investigate certificate-based authentication. All these devices are student devices, and an automated solution, along with the use of our current Google Admin by which all these devices are managed, is desired. I have begun to research and have engaged our Google Admin team here as well as our Aruba/TAC resources. I do not want to ever revisit this again for the foreseeable future.
    I seek resources for best practices to continue to investigate to determine the best permanent solution. Like everyone out there, we have a unique network. Onboarding is in use for staff devices only. Our guest network is secured, allowing for captive portal and Google Play Store access only. Once onboarded, faculty devices are placed in a specific VLAN.

    Three use cases have emerged.
    1.  How do we automate currently connected Chromebooks from EAP-PEAP to cert-based EAP-TLS?
    2.  We need cert and EAP-TLS deployment via manufacturer "pre-enrollment" processes.
    3.  Certificates will need to be renewed annually. How do we re-deploy?


  • 2.  RE: ClearPass and Chromebooks

    EMPLOYEE
    Posted Sep 23, 2021 09:07 AM
    Unsure if this helps... You can use Onboard to onboard ChromeOS devices: https://www.arubanetworks.com/techdocs/ClearPass/6.10/Guest/Content/Onboard/ConfigProvisioningSettings_supportedDevices.htm

    So if these devices are under the control of the Google Admin Console, this may be your solution. As I don't have access to any Google Workspace account, I have not tried this, so I can't tell if it works. If it doesn't help, reach out to your local Aruba SE and ask them to help you get in contact with the right people in Aruba who do have experience. If you don't know who to contact, please send me a personal message with your contact details; I may find the right person.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass and Chromebooks

    EMPLOYEE
    Posted Sep 23, 2021 10:33 PM
    For all your questions above, I guess you can involve GPO policy from AD to push the cert.
    After that, only a service change is required in CPPM to set the authentication method to EAP-TLS, making sure you understand that the selection process of the authentication mechanism is client-based.

    ------------------------------
    Siddesh Pawar
    ------------------------------