Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass onboard - What are the best practices?

  • 1.  Clearpass onboard - What are the best practices?

    Posted Feb 19, 2021 11:19 AM
    Hello everyone

    I always wonder what the best practices are for making users authenticate to the network in a secure way while having a good experience during the onboarding process.

    Could you share your experience in making this resource available to users?

    Once users are onboarded, how does the user certificate renewal process work? Should the user perform the onboarding again?
    Is there a way to automate the renewal process?

    What is a good period for the validity of the user's certificate?

    Thank you


  • 2.  RE: Clearpass onboard - What are the best practices?

    EMPLOYEE
    Posted Feb 22, 2021 07:37 AM
    In the past, single SSID onboarding was the preferred way; for a few years now, since changes to Apple iOS and Android, dual SSID onboarding is recommended. With dual SSID you trigger the onboarding from another SSID, like the Guest SSID, and have the corporate SSID configured with the client certificate as credentials.

    About the certificate validity time and the renewal process, I think these are connected. There is no fully automated renewal; the user should go through the enrollment process again. I would make the certificate expiration a few months longer than you want the certificate to be renewed. With that, you can check in your policy whether there is an amount of validity remaining, and if it is less than, let's say, 6 months, you can do a redirect to a page asking the user to renew the certificate, with a link to the Onboarding page. If you let the certificate expire, it can't be used to authenticate anymore and you can't send any instructions in a captive portal. You can do 1.5-year validity if you want to allow the certificate for 1 year, and have 6 months for the user to connect and renew the certificate. You can also configure ClearPass to send out reminder e-mails to users that have expiring certificates.

    It is best to get to an agreement with the stakeholders on what the balance is between security (short validity) and usability (as long a validity as possible). This also depends on what your users have access to with that certificate. If it is just internet access, the lifetime can be longer as there is less risk versus providing full internal access (which is not recommended in most cases anyway for unmanaged devices).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
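    As an added illustration (not code from this thread, from ClearPass, or from Herman), the validity scheme described above modelled as a small policy evaluator: 1-year usable period plus a 6-month grace window makes a 1.5-year certificate, a certificate inside the grace window still authenticates but is redirected to re-enroll, and an expired one is denied outright because no captive portal can reach it. The 30-day reminder lead time and the sample fleet are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Policy from the thread: 1 year usable plus a 6-month grace window in which the
# user can still connect and is redirected to the Onboard page to re-enroll.
USABLE = timedelta(days=365)
GRACE = timedelta(days=182)          # "less than, let's say, 6 months"
REMINDER_LEAD = timedelta(days=30)   # assumed lead time for reminder e-mails
ALLOW, REDIRECT_RENEW = "allow", "redirect-to-renewal-portal"
DENY_EXPIRED, DENY_NOT_YET_VALID = "deny-expired-must-reonboard", "deny-not-yet-valid"

def plan_validity(usable: timedelta, grace: timedelta) -> timedelta:
    """Lifetime to issue: usable period plus the renew-while-still-connected grace."""
    return usable + grace

CERT_VALIDITY = plan_validity(USABLE, GRACE)   # 547 days, i.e. 1.5 years

def evaluate(not_before: date, not_after: date, today: date) -> str:
    """Enforcement decision for one client certificate on `today`."""
    if today < not_before:
        return DENY_NOT_YET_VALID
    if today > not_after:
        # An expired certificate fails EAP-TLS outright, so there is no session
        # in which a captive portal could show renewal instructions.
        return DENY_EXPIRED
    if not_after - today < GRACE:
        # Still authenticates, but policy sends the user to re-enroll.
        return REDIRECT_RENEW
    return ALLOW

def evaluate_fleet(certs: dict, today: date) -> dict:
    """Decision per endpoint for {name: (not_before, not_after)}."""
    return {name: evaluate(nb, na, today) for name, (nb, na) in certs.items()}

def reminders_due(certs: dict, today: date) -> list:
    """Endpoints whose still-valid certificate expires within REMINDER_LEAD."""
    return sorted(name for name, (_, na) in certs.items()
                  if today <= na <= today + REMINDER_LEAD)

# Constructed sample fleet (not real endpoints); every cert was issued for CERT_VALIDITY.
TODAY = date(2021, 2, 22)
SAMPLE_FLEET = {
    "laptop-fresh":      (TODAY - timedelta(days=21),  TODAY + timedelta(days=526)),
    "laptop-renew":      (TODAY - timedelta(days=510), TODAY + timedelta(days=37)),
    "phone-expiring":    (TODAY - timedelta(days=536), TODAY + timedelta(days=11)),
    "tablet-expired":    (TODAY - timedelta(days=632), TODAY - timedelta(days=85)),
    "desktop-preissued": (TODAY + timedelta(days=1),   TODAY + timedelta(days=548)),
}
```

    Calling `evaluate_fleet(SAMPLE_FLEET, TODAY)` shows that "laptop-renew" is already in the redirect state 37 days before expiry, while "tablet-expired" can no longer be helped by a portal and must re-onboard from the guest SSID.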



  • 3.  RE: Clearpass onboard - What are the best practices?

    Posted Feb 22, 2021 10:32 AM
    Best practices and points to remember while deploying user and machine auth using ClearPass:
      • Objective
      • Windows Domain PC
      • Manually defined Corporate Device
      • Individual Endpoint editing (this is self-explanatory)
      • Bulk Endpoint editing
      • Automatic registration
      • Other Managed Device Databases
    The ClearPass Onboard portal dynamically detects a device's operating system and guides the user through the appropriate steps. ClearPass Onboard also increases the amount of usable context for troubleshooting user- and device-based policies and compliance reporting per device.
    ------------------------------
    Dean Dean
    ------------------------------



  • 4.  RE: Clearpass onboard - What are the best practices?

    Posted Feb 22, 2021 11:30 AM
    Not really following you here. Managed devices are not in scope for ClearPass Onboard assisted provisioning.

    ------------------------------
    Tim C
    ------------------------------