In the past, single SSID onboarding was the preferred way; since a few years ago, with changes to Apple iOS and Android, dual SSID onboarding is recommended. With dual SSID you trigger the onboarding from another SSID, like the Guest SSID, and have the corporate SSID configured with the client certificate as credentials.
About the certificate validity time and the renewal process, I think these are connected. There is no fully automated renewal; the user should go through the enrollment process again. I would make the certificate expiration a few months longer than you want the certificate to be renewed. With that, you can check in your policy if there is an amount of validity remaining, and if it is less than, let's say, 6 months, you can do a redirect to a page asking the user to renew the certificate, with a link to the Onboarding page. If you let the certificate expire, it can't be used to authenticate anymore and you can't send any instructions in a captive portal. You can do 1.5 year validity if you want to allow the certificate for 1 year, and have 6 months for the user to connect and renew the certificate. You can also configure ClearPass to send out reminder e-mails to users that have expiring certificates.
Best to get to an agreement with the stakeholders on what is the balance between secure (short validity) and usability (as long as possible validity). This also depends on what your users have access to with that certificate. If it is just internet access, the lifetime can be longer as there is less risk versus providing full internal access (which is not recommended in most cases anyway for unmanaged devices).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
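As an added illustration (not part of Herman's reply and not ClearPass code), a small Python model of the enforcement logic described in the answer above: the lifetime is the intended use period plus a renewal window, a client inside that window is redirected to re-enroll, and an expired certificate is simply rejected because no captive portal can reach it any more. The 1-year/6-month thresholds, the reminder schedule and the issue date are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                          # normal EAP-TLS access
    RENEW_REDIRECT = "redirect-to-onboard"   # still valid, but inside the renewal window
    DENY_EXPIRED = "deny-expired"            # cert no longer usable; user must re-enroll out of band
    DENY_NOT_YET_VALID = "deny-not-yet-valid"


def plan_lifetime(allowed_use: timedelta, renewal_window: timedelta) -> timedelta:
    """Total certificate lifetime = period you really want to allow + grace window for renewal."""
    return allowed_use + renewal_window


def evaluate(not_before: datetime, not_after: datetime, now: datetime,
             renewal_window: timedelta = timedelta(days=182)) -> Decision:
    """Policy decision for one authentication attempt, based only on the cert validity period."""
    if now < not_before:
        return Decision.DENY_NOT_YET_VALID
    if now >= not_after:
        # Too late: the certificate cannot authenticate, so no redirect page can be shown.
        return Decision.DENY_EXPIRED
    if not_after - now <= renewal_window:
        # Still authenticates, so a captive-portal style redirect to the Onboard page is possible.
        return Decision.RENEW_REDIRECT
    return Decision.ALLOW


def reminder_due(not_after: datetime, now: datetime, schedule=(30, 14, 7, 1)) -> bool:
    """True on the days an expiry reminder e-mail should go out (assumed schedule, in days left)."""
    return (not_after - now).days in schedule


# Constructed example: cert issued on the date of the original question, 1.5-year lifetime.
ISSUED = datetime(2021, 2, 19, tzinfo=timezone.utc)
LIFETIME = plan_lifetime(timedelta(days=365), timedelta(days=182))
EXPIRES = ISSUED + LIFETIME

if __name__ == "__main__":
    for offset in (100, 400, 540, 547):
        t = ISSUED + timedelta(days=offset)
        print(f"day {offset:3d}: {evaluate(ISSUED, EXPIRES, t).value}, reminder={reminder_due(EXPIRES, t)}")
```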
Original Message:
Sent: Feb 19, 2021 11:19 AM
From: Ed Carlos Alves de Deus
Subject: ClearPass Onboard - What are the best practices?
Hello everyone
I always wonder what the best practices are to make users authenticate on the network in a secure way and have a good experience during the onboarding process.
Could you share your experience in making this resource available to users?
Once users are onboarded, how does the user certificate renewal process work? Should the user perform the onboarding again?
Is there a way to automate the renewal process?
What is a good period for the validity of the user's certificate?
Thank you