Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Secure onboard byod provisioning

  • 1.  Secure onboard byod provisioning

    Posted Dec 12, 2017 09:01 AM
    Hi all,

    I have a case with a secure provisioning method using ClearPass.

    My client is worried about the provisioning method, where we still need to enter AD credentials in order to get the TLS certificate from ClearPass.

    The case is that there is a possibility that we connect to a rogue AP SSID and the attacker can get our AD credentials.

    As far as I know, ClearPass Onboard can only integrate with a few MFA solutions like Duo and Kasada, and that kind of MFA solution is not acceptable since it's not a popular MFA provider.

    Is there any best practice for secure BYOD provisioning using ClearPass Onboarding?


  • 2.  RE: Secure onboard byod provisioning

    EMPLOYEE
    Posted Dec 12, 2017 09:07 AM

    You should always use dual SSID Onboarding and integrate with your existing unified login workflow (SSO).



  • 3.  RE: Secure onboard byod provisioning

    Posted Dec 12, 2017 09:34 AM
    Hi Tim,

    If we use dual SSID, let's say I'm using the existing open guest SSID for the onboarding process. Don't we still need to fill in AD credentials to be able to download the QuickConnect?


  • 4.  RE: Secure onboard byod provisioning

    EMPLOYEE
    Posted Dec 12, 2017 09:37 AM
    Of course. How else would you validate the user? You should leverage your existing single sign on workflows for this.


  • 5.  RE: Secure onboard byod provisioning

    Posted Dec 12, 2017 10:21 AM

    Like I said, there is the possibility that the user connects to a rogue AP and provides them the AD credentials. For integration with existing SSO, is there any link related to this?

    I am thinking about another workflow for secure onboard provisioning:

    Let's say the user first completes guest registration like any other guest does. After that they will sign in using the credential sent to their email.

    After this, ClearPass will use two different workflows for guest and BYOD by checking the email domain entered in the guest registration. If the domain is the user's corporate domain, let's say xyz.com, then ClearPass will redirect the user to the onboarding portal; otherwise they will automatically get internet access. This will ensure the user fills in AD credentials on the onboarding portal of the correct corporate WLAN.

    Can we do this?



  • 6.  RE: Secure onboard byod provisioning
    Best Answer

    EMPLOYEE
    Posted Dec 12, 2017 10:36 AM

    How are you preventing these concerns for ANY other web-based login in your environment?

     

    The recommended Onboard flow is:

    1. User connects to your guest network
    2. User clicks the Onboard button
    3. User is taken to your SSO / unified login portal (which should be using an EV certificate for ease of verification)
    4. User logs in and is challenged to an MFA
    5. User performs MFA task and is redirected back to the Onboard portal to be issued their certificate.

     

    I'm not really following how your proposed workflow works / solves anything.
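
    The five-step flow above, as an added simulation that is not ClearPass code or anything from the reply's author. It assumes a hypothetical IdP (`IdentityProvider`) and Onboard portal (`OnboardPortal`) that share an HMAC key standing in for the IdP's signing certificate, and constructed user data. What it shows is the property that answers the thread's rogue-AP concern: the portal sitting on the open guest SSID never receives the AD password at all, only a signed assertion bound to a fresh `state` value and carrying an MFA claim, and it refuses anything unsigned, replayed, stale, or password-only.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret between the hypothetical IdP and the Onboard portal.
# A real SAML/OIDC deployment would verify the IdP's signing certificate instead.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


def sign(assertion: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the assertion."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Hypothetical SSO / unified login portal (steps 3 and 4).
    It is the only party that ever sees the AD password."""

    def __init__(self, users: dict):
        self._users = users  # username -> (password, current OTP); constructed data

    def login(self, username, password, otp, state):
        """Primary credential plus MFA challenge. Returns (assertion, signature) or None."""
        record = self._users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        if otp is None or not hmac.compare_digest(record[1], otp):
            return None
        assertion = {"sub": username, "amr": ["pwd", "mfa"],
                     "state": state, "iat": int(time.time())}
        return assertion, sign(assertion)


class OnboardPortal:
    """Hypothetical Onboard portal reached from the guest SSID. Never handles passwords."""

    def __init__(self, max_age_s: int = 300):
        self._pending = {}  # state -> time the Onboard button was clicked
        self._max_age_s = max_age_s

    def start(self):
        """Step 2: bind this onboarding session to a fresh, unguessable state."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = time.time()
        return {"redirect": "https://sso.example.com/login", "state": state}

    def complete(self, assertion, signature):
        """Step 5: verify the returning assertion; return the subject that would go
        into the issued certificate, or None if the certificate must not be issued."""
        if not hmac.compare_digest(sign(assertion), signature):
            return None  # not signed by the IdP (tampered or unknown origin)
        started = self._pending.pop(assertion.get("state"), None)
        if started is None:
            return None  # unknown or already-consumed state (replay)
        if time.time() - started > self._max_age_s:
            return None  # stale session
        if "mfa" not in assertion.get("amr", []):
            return None  # password-only login is not enough for a device certificate
        return assertion["sub"]


USERS = {"alice": ("correct-horse-battery", "123456")}  # constructed


def run_legitimate_flow():
    """Steps 1-5 end to end: the portal issues a certificate for the SSO subject."""
    idp, portal = IdentityProvider(USERS), OnboardPortal()
    step = portal.start()
    assertion, sig = idp.login("alice", "correct-horse-battery", "123456", step["state"])
    return portal.complete(assertion, sig)


def run_replay():
    """The same assertion presented twice: first accepted, second rejected."""
    idp, portal = IdentityProvider(USERS), OnboardPortal()
    step = portal.start()
    assertion, sig = idp.login("alice", "correct-horse-battery", "123456", step["state"])
    return portal.complete(assertion, sig), portal.complete(assertion, sig)


def run_tampered_assertion():
    """An assertion not signed with the IdP key is rejected even with a valid state."""
    portal = OnboardPortal()
    step = portal.start()
    bogus = {"sub": "alice", "amr": ["pwd", "mfa"], "state": step["state"], "iat": int(time.time())}
    return portal.complete(bogus, sign(bogus, b"some-other-key"))


def run_password_only():
    """A genuine IdP assertion that lacks the MFA claim (misconfigured policy) is rejected."""
    portal = OnboardPortal()
    step = portal.start()
    assertion = {"sub": "alice", "amr": ["pwd"], "state": step["state"], "iat": int(time.time())}
    return portal.complete(assertion, sign(assertion))


if __name__ == "__main__":
    print(run_legitimate_flow(), run_replay(), run_tampered_assertion(), run_password_only())
```

    The design point is that the only host asking for the AD password is the SSO portal, which is why the reply stresses an EV certificate there: the user has one well-known place to verify before typing anything, and the Onboard portal on the guest network only ever consumes a signed, single-use, MFA-backed assertion.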



  • 7.  RE: Secure onboard byod provisioning

    Posted Dec 12, 2017 10:48 AM

    Hi Tim,

     

    The recommended Onboard flow is:

    1. User connects to your guest network
    2. User clicks the Onboard button
    3. User is taken to your SSO / unified login portal (which should be using an EV certificate for ease of verification)
    4. User logs in and is challenged to an MFA
    5. User performs MFA task and is redirected back to the Onboard portal to be issued their certificate.

    Thank you! I will check with the user on this SSO integration possibility.


  • 8.  RE: Secure onboard byod provisioning

    EMPLOYEE
    Posted Dec 12, 2017 10:51 AM
    But how do they get the guest credential? What's to stop a guest from getting an account?


    Doesn't make any sense. Please use the recommended workflow.


  • 9.  RE: Secure onboard byod provisioning

    Posted Dec 12, 2017 11:25 AM

    Hi Tim,

     

    But how do they get the guest credential? What's to stop a guest from getting an account?

     

    By using sponsor approval?

    We can set all guests (including BYOD users) to fill in their PIC for sponsor approval, limited to the corporate xyz.com email domain. For the BYOD case, they can fill in their own corporate email as their sponsor and approve it themselves; then they will get the credential sent to their email. If they enter their corporate email as their identity in the guest registration, they will be redirected to Onboard; otherwise they will only get the ordinary guest rule, which is internet access only, and will not be redirected to onboarding.



  • 10.  RE: Secure onboard byod provisioning

    EMPLOYEE
    Posted Dec 12, 2017 11:29 AM
    I guess, but then you're going to have guest user accounts for all your employees. Seems very counter intuitive.


  • 11.  RE: Secure onboard byod provisioning

    Posted Dec 12, 2017 11:44 AM

    Yes, correct, it doesn't make sense.

    I will try the best practice as you described above,

    and if that's not possible, maybe that's when the WIPS solution will come into play.