I have deployed Aruba Instant + ClearPass Policy Manager in our environment. ClearPass Policy Manager has been configured with a RADIUS service and integrated with our existing Windows AD. The clients authenticate with their AD account every time they connect to the Wi-Fi network.
I found that on iOS devices, the client can connect to Wi-Fi by just entering their AD credentials. But for Android and Windows 7 clients, I need to create a Wi-Fi profile manually on their devices, specifying the auth method (e.g. EAP-PEAP) and no CA validation. Is there any configuration available on Aruba Instant or ClearPass that I can change so that we can avoid creating a Wi-Fi profile on Android and Windows 7 clients, and they can connect to the Wi-Fi network directly just like iOS devices do? Thanks.
Thanks very much for your reply. As far as I know, ClearPass Onboard provides the same web portal login for clients, which guides them to connect to the Wi-Fi network no matter what type of device they are using. However, our environment must allow users to connect to Wi-Fi by just entering their AD credentials, with no other options and no web portal login involved. May I confirm that deploying ClearPass Onboard can handle our situation? Thanks.
No, it doesn't, and it is a bad idea to use AD credentials (PEAP-MSCHAPv2) in such a situation, as the MSCHAPv2 protocol is cracked. Onboard deploys a device-unique certificate to overcome that issue.
To understand why client configuration takes so much effort, check this post for some more background.
@timcappalli First off, Go Pats. Fellow Bostonian here at a company you would be familiar with.
I don't want to derail this thread, but we recently hired a consultant for our CPPM deployment in support of our wireless initiative. We were directed to go with EAP-PEAP as opposed to EAP-TLS because the organization was not in a position to manage a PKI. I'm now concerned because we would be using MSCHAPv2, authenticating our users via AD. Is the Onboard feature a PKI solution?
If you could point me to any documentation that would offer clarity it would be greatly appreciated.
While Onboard does use a PKI, it is not something you have to micromanage like a traditional PKI. You can have ClearPass Onboard configured in less than half an hour.
I would recommend reaching out to your Aruba or partner team to discuss a design.