Security

last person joined: 2 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Onboard provisioning while using 802.1x GPO

Jump to Best Answer
This thread has been viewed 3 times
  • 1.  Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 01:53 PM

    I am in the midst of setting up Onboard for my wired 802.1x environment.

     

    In order to enable 802.1x on Windows clients, I have deployed a GPO that turns on Wired AutoConfig and configures the 802.1x service to use EAP PEAP as authentication.

     

    When trying to Onboard a client, the QuickConnect provisioner needs to change the 802.1.x config to EAP TLS, however, due to the GPO, the 802.1x settings cannot be changed and QuickConnect fails to properly provision the client.

     

    Has anyone else run into the same situation and what was your solution?

    Were you able to still enable and configure 802.1x settings via GPO and somehow have QuickConnect provisioner update to EAP TLS when Onboarding?



  • 2.  RE: Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 02:10 PM
    You should consider removing the GPO and instead redirecting the device to the Onboarding Captive Portal page.

    I would recommend to use ADCS and Cert autoenrollment if you are planning on deploying certificates for Windows Domain devices

    Onboarding is meant to be use for BYOD

    Sent from Mail for Windows 10


  • 3.  RE: Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 02:19 PM

    So I need the Windows workstations to have Wired Autoconfig service set to auto start, as by default it is a manual start service.

     

    And I also need clients to have 802.1x configured for EAP-PEAP that will not be Onboarding.

     

    Would I just be better off manually applying the 802.1x settings on the Windows client?



  • 4.  RE: Onboard provisioning while using 802.1x GPO
    Best Answer

    Posted Mar 19, 2020 03:05 PM

    Yes, the supplicant needs to be configured via your management platform.

     

    CPPM Onboard Assisted Provisioning is not supported for managed devices.



  • 5.  RE: Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 03:47 PM

    Thank you, that seems to put this in order for me.

     

    At the current stage of our deployment, its wired 802.1x for domain machines and MAC Auth for networked devices. We also plan on deploying OnGuard for 802.1x posture checks. OnBoard doesn't seem to have any use in our intended setup based on what you've explained.