Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard provisioning while using 802.1x GPO

  • 1.  Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 01:53 PM

    I am in the midst of setting up Onboard for my wired 802.1x environment.

     

    In order to enable 802.1x on Windows clients, I have deployed a GPO that turns on Wired AutoConfig and configures the 802.1x service to use EAP PEAP as authentication.

     

    When trying to Onboard a client, the QuickConnect provisioner needs to change the 802.1x config to EAP TLS; however, due to the GPO, the 802.1x settings cannot be changed and QuickConnect fails to properly provision the client.

     

    Has anyone else run into the same situation and what was your solution?

    Were you able to still enable and configure 802.1x settings via GPO and somehow have QuickConnect provisioner update to EAP TLS when Onboarding?



  • 2.  RE: Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 02:10 PM
    You should consider removing the GPO and instead redirecting the device to the Onboarding Captive Portal page.

    I would recommend using ADCS and Cert autoenrollment if you are planning on deploying certificates for Windows Domain devices.

    Onboarding is meant to be used for BYOD.



  • 3.  RE: Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 02:19 PM

    So I need the Windows workstations to have Wired Autoconfig service set to auto start, as by default it is a manual start service.

     

    And I also need clients to have 802.1x configured for EAP-PEAP that will not be Onboarding.

     

    Would I just be better off manually applying the 802.1x settings on the Windows client?



  • 4.  RE: Onboard provisioning while using 802.1x GPO
    Best Answer

    EMPLOYEE
    Posted Mar 19, 2020 03:05 PM

    Yes, the supplicant needs to be configured via your management platform.

     

    CPPM Onboard Assisted Provisioning is not supported for managed devices.



  • 5.  RE: Onboard provisioning while using 802.1x GPO

    Posted Mar 19, 2020 03:47 PM

    Thank you, that seems to put this in order for me.

     

    At the current stage of our deployment, it's wired 802.1x for domain machines and MAC Auth for networked devices. We also plan on deploying OnGuard for 802.1x posture checks. Onboard doesn't seem to have any use in our intended setup based on what you've explained.
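
Added example, not part of the thread: a PowerShell check of the two client-side settings discussed above, the Wired AutoConfig (dot3svc) start mode and the EAP method in the wired profile (IANA EAP type 13 is EAP-TLS, 25 is PEAP). The sample profile is constructed, and the function name `Get-WiredEapMethod` and the export folder are assumptions made for illustration.

```powershell
# Added example (not from the thread). EAP method numbers are IANA-assigned.
$EapNames = @{ '13' = 'EAP-TLS'; '25' = 'PEAP' }

function Get-WiredEapMethod {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # The outer <EapMethod><Type> element names the method the supplicant negotiates.
    $node = $ProfileXml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    if (-not $node) { return 'no EAP method in profile' }
    $type = $node.InnerText.Trim()
    if ($EapNames.ContainsKey($type)) { $EapNames[$type] } else { "EAP type $type" }
}

# Constructed sample profile (trimmed) so the parser can be tried without a live interface.
$sample = [xml]@'
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security><OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>
'@
"Sample profile: $(Get-WiredEapMethod -ProfileXml $sample)"

# Live check: Wired AutoConfig (dot3svc) start mode, then each exported wired profile.
$svc = Get-CimInstance Win32_Service -Filter "Name='dot3svc'"
"dot3svc StartMode=$($svc.StartMode) State=$($svc.State)"
if ($svc.State -eq 'Running') {
    # Assumed scratch folder; netsh writes one XML file per wired interface profile.
    $dir = Join-Path $env:TEMP 'wired-profiles'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    netsh lan export profile folder="$dir" | Out-Null
    Get-ChildItem -Path $dir -Filter *.xml | ForEach-Object {
        "{0}: {1}" -f $_.BaseName, (Get-WiredEapMethod -ProfileXml ([xml](Get-Content -Raw $_.FullName)))
    }
}
```

A StartMode of `Manual` means Wired AutoConfig is still at its default, so the client will not attempt 802.1x on its own until the management platform sets the service to start automatically.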