There are several, but I'm not in the position to recommend any of them as I don't know them very well. The other tools are also commercial solutions, so there is a similar cost as with ClearPass Onboard.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 13, 2023 08:10 AM
From: Owais101
Subject: AD join with proper username@domain path
Dear Herman
You mentioned a similar tool; is there any such tool available except Onboard?
Original Message:
Sent: 12/13/2023 8:06:00 AM
From: Herman Robers
Subject: RE: AD join with proper username@domain path
Are these devices under some sort of device management?
If so, probably best to use that.
If not managed, ClearPass Onboard or similar tool would be the most recommended solution.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 13, 2023 07:39 AM
From: Owais101
Subject: AD join with proper username@domain path
Thanks Herman,
Other than MDM, is there any other way to install certificates on mobile devices?
Original Message:
Sent: 12/13/2023 7:23:00 AM
From: Herman Robers
Subject: RE: AD join with proper username@domain path
For managed devices, Active Directory Group Policies or Mobile Device Management is widely used to enroll client certificates to your clients. Onboard is designed for unmanaged clients, like contractors or BYOD.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 12, 2023 12:00 PM
From: Owais101
Subject: AD join with proper username@domain path
The alternative is EAP-TLS, which requires certificate-based authentication. Can they do it without using Onboard? Is it an easy practice to do EAP-TLS without using Onboard?
Best Regards
Owais Iqbal
CCIE#37956 | ACDX
Technical Consultant - Aruba Networks
Mob/Whatsapp: +92-321-2960496
Original Message:
Sent: 12/12/2023 8:28:00 AM
From: Herman Robers
Subject: RE: AD join with proper username@domain path
For MSCHAPv2, and access to the password for the user, that is what the domain join is needed for. That access to the password for the user is also exactly the reason why you shouldn't use password authentication for 802.1X. If your customer wants password authentication, you should point them to the fact that they are likely to deploy something that is insecure.
TEAP can use MSCHAPv2 as well, and it's much harder to configure it wrong, but TEAP with MSCHAPv2 requires the AD join as well.
As said, it may be that it just works for MSCHAPv2 if the domains are fully trusted and you join one of them, but I don't know, because it has been deprecated for years and I would not suggest doing it at all.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 12, 2023 07:24 AM
From: Owais101
Subject: AD join with proper username@domain path
Dear Herman,
They want to do username/password based authentication using dot1x on Aruba wireless. Since it requires MSCHAPv2, I think we need to join AD. Can we also do this using TEAP and without joining AD?
Original Message:
Sent: 12/12/2023 7:18:00 AM
From: Herman Robers
Subject: RE: AD join with proper username@domain path
You should not need to join Active Directory, unless you need MSCHAPv2 authentication which is deprecated and should be replaced by EAP-TLS or TEAP. The AD join is also only for authentication, and I can imagine that if the domains are fully trusted you can lookup passwords for users in the other domain as well.
This topic is too complex, with too many parameters to discuss in a forum. We would need to better understand what you are trying to achieve, the authentication methods, policies, and network/AD topology, to come to a full design. Working with someone who does understand AD may help, as it may just work, but if you deploy something that is insecure based on that, it's not in anyone's benefit either.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 12, 2023 04:53 AM
From: Owais101
Subject: AD join with proper username@domain path
Dear Experts,
I am not an AD expert, so please bear with me. One of my customers is trying to join CPPM (6.10) to AD. They want to do it using a username@domain path, because according to them their domain controller supports multiple domains and they have the admin account of domain1 only. So they need to enter something like username@domain1.pk. This is how they integrated their Cisco CUCM with their AD as well.
Any idea if it's possible?