Cloud Managed Networks


Central wireless cloud Auth options

  • 1.  Central wireless cloud Auth options

    Posted Jun 15, 2023 09:38 AM

    Hello,

    We recently and successfully completed a lab to test the feasibility of Aruba Central Cloud wireless Auth WPA3-Enterprise paired with MS AD Identity store and it all worked per Aruba's documentation.  We have a few questions that we can't easily find answers to online.

    1. We were not happy with the client onboarding options using either the Aruba Onboard app or the web URL onboard option.  Our organization does not grant users local admin rights, so pushing the Onboard app or passpoint.ppkg file silently from the backend via Intune, JAMF, MS SCCM, etc. all ran into issues requiring local admin credentials or required the user to click through steps.  We were hoping to push everything silently from the back end.  One issue is that we could only push a machine cert vs. a user cert, which did not work for SSID auth.
      ** Does anyone have a link to a discussion or documentation for how to silently add/manage clients to the WPA3 Enterprise SSIDs?
    2. If we want to bypass Central Cloud Auth and ClearPass (we don't have ClearPass and may never have the budget for it), are there options for using our existing MS NPS / RADIUS / EAP / CA, etc. servers for Central managed SSID client auth?  I am not an MS Engineer, and think we're looking for 802.1X, but I am having a devil of a time locating how-to documentation.  So basically, we're looking to lab a different Central managed SSID's cloud auth, but MS managed (not Aruba's Onboard/passpoint.ppkg).

    We appreciate any help or direction you can point us to.

    Thank you,

    Travis



  • 2.  RE: Central wireless cloud Auth options

    Posted Jun 30, 2023 11:15 AM

    Central Cloud Auth is designed for onboarding of devices by end-users (self-service), for non-managed devices. If you have managed devices (you mention Intune), the logical path would be to use Intune/JAMF/AD Group Policies to enroll your clients with client certificates and then configure/run EAP-TLS. In that way, for your managed clients, everything is done in the background without any required user interaction.

    It should be possible to configure NPS to perform EAP-TLS authentication, but I don't know how as I use ClearPass myself.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------