Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

onboard mac user and machine certificate

  • 1.  onboard mac user and machine certificate

    Posted Nov 02, 2023 03:04 PM

    Hello, I would like to know if, with the onboarding system and the CA that ClearPass has, it can onboard a machine and user certificate, but for Macs and iPads, so I can make rules in the Policy Manager that require both a user certificate and a machine certificate to validate to get into the network.

    Right now they are just authenticating with user certificates on the internal network for Windows, with a Windows CA, with no issues.

    They now want to do machine and user authentication for Windows, which I think I can do,


    but for Macs they want to do it automatically, so we thought of Onboard. But can the Mac do machine and user authentication with certificates? Also, can Onboard give them both certificates from the ClearPass CA?



  • 2.  RE: onboard mac user and machine certificate

    Posted Nov 02, 2023 04:11 PM

    The other issue I'm thinking I will have with the Macs and iPads is that if I use the internal CA of ClearPass, how will I send them to the correct VLAN depending on their user that is created in AD? I will have to somehow

    I don't know if this option would be the best for that situation?

    Any ideas?




  • 3.  RE: onboard mac user and machine certificate

    Posted Nov 03, 2023 08:06 AM

    You should use an MDM to enroll the Apple devices and have that MDM push device certificates to the enrolled Apple devices.




  • 4.  RE: onboard mac user and machine certificate

    Posted Nov 03, 2023 08:05 AM

    What is the use-case for OnBoard at all?  Why allow unmanaged/unprotected machines to join the internal network?  Could your use-case be solved with a guest flow instead?

    Doing BYOD with Apple devices successfully and with any measure of scale requires an MDM.




  • 5.  RE: onboard mac user and machine certificate

    Posted Nov 16, 2023 01:17 PM

    Ahollifield, we can put in another SSID and send it to a VLAN that is restricted, but they already have so many SSIDs; we are trying to reduce from like 10 SSIDs to 3 or 2.

    So there is no way to do this:

    Give the Apple devices a certificate so they can log in to the internal network? It's a requirement the client wants, and they would like to use, if it's possible, some of their Onboard licences for that so they do not have to configure them manually.

    My question on this would be:

    Can we work with the internal CA of ClearPass for this?

    If we work with the internal CA for the certificate, can we still manage to say that if a user is in X group of AD, send it to X VLAN?

    Anyone?




  • 6.  RE: onboard mac user and machine certificate

    Posted Nov 16, 2023 01:27 PM

    No, use an MDM. You can use OnBoard for this, but BYOD from any NAC vendor is a never-ending mess of device OS updates, patching the NAC product, Google Play Store URLs, etc. etc. The only way to do this reliably at scale is to use an MDM.





  • 7.  RE: onboard mac user and machine certificate

    Posted Nov 16, 2023 01:33 PM

    But the only thing I want is the certificate, and to put it on the correct VLAN depending on the AD group.

    That's all.

    I'll not use Onboard for anything else.

    If I just use it for that, would it be OK?




  • 8.  RE: onboard mac user and machine certificate

    Posted Nov 16, 2023 01:40 PM

    It would be, but it can be very hard to manage. What is the use-case for allowing unmanaged mobile devices onto the protected network? How do you know that device isn't jailbroken or has untrusted applications installed on it? This is one of the other reasons to ALWAYS use an MDM.






  • 9.  RE: onboard mac user and machine certificate

    Posted Nov 16, 2023 02:19 PM

    I think those VLANs have restricted internal access.

    I can tell the client that those are not trusted devices, but I'm pretty sure they will still want to proceed.

    The idea is: can ClearPass use the internal CA of ClearPass? And, depending on which AD group the user is in, can it send them to a VLAN?

    Now how does ClearPass match that part? I mean that it is using an internal cert that the internal ClearPass CA issued to give them access.

    Somehow it has to read that user X of the AD belongs to group Y to send them to VLAN A.

    Here the users are not using certificates from the Microsoft CA, so how does it match it?

    I'm just a little confused on that part.
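The matching step that posts 7 and 9 ask about, as an added example that is not part of this thread and not ClearPass code: a simplified Python model of the authorization logic. It assumes that the RADIUS server first checks the client certificate's issuer (only the Onboard CA is trusted here), then takes the username out of the certificate (SAN UPN, falling back to the CN), looks that name up in AD as an authorization source to get group membership, and finally evaluates an ordered list of group-to-VLAN rules. The issuer DN, the account names, the groups, and the VLAN numbers are all constructed.

```python
"""Added example: which-CA vs which-VLAN are two separate decisions.
The CA only decides whether the certificate is trusted; the VLAN comes from an
AD group lookup keyed on the username carried in the certificate."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed issuer DN standing in for the ClearPass Onboard CA. Certificates
# from any other issuer are rejected before any AD lookup happens.
TRUSTED_ISSUER = "CN=Onboard CA,O=Example Corp"


@dataclass
class ClientCert:
    """The few certificate fields the policy uses (constructed, not a real X.509 parser)."""
    subject_cn: str
    issuer: str
    san_upn: Optional[str] = None   # user@realm, typical for user certificates
    san_dns: Optional[str] = None   # host FQDN, typical for machine certificates


# Constructed stand-in for what an AD authorization-source lookup returns:
# sAMAccountName -> set of group names.
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "Engineering"},
    "bob": {"Domain Users", "Finance"},
    "carol": {"Domain Users"},
    "dave": {"Domain Users", "Engineering", "Finance"},
}

# Ordered rules evaluated top-down; the first match wins, like an enforcement policy.
VLAN_RULES = [
    ("Engineering", 110),
    ("Finance", 120),
]
RESTRICTED_VLAN = 999   # constructed fallback for a valid account that matches no rule


def identity_from_cert(cert: ClientCert) -> str:
    """Username from the SAN UPN when present, else the CN; realm and domain prefix stripped."""
    raw = cert.san_upn or cert.subject_cn
    user = raw.split("@", 1)[0]          # alice@corp.example -> alice
    if "\\" in user:
        user = user.split("\\", 1)[1]    # CORP\alice -> alice
    return user.strip().lower()


def authorize(cert: ClientCert, ad_groups: Dict[str, Set[str]] = AD_GROUPS) -> dict:
    """Return the policy decision for one EAP-TLS client certificate."""
    if cert.issuer != TRUSTED_ISSUER:
        return {"result": "reject", "reason": "issuer not trusted"}
    user = identity_from_cert(cert)
    groups = ad_groups.get(user)
    if groups is None:
        # A trusted certificate alone is not enough: the account must still exist in AD.
        return {"result": "reject", "reason": f"no AD account for {user}"}
    for group, vlan in VLAN_RULES:
        if group in groups:
            return {"result": "accept", "user": user, "matched": group, "vlan": vlan}
    return {"result": "accept", "user": user, "matched": None, "vlan": RESTRICTED_VLAN}


def radius_vlan_attributes(vlan: int) -> Dict[str, str]:
    """RFC 2868 tunnel attributes that carry a dynamic VLAN in an Access-Accept."""
    return {
        "Tunnel-Type": "VLAN",              # RFC 2868 value 13
        "Tunnel-Medium-Type": "IEEE-802",   # RFC 2868 value 6
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    samples = [
        ClientCert("alice", TRUSTED_ISSUER, san_upn="alice@corp.example"),
        ClientCert("CORP\\bob", TRUSTED_ISSUER),
        ClientCert("carol", TRUSTED_ISSUER),
        ClientCert("alice", "CN=Some Other CA,O=Example Corp"),
        ClientCert("mallory", TRUSTED_ISSUER, san_upn="mallory@corp.example"),
    ]
    for c in samples:
        decision = authorize(c)
        attrs = radius_vlan_attributes(decision["vlan"]) if decision["result"] == "accept" else {}
        print(c.subject_cn, decision, attrs)
```

Two points the model makes visible: the rule list is ordered, so an account in both Engineering and Finance lands in the first matching VLAN, and a valid certificate for an account that AD does not know is rejected rather than dropped into a default VLAN. How the username is carried in the certificate (UPN in the SAN versus CN) decides what has to be stripped before the AD lookup, so that field layout is worth fixing in the certificate template before writing the policy.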