Hello, I would like to know if, with the onboarding system and with the CA that ClearPass has, it can onboard a machine and a user certificate, but for Macs and iPads, so I can make rules in the Policy Manager that it needs both the user certificate and the machine certificate validated to get on the network.
Right now they are just authenticating with user certificates in the internal network for Windows, with a Windows CA, with no issues.
They now want to do machine and user authentication for Windows, which I think I can do,
but for Macs they want to do it automatically, so we thought of Onboard. But can the Mac do machine and user authentication with certificates? Also, can Onboard give them both certificates with the ClearPass CA?
The other issue I'm thinking I will have with the Macs and iPads is that, if I use the internal CA of ClearPass, how will I send them to the correct VLAN depending on their user that is created in AD? I will have to somehow
I don't know if this option would be the best for that situation?
You should use an MDM to enroll the Apple devices and have that MDM push device certificates to the enrolled Apple devices.
What is the use-case for OnBoard at all? Why allow unmanaged/unprotected machines to join the internal network? Could your use-case be solved with a guest flow instead?
Doing BYOD with Apple devices successfully and with any measure of scale requires an MDM.
Ahollifield, we can put up another SSID and send it to a VLAN that is restricted, but they already have so many SSIDs; we are trying to reduce from like 10 SSIDs to 3 or 2.
So there is no way to do this:
Give the Apple devices a certificate so they can log in to the internal network? It's a requirement the client wants, and they would like to use, if it's possible, some of their Onboard licences for that so they do not have to configure them manually.
My question to this would be:
Can we work with the internal CA of ClearPass for this?
If we work with the internal CA for the certificate, can we still manage to say that if a user is in X group of AD, send it to X VLAN?
But the only thing I want is the certificate, and to put it on the correct VLAN depending on the AD group.
I'll not use Onboard for anything else.
If I just use it for that, would it be OK?
I think those VLANs have restricted internal access.
I can tell the client that those are not trusted devices, but I'm pretty sure they will still want to proceed.
The idea is if ClearPass can have the internal CA of ClearPass, and if we can, depending on which AD group the user is in, send it to a VLAN.
Now, how does ClearPass match that part? I mean that he is using an internal cert that the internal ClearPass is using to give him access.
Somehow it has to read that the user of the AD X belongs to group Y to send it to VLAN A.
Here the users are not using certificates of the Microsoft CA, so how does it match it?
I'm just a little confused on that part.