I can tell the client that those are not trusted devices, but I'm pretty sure they will still want to proceed.
The idea is: can ClearPass use its own internal CA, and can we then, depending on which AD group the user is in, send it to a VLAN?
Now how does ClearPass match that part? I mean, the device is using an internal certificate that ClearPass itself issued to give it access.
Somehow it has to read that user X in AD belongs to group Y to send it to VLAN A.
Here the users are not using certificates from the Microsoft CA, so how does it match them?
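To illustrate the matching step asked about above, here is an added example (not ClearPass code, and not from anyone in this thread) that models how an EAP-TLS authorization decision separates the two concerns: the certificate only proves who the user is, a directory lookup on the certificate's CN supplies the AD groups, and the group selects the VLAN returned to the NAS as standard RADIUS attributes (RFC 3580). The issuer name, usernames, group names and VLAN IDs are constructed sample values.

```python
"""Model of a certificate-based (EAP-TLS) authorization decision:
cert proves identity -> directory supplies AD groups -> group picks VLAN."""
from dataclasses import dataclass

# Constructed sample directory: username -> AD groups (hypothetical names).
DIRECTORY = {
    "alice": ["Domain Users", "Finance"],
    "bob":   ["Domain Users", "Engineering"],
    "carol": ["Domain Users"],
}
# Hypothetical group -> VLAN mapping; evaluated in order, first match wins.
GROUP_TO_VLAN = [("Finance", "110"), ("Engineering", "120")]
TRUSTED_ISSUERS = {"CN=ClearPass Onboard CA"}  # constructed issuer DN
FALLBACK_VLAN = "999"  # restricted VLAN for authenticated but unmapped users

@dataclass
class ClientCert:
    issuer: str      # issuer DN as presented in the TLS handshake
    subject_cn: str  # CN carries the username the cert was issued to

def vlan_attributes(vlan_id: str) -> dict:
    """RADIUS attributes (RFC 3580) telling an 802.1X NAS which VLAN to assign."""
    return {"Tunnel-Type": 13,             # VLAN
            "Tunnel-Medium-Type": 6,       # IEEE-802
            "Tunnel-Private-Group-ID": vlan_id}

def authorize(cert: ClientCert, directory=DIRECTORY) -> dict:
    """Return an Access-Accept (with VLAN) or Access-Reject for one session."""
    # 1. Only certificates from the CA we trust count as proof of identity.
    if cert.issuer not in TRUSTED_ISSUERS:
        return {"result": "Access-Reject", "reason": "untrusted issuer"}
    # 2. The cert's CN is the lookup key into AD; a cert for a user that no
    #    longer exists in the directory must fail even though the cert is valid.
    groups = directory.get(cert.subject_cn)
    if groups is None:
        return {"result": "Access-Reject", "reason": "user not found in directory"}
    # 3. Group membership, not the certificate itself, decides the VLAN.
    for group, vlan in GROUP_TO_VLAN:
        if group in groups:
            return {"result": "Access-Accept", "reason": f"member of {group}",
                    **vlan_attributes(vlan)}
    return {"result": "Access-Accept", "reason": "no mapped group",
            **vlan_attributes(FALLBACK_VLAN)}
```

The same three checks apply whether the certificate came from the internal CA or from a Microsoft CA; only the trusted issuer set changes.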
Original Message:
Sent: Nov 16, 2023 01:39 PM
From: ahollifield
Subject: onboard mac user and machine certificate
It would be but it can be very hard to manage. What is the use-case for allowing unmanaged mobile devices onto the protected network? How do you know that device isn't jailbroken or has untrusted applications installed on it? This is one of the other reasons to ALWAYS use an MDM.
Original Message:
Sent: 11/16/2023 1:33:00 PM
From: cdelarosa
Subject: RE: onboard mac user and machine certificate
But the only thing I want is the certificate, and to put the device on the correct VLAN depending on the AD group.
That's all.
I'll not use OnBoard for anything else.
If I just use it for that, would it be OK?
Original Message:
Sent: Nov 16, 2023 01:27 PM
From: ahollifield
Subject: onboard mac user and machine certificate
No, use an MDM. You can use OnBoard for this, but BYOD from any NAC vendor is a never-ending mess of device OS updates, patching the NAC product, Google Play Store URLs, etc. The only way to do this reliably at scale is to use an MDM.
Original Message:
Sent: 11/16/2023 1:17:00 PM
From: cdelarosa
Subject: RE: onboard mac user and machine certificate
Ahollifield, we can put up another SSID and send it to a VLAN that is restricted, but they already have so many SSIDs; we are trying to reduce about 10 SSIDs to 3 or 2.
So there is no way to do this:
Give the Apple devices a certificate so they can log in to the internal network? It's a requirement the client wants, and they would like, if it's possible, to use some of their OnBoard licences for that so they do not have to configure them manually.
My question to this would be:
Can we work with the internal CA of ClearPass for this?
If we work with the internal CA for the certificate, can we still manage to say that if a user is in X group of AD, send it to X VLAN?
Anyone?
Original Message:
Sent: Nov 03, 2023 08:05 AM
From: ahollifield
Subject: onboard mac user and machine certificate
What is the use-case for OnBoard at all? Why allow unmanaged/unprotected machines to join the internal network? Could your use-case be solved with a guest flow instead?
Doing BYOD with Apple devices successfully and with any measure of scale requires an MDM.
Original Message:
Sent: Nov 02, 2023 03:03 PM
From: cdelarosa
Subject: onboard mac user and machine certificate
Hello, I would like to know if, with the onboarding system and with the CA that ClearPass has, it can onboard a machine and user certificate, but for Macs and iPads, so I can make rules on Policy Manager that require both the user certificate and the machine certificate to validate to get into the network.
Right now they are just authenticating with user certificates in the internal network for Windows, with a Windows CA, with no issues.
They want now to do machine and user authentication for Windows, which I think I can do,
but for Macs they want to do it automatically, so we thought of OnBoard. But can the Mac do machine and user authentication with certificates? Also, can OnBoard give them both certificates with the ClearPass CA?