
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboarding authentication

  • 1.  Onboarding authentication

    Posted May 24, 2023 02:30 AM


    I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for BYOD on our network. I know that there are multiple options out there to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better than using a single SSID because there can be problems with the network profile configuration when using a single SSID.

    My question is the following:
    When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fill in the user credentials on the provisioning page? Or does the user also have to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send an email to all of the users to inform them about the app, and that is the reason why I need to know if the users need to authenticate on the app as well.

    And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
    And is it safe to let them log in on the webpage using their credentials on an 'open' guest SSID for onboarding?

    Kind regards,


  • 2.  RE: Onboarding authentication

    Posted May 24, 2023 10:37 AM

    How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

  • 3.  RE: Onboarding authentication

    Posted May 25, 2023 07:31 AM

    Well, I thought that you may be able to send the application ("quickconnect app") to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

    But then my question is: is it secure to let the users log in using their AD credentials on the 'open' guest network in order to start the device provisioning?

    "Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

    We are using Intune to enroll domain devices for the employees. But can you also add BYOD to Intune? We only need it to push a unique certificate to the device in order to connect to the corp network; that's why we were looking for OnBoarding.

  • 4.  RE: Onboarding authentication

    Posted May 25, 2023 07:41 AM

    Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

    I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

  • 5.  RE: Onboarding authentication

    Posted May 25, 2023 07:46 AM

    Thanks for the quick response Ahollifield,

    So for my understanding, I can integrate Intune with the BYOD from employees in a company and push a unique certificate using Intune?

  • 6.  RE: Onboarding authentication

    Posted May 25, 2023 07:52 AM

    Yes.  InTune has the ability to push certificates from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

  • 7.  RE: Onboarding authentication

    Posted May 25, 2023 07:58 AM


    Maybe one more stupid question. How can we add 'unmanaged' devices such as BYOD to Intune? Is there an application out there that needs to be installed on the employee's personal devices, or how does this work?

  • 8.  RE: Onboarding authentication

    Posted May 25, 2023 08:05 AM

    No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

  • 9.  RE: Onboarding authentication

    Posted May 25, 2023 08:19 AM

    We currently have three different SSIDs active for clients to connect to:
    Guest SSID – internet access for guests
    BYOD SSID – basically the same as the guest SSID, but for unmanaged BYOD from employees, with only internet access
    Corp SSID – this is the SSID where the domain / managed devices will connect to.

    We want to redesign our network by reducing the SSIDs back to two instead of three. We came across two options:
    1. Guest and BYOD SSID together, where guests have a re-auth time of 4 hours and employees have 8 hours, and the bandwidth is a little higher for employees
    2. BYOD and Corp SSID together with OnBoarding, to have BYOD on the corp SSID with certificates (but still internet only for BYOD)

    And I thought that the first option is a little insecure because we need to let employees connect with their AD credentials on the guest network in order to let Clearpass know that it is an employee instead of a guest, to give a longer re-auth time etc.

  • 10.  RE: Onboarding authentication

    Posted May 25, 2023 08:37 AM

    In this design you should have Corp and Guest only.  Why treat employee personal devices any differently than guests if they both just get basic internet?  If the user logs in with a guest account they get 4 hours or whatever their guest username lifetime is.  If a user logs in with AD credentials then you can cache the MAC for 8 hours, 8 days, whatever you like. Using AD credentials to log into the guest portal is fully supported and fully secure (HTTPS).  There isn't a security risk doing this.  Entering AD credentials directly into an unmanaged client supplicant config for PEAP/MS-CHAPv2 is less secure (MS-CHAPv2 is broken, see MS credential guard) than entering them into a TLS protected HTTPS session.

    Speaking from a wireless/RF standpoint, it is also not typically best practice to bandwidth limit clients.  If the client is throttled (meaning their packets are dropped) this leads to a very poor user experience and causes the applications running on that client to retransmit their traffic, which can potentially lead to more traffic on the wireless network.

  • 11.  RE: Onboarding authentication

    Posted May 25, 2023 08:46 AM

    So your answer would be to put BYOD over the guest SSID without having different re-auth times for the user groups?

  • 12.  RE: Onboarding authentication
    Best Answer

    Posted May 25, 2023 08:57 AM

    No, have both guest and employee devices on the same Open (with OWE enabled!) SSID directed to the ClearPass guest portal.  If the user logs in with a Guest account, enforce with a 4 hour re-auth.  If the user logs with an AD account then enforce with an 8 hour re-auth.

  • 13.  RE: Onboarding authentication

    Posted May 25, 2023 09:27 AM

    One last question. Is this also possible if the guest only needs to authenticate by accepting the terms and conditions? (And the employee with AD credentials?)

  • 14.  RE: Onboarding authentication

    Posted May 25, 2023 09:34 AM

    You should be able to customize the page with both a login box and a "click here to accept" box.  But what keeps employees from just clicking the accept and not actually logging in?  If just accepting terms and conditions is good enough, why not just do that for all users with an 8 hour time limit for all?
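As an added illustration (not code from this thread, from HPE Aruba or from ClearPass itself), the following Python model captures the enforcement logic of the best answer above, a single open SSID whose captive portal caches the client MAC for 4 hours after a guest login and 8 hours after an AD login, together with the point raised in the last reply: a client that only accepts the terms and conditions is never granted the employee role, however the portal page is laid out. The account names, password hashes and MAC addresses are constructed sample data, the `redirect`/`denied` result labels and the injectable clock are assumptions made for the example, and the whole thing stands in for ClearPass's endpoint repository and enforcement policy rather than calling any ClearPass API.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Re-auth windows from the thread: 4 hours for guests, 8 hours for AD-authenticated employees.
GUEST_CACHE_SECONDS = 4 * 3600
EMPLOYEE_CACHE_SECONDS = 8 * 3600


def _h(password: str) -> str:
    # Hash helper for the constructed sample stores below (not a production credential store).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample accounts (hypothetical users, not taken from the thread).
AD_ACCOUNTS = {"alice": _h("Correct-Horse-7")}      # stands in for the AD employee directory
GUEST_ACCOUNTS = {"visitor42": _h("welcome-2023")}  # stands in for sponsored guest accounts


def _check(store, username, password) -> bool:
    """Constant-time comparison of a supplied password against the sample store."""
    expected = store.get(username)
    if expected is None or password is None:
        return False
    return hmac.compare_digest(expected, _h(password))


@dataclass
class CachedEndpoint:
    mac: str
    role: str
    expires_at: float   # epoch seconds after which the client must hit the portal again


class CaptivePortalPolicy:
    """Models the per-MAC decision the NAC makes on the open (OWE) guest/BYOD SSID."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be exercised deterministically
        self.cache = {}           # normalized MAC -> CachedEndpoint

    @staticmethod
    def normalize_mac(mac: str) -> str:
        """Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff; returns colon form."""
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"bad MAC address: {mac!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def authorize(self, mac: str) -> str:
        """Role to enforce for a connecting client, or 'redirect' to send it to the portal."""
        mac = self.normalize_mac(mac)
        entry = self.cache.get(mac)
        if entry is None or entry.expires_at <= self.clock():
            self.cache.pop(mac, None)   # expired cache entries are dropped, forcing re-auth
            return "redirect"
        return entry.role

    def portal_login(self, mac: str, *, accepted_terms: bool,
                     username=None, password=None) -> str:
        """Outcome of a portal submission: 'employee', 'guest' or 'denied'.

        Accepting the terms alone (no username) yields only the guest role, so an
        employee who skips the login box does not get the longer employee window.
        """
        mac = self.normalize_mac(mac)
        if not accepted_terms:
            return "denied"
        if username is None:
            role, ttl = "guest", GUEST_CACHE_SECONDS
        elif _check(AD_ACCOUNTS, username, password):
            role, ttl = "employee", EMPLOYEE_CACHE_SECONDS
        elif _check(GUEST_ACCOUNTS, username, password):
            role, ttl = "guest", GUEST_CACHE_SECONDS
        else:
            return "denied"     # failed logins leave no cache entry behind
        self.cache[mac] = CachedEndpoint(mac, role, self.clock() + ttl)
        return role


if __name__ == "__main__":
    policy = CaptivePortalPolicy()
    mac = "AA-BB-CC-DD-EE-01"   # constructed sample client
    print(policy.authorize(mac))                                   # redirect
    print(policy.portal_login(mac, accepted_terms=True,
                              username="alice", password="Correct-Horse-7"))   # employee
    print(policy.authorize(mac))                                   # employee
    print(policy.portal_login("aa:bb:cc:dd:ee:02", accepted_terms=True))       # guest
```

The model keeps the two decisions the thread separates: `authorize` is what happens at association time (is this MAC still cached, and as what), and `portal_login` is what happens when the user submits the HTTPS portal form. In a real ClearPass deployment the cache lifetime would be an endpoint attribute and the roles would map to enforcement profiles; the model only fixes the ordering of the checks so that a terms-only acceptance can never be upgraded to the 8 hour employee window.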