How to configure Onboard client certificate expiry notification
How to configure Onboard client expiry notification.
When an Onboard client certificate is about to expire, ClearPass can be configured to send an expiry notification that prompts the end user to re-provision their Onboarded device.
With this, users can have uninterrupted network access without helpdesk/administrator intervention.
To configure expiry notification, log in to ClearPass Guest as a Super Administrator and navigate to Onboard » Deployment and Provisioning » Provisioning Settings. Edit the configured provisioning settings, navigate to the General tab --> Actions and enable Certificate Expiry.
After enabling certificate expiry,
1. We need to choose the expiry notification time. The default is 4 weeks before the client certificate expiration.
2. If the user certificate has an email address attribute, then an email will be sent to that address. If the user certificate does not have an email address attribute, then we can do one of the following:
a. Configure ClearPass to send email to a fixed email address, or
b. Configure username@domain format, if that forms a valid email-address within the domain.
c. Configure ClearPass to not send any message by choosing 'Do not send any message'.
The example screenshot shows ClearPass configured to send an email notification exactly 4 weeks prior to the certificate expiration to email@example.com, where username is the Onboard client certificate CN.
If you would like to add an email address attribute to the client certificate, please refer to the following article:
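The recipient rules in step 2 decide which devices can expire without anyone being told. The following Python script is an added example, not ClearPass code: it applies those rules to a constructed certificate inventory and lists the certificates inside the notification window that have no usable recipient. The option labels, record fields and email validity check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical labels for the three fallback choices listed in step 2.
FIXED, USER_AT_DOMAIN, NO_MESSAGE = "fixed", "username@domain", "none"
# Assumed validity check for the username@domain form (not ClearPass's own rule).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

@dataclass
class ClientCert:
    cn: str                 # certificate CN (the Onboard username)
    email: Optional[str]    # email address attribute, if the cert has one
    not_after: date         # expiry date

def recipient(cert, fallback, fixed_addr=None, domain=None):
    """Address a notification would go to, or None if nobody is told."""
    if cert.email:                       # an email attribute always wins
        return cert.email
    if fallback == FIXED:
        return fixed_addr
    if fallback == USER_AT_DOMAIN:
        addr = f"{cert.cn}@{domain}"
        return addr if EMAIL_RE.match(addr) else None  # CN may not form a mailbox
    return None                          # 'Do not send any message'

def audit(certs, today, fallback, lead=timedelta(weeks=4), **opts):
    """Split certs expiring within the lead time into (notified, silent)."""
    notified, silent = [], []
    for c in certs:
        if not (today <= c.not_after <= today + lead):
            continue                     # already expired or not yet in the window
        to = recipient(c, fallback, **opts)
        (notified if to else silent).append((c.cn, to))
    return notified, silent

# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
CERTS = [
    ClientCert("alice", "alice@example.com", date(2024, 6, 20)),
    ClientCert("bob", None, date(2024, 6, 25)),
    ClientCert("host/lab pc", None, date(2024, 6, 10)),  # CN is not a mailbox name
    ClientCert("carol", None, date(2025, 1, 1)),         # outside the 4-week window
]

if __name__ == "__main__":
    ok, quiet = audit(CERTS, TODAY, USER_AT_DOMAIN, domain="example.com")
    print("will be notified:", ok)
    print("will expire without notice:", quiet)
```

Certificates reported as silent are the ones whose users will lose access at expiry and end up at the helpdesk, so they are the cases to fix before relying on the notification.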
With the above configuration, the end user will receive an email as shown below:
When the user clicks on the 're-provision your device' hyperlink, they will be taken to the provisioning page to complete their device re-provisioning process.
1. In order for ClearPass to send an email message, an SMTP server must be configured. To configure an SMTP server, log in to ClearPass Policy Manager --> Administration » External Servers » Messaging Setup.
2. ClearPass will send expiry notification at around 3:00 AM while doing its nightly maintenance.