Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass without OnGuard License for IAP

  • 1.  ClearPass without OnGuard License for IAP

    Posted Nov 20, 2019 09:05 PM

    Hi Experts,

     

    May I seek your expert opinion on the ClearPass feature below? Do I require an OnGuard license to achieve that? This is for the wireless onboarding process.

     

    The 1st part, which I call the pre-logon process: Aruba WiFi will check whether the client laptop has already joined the Microsoft AD domain. If yes, allow it to access the Domain Controller. If not, disconnect it.

     

    The 2nd part: when the user logs in to Windows with his AD account, Aruba WiFi will also verify with the Domain Controller whether the login credential is correct. If it is correct, it will give full network access to the client. If not, it keeps allowing access only to the Domain Controller.



  • 2.  RE: ClearPass without OnGuard License for IAP

    EMPLOYEE
    Posted Nov 21, 2019 03:59 AM

    OnGuard will do endpoint posture checking, like if anti-virus/firewall/patches are installed, running and up-to-date. For the functionality mentioned, I don't see such features used, so I don't think you will need OnGuard in this scenario.



  • 3.  RE: ClearPass without OnGuard License for IAP

    Posted Nov 21, 2019 11:21 AM

    Thanks Herman. However, based on my scenario in the 1st part, do you have any idea if ClearPass can achieve that with the defined policy before login to Windows?



  • 4.  RE: ClearPass without OnGuard License for IAP

    EMPLOYEE
    Posted Nov 25, 2019 04:35 AM

    Sure, that is a configuration of the Windows Supplicant. Under Advanced settings you can select the 'authentication mode':

    Computer Authentication: always use the computer account, this works before and after logon.

    User or Computer: use computer authentication pre-logon and switch to user authentication after logon.

    User Authentication: only authenticate after the logon.

     

    These settings can be controlled via group policies in larger networks.
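
An added example, not part of the thread or of any HPE Aruba tooling: the modes listed in the reply above correspond to the `authMode` element of a Windows WLAN profile, so a profile exported with `netsh wlan export profile` can be checked for the mode a laptop actually uses. The profile XML, SSID names and function names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "onex": "http://www.microsoft.com/networking/OneX/v1"}

# authMode value -> (supplicant label, 802.1X before logon, 802.1X as the user after logon)
MODES = {
    "machine": ("Computer authentication", True, False),
    "machineOrUser": ("User or computer authentication", True, True),
    "user": ("User authentication", False, True),
    "guest": ("Guest authentication", False, False),
}

def audit_profile(xml_text):
    """Report which credentials an exported WLAN profile presents, and when."""
    root = ET.fromstring(xml_text)
    result = {"profile": root.findtext("wlan:name", "?", NS), "dot1x": False,
              "mode": None, "label": None, "pre_logon": False, "user_after_logon": False}
    use_onex = root.findtext(".//wlan:useOneX", "false", NS).strip().lower()
    if use_onex != "true":
        return result                       # PSK/open profile: no 802.1X at all
    result["dot1x"] = True
    mode = (root.findtext(".//onex:OneX/onex:authMode", "", NS) or "").strip()
    result["mode"] = mode or "unspecified"  # element is optional in the schema
    if mode in MODES:
        result["label"], result["pre_logon"], result["user_after_logon"] = MODES[mode]
    return result

def fits_two_stage_onboarding(result):
    """True only for the flow in post 1: machine auth pre-logon, user auth after."""
    return result["pre_logon"] and result["user_after_logon"]

# Constructed sample profile, trimmed to the elements this check reads.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">{onex}</OneX>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for name, onex in [("CORP-A", "<authMode>machineOrUser</authMode>"),
                       ("CORP-B", "<authMode>user</authMode>"), ("CORP-C", "")]:
        r = audit_profile(TEMPLATE.format(name=name, onex=onex))
        print(r["profile"], r["mode"], r["label"], fits_two_stage_onboarding(r))
```

A profile reported as `user` never authenticates before logon, so the pre-logon access to the Domain Controller described in post 1 would not happen on that laptop.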



  • 5.  RE: ClearPass without OnGuard License for IAP

    Posted Dec 02, 2019 04:06 AM

    Thanks. You provide very good hints to me.