Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clearpass Onboarding Clarification

  • 1.  Clearpass Onboarding Clarification

    Posted May 29, 2017 08:26 AM

    Hi All,

    I have some queries regarding Onboarding for which I need some help.

    1. If I am authenticating the clients using 802.1X, either from AD or from the ClearPass internal repository, then why do I need Onboarding? As I see it, we are putting an extra burden on the user to download the certificate after re-authentication. Or I can say this is an extra layer of security. Is that right?

    2. What will happen if the user resets his device and then wants to connect again? Will he follow the same onboarding procedure, or is there no need because he onboarded his device before?

    3. What is the big advantage of onboarding the device?



  • 2.  RE: Clearpass Onboarding Clarification
    Best Answer

    EMPLOYEE
    Posted May 29, 2017 09:56 AM

    Hi Waseem,

    If you onboard the device, users don't need to enter credentials every time (only during onboarding of the device does it prompt for credentials). It uses the EAP-TLS protocol and uses server and client certificates to authenticate.

    It is a very secure way of connecting devices to the network. During Onboarding, ClearPass pushes the device enrollment profile to all your devices, which contains the complete network information.

    Users will be able to connect to the network as long as the certificate is valid.

    Follow the articles below to Onboard a device:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/SIngle-SSID-Onboard-using-Aruba-Controller/ta-p/192371

    http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/296

    Regards,

    Pavan



  • 3.  RE: Clearpass Onboarding Clarification
    Best Answer

    EMPLOYEE
    Posted May 29, 2017 10:19 AM

    If the user resets his device, then he needs to go through the onboarding process again, since the reset will remove the onboard profile information.



  • 4.  RE: Clearpass Onboarding Clarification
    Best Answer

    Posted May 29, 2017 10:30 AM

    Good points mentioned already, so I'll just add a few things.

    1. Security.

    a) The AD username/password isn't stored locally on the device.

    b) The IT department often has to avoid locking an account due to a wrong password, since users often ignore the "enter password" prompt on their mobile devices, thus locking their accounts. With certificates the normal security process can be kept.

    c) Enforce certificate auth for devices that need that extra level of access. We see that tablets and bigger mobile devices require more access; with Onboard you can enforce some more device security (like a pincode) for this.

    It is for sure a burden on the user, but it's really not a big deal. We have customers with lots of IT-ignorant users who are still able to go through the onboarding process. Just involve some users in your user testing/documentation to ensure that you do it in a way your company can handle. When "beta" testing, adjust the default expiration and alerts to something low enough that they get the expiration warning, and see how that goes.

    2. The profile and certificate are stored locally on the device. After a wipe the user has to go through the Onboarding process again. Make sure your process is water-tight ;)

    3. Look at nr 1. If you don't have a problem with user/password security, the IT department getting clogged with password problems each month and such, then Onboard might not be for you.



  • 5.  RE: Clearpass Onboarding Clarification
    Best Answer

    EMPLOYEE
    Posted May 29, 2017 11:06 AM

    Legacy authentication methods like PEAPv0/EAP-MSCHAPv2 and EAP-TTLS have serious security implications when clients are not pre-configured for the network. In a BYOD environment, this is nearly every device.

    EAP-TLS is the only recommended secure authentication method. ClearPass Onboard provides the user-friendly workflow to issue the device a certificate and provides lifecycle management and role-based access controls.
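    To make concrete what "not pre-configured for the network" means in the reply above, here is an added example in wpa_supplicant syntax (not from this thread and not a ClearPass artifact): a password-based PEAP profile with no trust anchor beside the EAP-TLS profile an Onboard-style enrollment would provision. The SSID, identity, server name and file paths are constructed placeholders.

    ```ini
    # Weak: PEAP/MSCHAPv2 with no trust anchor configured.
    # The supplicant accepts any RADIUS server certificate, so a rogue
    # access point advertising the same SSID can harvest the MSCHAPv2
    # exchange, and the AD password itself is stored on the device.
    network={
        ssid="Corp-WiFi"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="waseem@example.com"
        password="ad-password-here"
        phase2="auth=MSCHAPV2"
        # no ca_cert and no domain_match: the server is never verified
    }

    # Hardened: what a certificate-based onboarding profile provisions.
    # Only the onboarding CA is trusted, the RADIUS server name is checked,
    # and the device authenticates with its own certificate, so there is
    # no reusable password on the device and nothing to lock out in AD.
    network={
        ssid="Corp-WiFi"
        key_mgmt=WPA-EAP
        eap=TLS
        identity="waseem@example.com"
        # constructed paths; the profile would install these files
        ca_cert="/etc/wpa_supplicant/onboard-ca.pem"
        domain_match="clearpass.example.com"
        client_cert="/etc/wpa_supplicant/device.pem"
        private_key="/etc/wpa_supplicant/device.key"
    }
    ```

    Adding ca_cert and domain_match to the PEAP block would close the rogue-server gap, but the password would still live on the device; the EAP-TLS profile removes it entirely, which is the lifecycle point the thread is making.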


  • 6.  RE: Clearpass Onboarding Clarification

    Posted May 29, 2017 01:56 PM

    Thanks Tim Cappalli, John Solberg and Pavan,

    Your replies were very helpful and I understand well. Simply put, I can say it is like we are pushing a profile to an iOS device for EAP-SIM, and whenever we enter the coverage zone we connect automatically.