Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Compare and contrast user cert vs machine+user certs

  • 1.  Compare and contrast user cert vs machine+user certs

    Posted Mar 16, 2015 08:54 AM

    We currently onboard all of our machines, both BYOD and corporate...as we lack a CA...and ClearPass was viewed as a cost-effective solution for us.

    As currently configured, we push user certs to machines. This hasn't been a huge problem yet...as most corporate machines aren't domain-joined. We're starting to expand into a region where computers are domain-joined and require a login script.

    I'm fairly confident that changing the onboarding provisioning to push machine and user certs will help with this.

    Are there any downsides to this? I don't want to flip that switch only to find a few weeks later that I've onboarded hundreds of machines and then have someone tell me "oh....doing that breaks XYZ...you dummy".




  • 2.  RE: Compare and contrast user cert vs machine+user certs

    EMPLOYEE
    Posted Mar 19, 2015 01:44 AM

    - When you use Onboard, keep the lifetime of the certificates in mind. If your certificates have a short expiration, you are going to be doing this all over again sooner than you intended and cause disruptions as a result. Have the certificates take as long to expire as your security policy will allow, to avoid this issue.

    - If they are domain machines, take the time to set up your own CA that is Active Directory integrated and start issuing EAP-TLS certificates using "autoenrollment" via Active Directory. Active Directory has the advantage that it will automatically renew EAP-TLS certificates. It is easier to deploy than onboarding, since certificate distribution is transparent and automatic. Onboarding is mainly for non-domain, unmanaged devices that you want to distribute individual credentials to.

    - If they are domain machines and you distribute certificates via Active Directory, only distribute machine certificates and set up your WLAN settings on domain machines to only use machine credentials (that certificate) to authenticate to the WLAN. Why? Because if you distribute machine and user certificates, then on machines that a user has never logged into they will have no connectivity, because they do not have a user certificate in their profile. You can sidestep the chicken-and-egg problem by only deploying machine certificates.

    - EAP-PEAP is much easier to deploy on domain machines than EAP-TLS, so you should probably try that first: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113




  • 3.  RE: Compare and contrast user cert vs machine+user certs

    Posted Mar 19, 2015 10:46 AM

    Thanks for the reply Colin.

    Unfortunately...I think we're stuck with onboarding. A few factors...

    1...our enterprise has a significant number of non-domain-joined devices

    2...even if we had a majority of domain-joined devices, our enterprise could not find a workable process to distribute certificates. The registration and use requirements were too hard and would make them unusable.

    3...security pushed strongly for EAP-TLS over EAP-PEAP...as they felt a certificate authority was coming too...but it turned out to only be machine certs...and very delayed.


    We do have a refresh of clients coming soon (12-18 months) and will most likely fix our domain-joined problem. I will probably see if we can get the new domain to send SCEP requests over to ClearPass...as we don't mind paying Aruba for the certs. Either that...or see if I can get them to relax on EAP-TLS and go to EAP-PEAP and do machine auth based on domain membership.


    My real problem is fostering non-cached logins and login scripts for those who have played nicely and have machines that are domain-joined. This is a new region for our global deployment...the first region with a large percentage of domain-joined machines...so we didn't catch that in our initial roll-out and thus need to make a change to our production system for subsequent onboards.


    I have a process to captive-portal those that are expiring in a few weeks, forcing them to reprovision, and then start emailing them in the last week telling them to delete profiles so they can re-onboard at a later date if they need to.




  • 4.  RE: Compare and contrast user cert vs machine+user certs
    Best Answer

    EMPLOYEE
    Posted Mar 19, 2015 11:03 AM

    1.  Onboard is designed for non-domain machines, and that is what you should stick with.

    2.  Distributing EAP-TLS certificates via group policy to domain computers is literally a zero-touch process.  The domain will even automatically renew certificates when they are expired with no user intervention.  There is no easier way to distribute certificates.

    3.  If you configure group policy to do certificate distribution, you will not need to do SCEP or configure ClearPass to distribute certificates on behalf of your domain; it would happen automatically. ClearPass can then authenticate EAP-TLS certs that have been distributed by your domain and by ClearPass at the same time. Don't get me wrong, there is nothing wrong with onboarding for non-domain machines. For domain machines, certificate distribution and renewal does not require any user interaction and scales much more easily than Onboard.


    For non-cached logins on domain machines, you could just distribute machine certificates via Active Directory and configure the WLAN to authenticate the machine only. That would eliminate the issue of the user needing an EAP-TLS certificate before login. The most secure networks use machine-only certificates and authentication to get the laptop on the network, but the user will still have to securely authenticate into the laptop via the domain. Even new users would get a login script on a machine that is secured via a machine certificate and user credentials.


    Non-domain machines will never get a login script....