New Contributor

Need advice with Onboarding BYOD & Corporate Managed Mobile devices


I have a new Aruba CPPM that is not yet in production and need advice on a deployment strategy.


I currently have the OnBoard process working properly using EAP-TLS device certificates (using the ClearPass as the CA). Any device that has been enrolled and connects to our "onboarded" SSID is getting placed on our guest network by default for internet only access. However, I would like the ability to perform a COA on certain devices and place them on a network with more privileges. I don't want to do this on a per-user basis because a user might have a personal iPhone that gets placed on our guest network but a corporate owned iPad that gets placed on our inside network. Is there a good way to do this using the Onboard process? Or will we have to do some kind of manual TLS certificates/manual profile install that has some attribute that we can filter for in CPPM?


Any suggestions or ideas you have would be great!

Guru Elite

Re: Need advice with Onboarding BYOD

We need more information.

How are the corporate devices managed?
Are byod devices enrolled in an MDM?
Do you have a corporate asset database?

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Need advice with Onboarding BYOD

We don't have any MDM management on these devices or a corporate asset database. The company has bought a lot of these devices but has failed to do any kind of planning on how they were going to manage them. The best we have is "Good Messaging" but I don't think any of its MDM features have been turned on. I know that a lot of the personal devices have Good Messaging installed as well. What I don't know for sure is if the Good Messaging admins keep track of the device ownership. I'll have to check.
Super Contributor I

Re: Need advice with Onboarding BYOD

Hi parentch,


Another thing you could do is to create a couple of different OnBoard profiles with an additional ClearPass CA. You could have all BYOD devices go to the "standard" OnBoard page / process. You could send the URL of another OnBoard page / process to clients that require elevated privileges. It would work something like the following:


1. A normal OnBoard device will connect with EAP-TLS

2. Based on the standard CA, it will be given the current BYOD role

3. A special BYOD device will connect with EAP-TLS

4. Based on the special CA, it will be given an elevated role


You could further lock down the above to only allow a certain LDAP Group access to go through the process of the special OnBoarding page.


Just a thought off the top of my head.
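To make the two-CA idea above concrete, here is an added Go example (not from this post and not ClearPass code) that stands up a "standard" and an "elevated" root, issues an EAP-TLS device certificate from each, and maps a presented certificate to a role by verifying which CA key actually signed it. The CA names, role names and the `issue`/`RoleForCert` helpers are assumptions made for the illustration; in CPPM the equivalent is an enforcement policy keyed on the issuing CA of the validated certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate: a self-signed CA when isCA is true (a stand-in for
// a ClearPass OnBoard CA), otherwise an EAP-TLS device cert signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // root: cert-signing key usage, no EKU restriction, signs itself
		tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, parentKey = x509.KeyUsageCertSign, nil, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RoleForCert is the role decision from the reply above: the elevated role only
// when the chain verifies to the elevated CA's key, the BYOD role for the standard
// CA, otherwise deny. A matching issuer name is not enough; the signature must check.
func RoleForCert(cert, standardCA, elevatedCA *x509.Certificate) string {
	chainsTo := func(root *x509.Certificate) bool {
		pool := x509.NewCertPool()
		pool.AddCert(root)
		_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err == nil
	}
	switch {
	case chainsTo(elevatedCA):
		return "Corporate-Inside"
	case chainsTo(standardCA):
		return "BYOD-Guest"
	}
	return "Deny"
}
```

Because the decision rests on chain verification rather than the issuer string, a certificate that merely carries the elevated CA's name but was signed by some other key falls through to "Deny".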


