
OnBoard device identity check



This is probably a silly question, but is there a security risk with OnBoard where a malicious user can extract a client certificate from an already provisioned device and upload it into their device to gain access? If so, what is the best way to guard against this?


Thank you



Re: OnBoard device identity check



In the default EAP-TLS authentication method the "Authorization Required" setting is enabled. This means that the client must also pass user credentials to successfully authenticate.





ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11


Re: OnBoard device identity check

Onboard certificates are marked as non-exportable so it would be very difficult to export the certificate.

You can layer on profiling conflict checks as well as potentially do a MAC check against the MAC address embedded in the cert. Remember that the certificate takes the place of only the password. You should leverage the authorization phase to look at other information about the device and user.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
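
The layered authorization checks suggested in the reply above (MAC embedded in the certificate versus the MAC presented on the network, plus a profiling conflict check), sketched as an added example that is not part of the original thread and is not ClearPass code. The request keys (`cert_mac`, `calling_station_id`, `enrolled_category`, `profiled_category`) and the sample values are assumptions constructed for illustration.

```python
import re


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts the usual separator styles (aa:bb:..., AA-BB-..., aabb.ccdd.eeff).
    """
    stripped = re.sub(r"[-:.\s]", "", value or "").lower()
    return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else None


def authorize(request):
    """Run after the certificate itself has validated (EAP-TLS succeeded).

    `request` is a dict with hypothetical keys:
      cert_mac            MAC written into the client certificate at enrollment
      calling_station_id  MAC the network device reports for this session
      enrolled_category   device category recorded when the cert was issued
      profiled_category   device category the profiler sees now (may be None)
    Returns (decision, reasons).
    """
    reasons = []

    cert_mac = normalize_mac(request.get("cert_mac"))
    seen_mac = normalize_mac(request.get("calling_station_id"))
    if cert_mac is None or seen_mac is None:
        reasons.append("mac-missing-or-malformed")  # fail closed
    elif cert_mac != seen_mac:
        reasons.append("cert-mac-mismatch")  # cert presented from another device

    enrolled = request.get("enrolled_category")
    profiled = request.get("profiled_category")
    if enrolled and profiled and enrolled != profiled:
        reasons.append("profile-conflict")  # device no longer looks like itself

    return ("deny" if reasons else "allow", reasons)


# Constructed sample requests (not real devices).
SAME_DEVICE = {"cert_mac": "AA:BB:CC:DD:EE:01", "calling_station_id": "aa-bb-cc-dd-ee-01",
               "enrolled_category": "Computer", "profiled_category": "Computer"}
MOVED_CERT = {"cert_mac": "AA:BB:CC:DD:EE:01", "calling_station_id": "aabb.ccdd.ee99",
              "enrolled_category": "Computer", "profiled_category": "SmartDevice"}

if __name__ == "__main__":
    for name, req in (("same device", SAME_DEVICE), ("moved cert", MOVED_CERT)):
        print(name, authorize(req))
```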