Contributor I

OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

Hi Community!

 

Maybe just a dumb question, but I need some clarification on it and also opinions from those who were in the same situation. :-)

 

Why is ClearPass OnBoard better when it comes to managing device certificates compared to managing certificates through Mobile Iron or Google Admin Console?

 

We are thinking about authenticating iPads and Chromebooks using EAP-TLS through AD, but we need to know the benefits of investing in OnBoard licenses (which are quite expensive) when we (maybe) can do the same thing with Mobile Iron and Google Admin Console certificates.

 

So, a simple question - why should we choose ClearPass OnBoard?

 

We have about 6000 iPads and Chromebooks and those are corporate devices not BYOD.

 

Thanks!

Guru Elite

Re: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

Onboard itself is the certificate authority functionality of CPPM.

 

Onboard Assisted Provisioning is designed for unmanaged devices to provide a wizard-like enrollment process for getting a certificate and network profile on the device. Managed devices should automatically enroll as part of the management platform. The cert can come from an existing PKI or can be configured to issue from CPPM.

 

Onboard as a whole is licensed by user. So any user with an active certificate issued via CPPM (regardless of enrollment method), consumes an Onboard license. A user can have multiple certificates (devices) and it will only consume 1 license.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

Hi Tim,

 

Thanks for your reply but unfortunately I'm not sure that was an answer to my question. :-)

 

How should we persuade IT managers to invest in OnBoard if it takes one Onboard (user) license and then one Access license after successful login via EAP-TLS to production Wifi? We need to pay for two licenses, or?

 

If devices/users get their certs from MDM (connected to AD) then we need to pay only for the Access license in CPPM because we can already authenticate them via AD.

 

Just to make myself clear :-) - I want to use Onboard but I cannot find a way to motivate Onboard license costs. That's why I need all the facts about why we should invest in something which actually costs more (if I'm not wrong of course).

 

This should be a very simple question for HPE/Aruba to answer if Onboard has something that is crucial for certificate management that MDMs don't have.

 

Appreciate all input from the community, and I would like to know how current Aruba customers here in the community have handled this with iPads and Chromebooks.

 

Thanks again.

 

 

MVP Guru

Re: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

To elaborate on your question a bit:

- Active Directory performs (some) device management features for Windows devices, which can include the configuration of your wired and wireless to connect securely to the corporate network, and if you add the Microsoft AD Certificate Services (PKI) you can even enroll client certificates to your clients that can be used for EAP-TLS.

- MDM/EMM is a third party product that does similar things for non-Windows devices (and some for Windows devices as well), and many times it includes software/app management as well. Depending on the exact product, you can configure the wired/wireless authentication and install certificates for EAP-TLS authentication.

- If you don't want to take control over the end-user device, like in the case of BYOD, personal devices, or other situations, Onboard can be used to enroll the client devices for network access with a certificate.

 

The benefit of using AD/MDM/EMM on managed devices is that once the device is under management, the configuration and certificates can be pushed without any user interaction.

 

If you have a management tool that does not come with an integrated Certificate Authority to issue client certificates, you CAN use ClearPass Onboard to generate the certificate in which case you will need to have Onboard licenses. If your management pulls the certificates from its own CA, there is no need to use Onboard, just integrate with the existing CA to do TLS authentication which only takes Access Licenses.

 

I don't see how you would motivate Onboard if you have a managed environment, as Onboard is designed for unmanaged devices.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Guru Elite

Re: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

If you're already issuing certs from another source, then Onboard is not needed. It's not designed to replace another certificate issuance method or another PKI.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor I

Re: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

Hi Herman,

 

Well, everything seems to be much easier now after your explanation. 

Now I know exactly how to proceed further here. :-)

 

Thanks!

 
