Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

  • 1.  OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

    Posted Sep 08, 2019 03:02 PM

    Hi Community!

    Maybe just a dumb question, but I need some clarification on it and also opinions from those who have been in the same situation. :-)

    Why is ClearPass OnBoard better when it comes to managing device certificates compared to managing certificates through Mobile Iron or Google Admin Console?

    We are thinking about authenticating iPads and Chromebooks using EAP-TLS through AD, but we need to know the benefits of investing in OnBoard licenses (which are quite expensive) when we (maybe) can do the same thing with Mobile Iron and Google Admin Console certificates.

    So, a simple question - why should we choose ClearPass OnBoard?

    We have about 6000 iPads and Chromebooks and those are corporate devices, not BYOD.

    Thanks!



  • 2.  RE: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

    EMPLOYEE
    Posted Sep 08, 2019 03:11 PM

    Onboard itself is the certificate authority functionality of CPPM.

    Onboard Assisted Provisioning is designed for unmanaged devices to provide a wizard-like enrollment process for getting a certificate and network profile on the device. Managed devices should automatically enroll as part of the management platform. The cert can come from an existing PKI or can be configured to issue from CPPM.

    Onboard as a whole is licensed by user. So any user with an active certificate issued via CPPM (regardless of enrollment method) consumes an Onboard license. A user can have multiple certificates (devices) and it will only consume 1 license.



  • 3.  RE: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

    Posted Sep 09, 2019 02:17 AM

    Hi Tim,

    Thanks for your reply, but unfortunately I'm not sure that was an answer to my question. :-)

    How should we persuade IT managers to invest in OnBoard if it takes one Onboard (user) license and then one Access license after a successful login via EAP-TLS to the production WiFi? We need to pay for two licenses, right?

    If devices/users get their certs from the MDM (connected to AD), then we need to pay only for the Access license in CPPM because we can already authenticate them via AD.

    Just to make myself clear :-) - I want to use Onboard, but I cannot find a way to motivate the Onboard license costs. That's why I need all the facts about why we should invest in something which actually costs more (if I'm not wrong, of course).

    This should be a very simple question for HPE/Aruba to answer if Onboard has something that is crucial for certificate management that MDMs don't have.

    I appreciate all input from the community, and I would like to know how current Aruba customers here in the community have handled this with iPads and Chromebooks.

    Thanks again.



  • 4.  RE: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates
    Best Answer

    EMPLOYEE
    Posted Sep 09, 2019 09:42 AM

    To elaborate on your question a bit:

    - Active Directory performs (some) device management features for Windows devices, which can include the configuration of your wired and wireless to connect securely to the corporate network, and if you add the Microsoft AD Certificate Services (PKI) you can even enroll client certificates to your clients that can be used for EAP-TLS.

    - MDM/EMM is a third party product that does similar things for non-Windows devices (and some for Windows devices as well), and many times it includes software/app management as well. Depending on the exact product, you can configure the wired/wireless authentication and install certificates for EAP-TLS authentication.

    - If you don't want to take control over the end-user device, like in the case of BYOD, personal devices, or other situations, Onboard can be used to enroll the client devices for network access with a certificate.

    The benefit of using AD/MDM/EMM on managed devices is that once the device is under management, the configuration and certificates can be pushed without any user interaction.

    If you have a management tool that does not come with an integrated Certificate Authority to issue client certificates, you CAN use ClearPass Onboard to generate the certificate, in which case you will need to have Onboard licenses. If your management pulls the certificates from its own CA, there is no need to use Onboard; just integrate with the existing CA to do TLS authentication, which only takes Access Licenses.

    I don't see how you would motivate Onboard if you have a managed environment, as Onboard is designed for unmanaged devices.
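    As an added example (not from the thread or from HPE Aruba), this shell script models the "existing CA" path described in the answer above: a constructed CA stands in for the MDM's or AD CS's CA, and the check the NAC performs on an EAP-TLS client certificate (chains to a trusted CA, usable for client authentication) is reproduced with openssl verify. All CA and device names are made up, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): models the "existing PKI" path.
# A constructed CA stands in for the MDM/AD CS CA that issues device certs;
# the NAC only needs that CA in its trust list, no Onboard CA involved.
# All names are constructed; requires the openssl CLI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed root CA standing in for the management platform's CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Example MDM Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert <name> <subject-CN> <extendedKeyUsage>: leaf cert signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 2. What an MDM would push to a managed iPad: device identity + clientAuth EKU.
issue_cert ipad "ipad-0001.example.com" clientAuth
# 3. Wrong-purpose cert from the same CA (serverAuth only): must not pass EAP-TLS.
issue_cert web "web-0001.example.com" serverAuth
# 4. Cert from a CA that is not in the NAC's trust list.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# eap_tls_check <cert> <trusted-ca-file>: returns 0 if the cert chains to a
# trusted CA and is usable for TLS client authentication, non-zero otherwise.
# This mirrors the validation a NAC does on the supplicant cert in EAP-TLS.
eap_tls_check() {
  openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
}

eap_tls_check "$WORK/ipad.crt"  "$WORK/ca.crt" && echo "ipad.crt:  accept"
eap_tls_check "$WORK/web.crt"   "$WORK/ca.crt" || echo "web.crt:   reject (no clientAuth)"
eap_tls_check "$WORK/other.crt" "$WORK/ca.crt" || echo "other.crt: reject (untrusted issuer)"
```

    The only thing ClearPass needs from this setup is the CA certificate in its trust list; the device certificates themselves never touch Onboard.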



  • 5.  RE: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

    Posted Sep 10, 2019 02:33 AM

    Hi Herman,

    Well, everything seems to be much easier now after your explanation.

    Now I know exactly how to proceed further here. :-)

    Thanks!



  • 6.  RE: OnBoard issued certificates vs Mobile Iron and Google Admin Console certificates

    EMPLOYEE
    Posted Sep 09, 2019 09:48 AM

    If you're already issuing certs from another source, then Onboard is not needed. It's not designed to replace another certificate issuance method or another PKI.