Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard Deployment Options

  • 1.  Onboard Deployment Options

    Posted Oct 17, 2018 10:46 AM

    Hi community,

     

    In ClearPass we have two options for Onboarding:

     

    • Single-SSID Onboarding: user connects their personal devices to the secure 802.1X SSID to do the onboarding, then connects back to the same SSID after onboarding.
    • Dual-SSID Onboarding: user connects their personal device to some provisioning SSID, typically an open SSID like a guest SSID. Next, they go through the onboarding process, and after onboarding, connect to the secure SSID using EAP-TLS.

    We are going to use Onboard at my customer and we are interested in the single-SSID onboarding option, but I don't know if it will be possible for some reason. I mean, what do I have to consider to see if single-SSID is possible or whether I need to use dual-SSID instead?

     

    Many thanks,

    Julián



  • 2.  RE: Onboard Deployment Options

    EMPLOYEE
    Posted Oct 17, 2018 10:48 AM
    Only dual SSID onboarding should ever be used. Using single puts users’ credentials at risk during the Onboard process.

    Simply put a link on the bottom of your guest portal.


  • 3.  RE: Onboard Deployment Options

    Posted Oct 17, 2018 10:54 AM

    Hi Tim,

     

    Why does single-SSID put users’ credentials at risk during the Onboard process? At my customer, the people who are going to onboard the devices are corporate users.

     

    Regards,

    Julián



  • 4.  RE: Onboard Deployment Options

    EMPLOYEE
    Posted Oct 17, 2018 10:56 AM
    You’re using legacy, known vulnerable protocols to initially connect. This should never be done.


  • 5.  RE: Onboard Deployment Options

    Posted Oct 17, 2018 10:59 AM

    Ah ok, I understand. Taking that into account, is there anything else that restricts the single-SSID option for onboarding?

     

    Regards,

    Julián



  • 6.  RE: Onboard Deployment Options

    EMPLOYEE
    Posted Oct 17, 2018 11:03 AM
    Nothing else can be taken into account since you should never use single. Please, don’t do it.