Security

Reply

Onboard Deployment Options

Hi community,

 

In ClearPass we have two options for Onboarding:

 

  • Single-SSID Onboarding: user connects their personal devices to the secure 802.1X SSID to do the onboarding, then connect back to the same SSID after onboarding.
  • Dual-SSID Onboarding: user connects their personal device to some provisioning SSID, typically an open SSID like a guest SSID. Next, they go through the onboarding process, and after onboarding, connect to the secure SSID using EAP-TLS.

We are going to use Onboard in my customer and we are interested on the single-SSID onboarding option, but I don't know if it will be possible for some reason. I mean, what do I have to consider to see if single-SSID is possible or otherwise I need to use dual-SSID?

 

Many thanks,

Julián

Guru Elite

Re: Onboard Deployment Options

Only dual SSID onboarding should ever be used. Using single puts users’ credentials at risk during the Onboard process.

Simply put a link on the bottom of your guest portal.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Onboard Deployment Options

Hi Tim,

 

Why single-SSID puts users’ credentials at risk during the Onboard process? In my customer people which is going to onboard the devices are corporate users.

 

Regards,

Julián

Guru Elite

Re: Onboard Deployment Options

You’re using legacy, known vulnerable protocols to initially connect. This should never be done.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Onboard Deployment Options

Ah ok, I understand. Taking into account that, is there anything else which restricts the single-SSID option for onboarding?

 

Regards,

Julián

Guru Elite

Re: Onboard Deployment Options

Nothing else can be taken into account since you should never use single. Please, don’t do it.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: