All-Decade MVP 2020

Onboard Use only the certificate for authentication

Hi,

I have configured the authentication for internal clients with Active Directory credentials.

My customer has a policy to change user passwords every 3 months.

For Windows PCs there isn't an issue, but for mobile devices there is.

The mobile devices store the old credentials, and their connection attempts cause the account to lock.

So the idea is to use a certificate for the authentication of the devices.

Can you help me to understand how I can do it?

With Onboard? In this case, are the Active Directory credentials needed?

With an external CA?

Thanks in advance

Andrea

Accepted Solutions
MVP Expert

Re: Onboard Use only the certificate for authentication

You can use ClearPass Onboarding, and CPPM will act as the CA to hand out a unique cert to each client.

During the onboarding process, each device will install the necessary certs to do EAP-TLS authentication.

This is the way you could have it:

- Use your existing 802.1X PEAP authentication / ClearPass service to redirect devices (SmartDevices) to do the onboarding process.

- Once the device has completed the onboarding process, it will reauth, but this time it will be using EAP-TLS.

Here's the ASE solution for a single SSID:

https://ase.arubanetworks.com/solution/id/34

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA



All Replies
Moderator

Re: Onboard Use only the certificate for authentication

For mobile devices, you should look at using Onboard, as it's the quickest, most user-friendly way for end users.


Thanks, 
Tim


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

All-Decade MVP 2020

Re: Onboard Use only the certificate for authentication

Thanks =)


@victorfabian wrote:

You can use ClearPass Onboarding, and CPPM will act as the CA to hand out a unique cert to each client.

During the onboarding process, each device will install the necessary certs to do EAP-TLS authentication.

This is the way you could have it:

- Use your existing 802.1X PEAP authentication / ClearPass service to redirect devices (SmartDevices) to do the onboarding process.

- Once the device has completed the onboarding process, it will reauth, but this time it will be using EAP-TLS.

Here's the ASE solution for a single SSID:

https://ase.arubanetworks.com/solution/id/34


 

Andrea