Occasional Contributor II

Onboard provisioning while using 802.1x GPO

I am in the midst of setting up Onboard for my wired 802.1x environment.

 

In order to enable 802.1x on Windows clients, I have deployed a GPO that turns on Wired AutoConfig and configures the 802.1x service to use EAP PEAP as authentication.

 

When trying to Onboard a client, the QuickConnect provisioner needs to change the 802.1x config to EAP TLS; however, due to the GPO, the 802.1x settings cannot be changed and QuickConnect fails to properly provision the client.

 

Has anyone else run into the same situation and what was your solution?

Were you able to still enable and configure 802.1x settings via GPO and somehow have QuickConnect provisioner update to EAP TLS when Onboarding?



All Replies
MVP Expert

Re: Onboard provisioning while using 802.1x GPO

You should consider removing the GPO and instead redirecting the device to the Onboarding Captive Portal page.

I would recommend using ADCS and Cert autoenrollment if you are planning on deploying certificates for Windows Domain devices.

Onboarding is meant to be used for BYOD.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Onboard provisioning while using 802.1x GPO

So I need the Windows workstations to have Wired Autoconfig service set to auto start, as by default it is a manual start service.

 

And I also need clients to have 802.1x configured for EAP-PEAP that will not be Onboarding.

 

Would I just be better off manually applying the 802.1x settings on the Windows client?

Moderator

Re: Onboard provisioning while using 802.1x GPO

Yes, the supplicant needs to be configured via your management platform.

 

CPPM Onboard Assisted Provisioning is not supported for managed devices.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Onboard provisioning while using 802.1x GPO

Thank you, that seems to put this in order for me.

 

At the current stage of our deployment, it's wired 802.1x for domain machines and MAC Auth for networked devices. We also plan on deploying OnGuard for 802.1x posture checks. Onboard doesn't seem to have any use in our intended setup based on what you've explained.
