Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard provisioning device with 02 SSID

  • 1.  Onboard provisioning device with 02 SSID

    Posted Mar 06, 2013 09:36 AM

    Hi,

     

    I am trying to make a design for BYOD devices with two SSIDs: one open SSID for provisioning devices (with access only to a captive portal) and another SSID with EAP/MSCHAPv2 for provisioned devices. The users authenticate over the captive portal with their Active Directory credentials and must have a unique credential to access the 2nd SSID. The user must not know the credential used for the second SSID. Is it possible with this design? Authentication through the captive portal works with user credentials from AD. I don't know how to generate a unique credential to be provisioned for the second SSID.



  • 2.  RE: Onboard provisioning device with 02 SSID

    Posted Mar 06, 2013 09:51 AM

    Can you please specify what you want to achieve with this setup?



  • 3.  RE: Onboard provisioning device with 02 SSID

    Posted Mar 06, 2013 02:07 PM

    I believe that is exactly what ClearPass Onboard will do for you: after you have been authorized, it will create credentials for the other SSID if you configure it like that.



  • 4.  RE: Onboard provisioning device with 02 SSID

    Posted Mar 06, 2013 02:25 PM

    Yes, you can configure a wireless network with Onboard. If you provision the client for a WPA2-Enterprise SSID, it will create a unique device credential (it contains MAC address, OS version, IMEI number, etc.) for the user, and that will be used in the authentication process. There is a CA server on the ClearPass which will issue this unique device certificate for the user. You can configure this network to only allow connections from the onboarded devices or put them into different roles, disable certain devices (revoke the certificate or do it manually), etc.