Frequent Contributor II

Onboard wired devices

Hi,

I'm having difficulty coming up with a solution for onboarding wired devices (mostly Windows 10 hosts). One of the common ways is to first authenticate them with PEAP, and then let ClearPass return the URL for the switch to redirect users to the onboard page. But my environment uses Azure AD and we don't want to join ClearPass to this AD, which makes PEAP-MSCHAPv2 impossible.

So, is there any other way to automatically redirect wired devices to the onboard page, and after they've been provisioned, let them authenticate with EAP-TLS?

Any ideas are greatly appreciated.

Regards,

Frequent Contributor I

Re: Onboard wired devices

Hi,

As you have mentioned, you don't want to join CP to Azure AD, so you really are limiting your options, as you still need a way to authenticate the devices prior to onboarding.

An option could be wired enforcement with a captive portal, then use SAML SSO to authenticate the user to ADFS (or another SAML provider).

ACCX#1050 ACMP CWDP CWSP
Frequent Contributor II

Re: Onboard wired devices

Hi Matthew,

I'm using an ArubaOS switch, and I see that it has the option to specify multiple authentication methods on the port (802.1X, MAC auth, captive portal). But if we set 802.1X first and then captive portal, the users would have to fail 802.1X before being able to fall back to the captive portal, which is not very good in terms of user experience. And if we set captive portal first, they might be redirected every time the port comes up, and not be able to authenticate by EAP-TLS.

That's what I understand about the ArubaOS switch's behavior, and I'm afraid it may not work that way. Am I missing something?

 

Regards,

Frequent Contributor I

Re: Onboard wired devices

Yes, the user would fail auth, but as you are not wanting to join AD, your options are very limited.

ACCX#1050 ACMP CWDP CWSP

Re: Onboard wired devices

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: Onboard wired devices

Simply set up a wired captive portal workflow to take the user through the process.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: Onboard wired devices

Hi Tim,

I think for that to work we need to configure both 802.1X and captive portal on the switch port, with captive portal as the fallback. And the user would have to fail 802.1X first before the captive portal and the onboard process are applied. Correct?

Guru Elite

Re: Onboard wired devices

Yes. Please look at the ClearPass Solution Guide for Wired Policy Enforcement.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
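For anyone implementing the workflow Tim points to, here is an illustrative ArubaOS-Switch port configuration for the ordering discussed in this thread: 802.1X is attempted first so provisioned EAP-TLS clients never see a redirect, and MAC auth is the fallback that sends an unknown endpoint to ClearPass, which then returns a user role carrying the captive-portal redirect to the onboard page. This is an added example, not code from any poster or from the Solution Guide; the ClearPass address, RADIUS key, port range and server-group name are placeholders, and exact command syntax differs between ArubaOS-Switch firmware releases, so check each line against the Wired Policy Enforcement guide for your version before using it.

```text
! ClearPass as the RADIUS server (placeholder address and key).
! dyn-authorization allows ClearPass to send a CoA once the device is onboarded.
radius-server host 192.0.2.10 key "PLACEHOLDER-SECRET" dyn-authorization
aaa server-group radius "clearpass" host 192.0.2.10

! Both authentication methods are sent to ClearPass.
aaa authentication port-access eap-radius server-group "clearpass"
aaa authentication mac-based chap-radius server-group "clearpass"

! Let ClearPass assign the user role; the onboarding role is where the
! captive-portal redirect URL lives, so provisioned EAP-TLS clients that
! receive a normal role are never redirected.
aaa authorization user-role enable
aaa authentication captive-portal enable

! Ports 1-24 (placeholder range): run 802.1X and MAC auth, try 802.1X first,
! fall back to MAC auth for hosts that have no supplicant config yet.
aaa port-access authenticator 1-24
aaa port-access mac-based 1-24
aaa port-access 1-24 auth-order authenticator mac-based
aaa port-access 1-24 auth-priority authenticator mac-based
aaa port-access authenticator active
```

On the ClearPass side the MAC-auth service for unknown endpoints returns the onboarding role (with the redirect URL), and the EAP-TLS service returns the production role; the fallback delay the original poster worries about is the time an unconfigured supplicant takes to give up on 802.1X before MAC auth runs, which is the trade-off the earlier replies describe.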