Possible to write a "role" to the Onboard Cert during provisioning?
07-22-2020 07:11 AM
Does anyone know if it is possible to write an attribute to the Onboard cert *during provisioning*?
We currently have it set up to use the "custom field" on the Onboard Web Login page. That field has an initial value set, and is hidden from the user. This value gets written to the cert and we can check for it in our EAP-TLS enforcement policy. This is working just fine.
What I would like to do (without having to create multiple Onboard Web Login pages with a different value set for that field, or providing the user the option to select the value for that custom field) is to write to that field during the Onboard process (either in the Web Login Application Service, or during the Onboard Authorization service).
The user logs into the Onboard Web Login page using a Guest User account. That Guest account has a Role ID assigned (let's say 100, 200, or 300) when the account gets created.
I'd like to be able to check for that value, and write it to the cert in that "OnboardCustomField" value.
This would allow us to respond with a different aruba-user-role based on the value in that field. Meaning we could provide role-based access for Onboarded devices without relying on AD-authz role mapping.
Thanks in advance!
Re: Possible to write a "role" to the Onboard Cert during provisioning?
07-22-2020 10:53 AM
and to add:
Initially I considered using the endpoint DB and writing/looking for an attribute there. Unfortunately, when the device disconnects from the guest SSID after Onboarding to connect to the EAP-TLS SSID, it is seen as a new device (MAC randomization, Android 10 (and soon to be on iOS apparently)), so there are no endpoint attributes.