Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Remote Onboard w/ SCEP & MDM

  • 1.  Remote Onboard w/ SCEP & MDM

    Posted Mar 14, 2016 10:01 PM

    I'm interested in automatically onboarding iPads over the Internet after MDM enrollment.  We want these iPads to have automatic access to the corporate network when they're visiting and keep them from having to onboard manually.  I read Danny's tech article on SCEP MDM integration and understand that what I want is possible with SCEP & an MDM solution.  However, I have reservations about exposing Clearpass to the Internet in order for the remote device to hit the SCEP URL and download its cert.  What ports are even needed?  How do you secure access only to the SCEP service?


    If anyone has configured SCEP and allowed remote access, I'd be interested to know about your implementation and the security you implemented.



  • 2.  RE: Remote Onboard w/ SCEP & MDM

    Posted Mar 14, 2016 10:31 PM

    Jay,


    When I set this up and tested it I only NAT'd 443 through to my LAB from one of our PUBLIC IPs.


    In addition, beyond how you might add protection with your firewall/IPS for the traffic, I suggest you tie down and look to restrict access to CPPM using the Application ACL as shown in the picture.

    ClearPass_Policy_Manager_-_Aruba_Networks.png


    HTH.



  • 3.  RE: Remote Onboard w/ SCEP & MDM

    Posted Mar 14, 2016 10:51 PM
    Thanks Danny.

    If you block external access to all of the services listed in your screenshot, is SCEP still available, or is SCEP part of one of those services?

    Remote onboard may not be something I'm able to sell to myself or the company. Feeling a bit out of my comfort zone, unfortunately.


  • 4.  RE: Remote Onboard w/ SCEP & MDM

    Posted Mar 14, 2016 11:09 PM

    The SCEP enrollment is a part of OnBoard, but I was just pointing out that you may/might want to lock down some of the other CPPM apps. You can also add a PSK to the enrollment process as well as deny/allow based upon the source subnet...


    Certificate_Authority_Settings__DJJ_.png


    Could you utilize some open/PSK network that employees must connect to, and this is LOCKED-DOWN to just 443 traffic for the correctly profiled devices, and this becomes the source to grab their corporate certs they can then use for EAP-TLS?


    Or do you want them to just enroll and get their cert over 3G/4G/LTE... harder to know the SRC IP@ here I guess, but not impossible.
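As an added illustration of the layered controls discussed in this reply (only 443 exposed, allow/deny by source subnet, a PSK on the enrollment), here is a small Python model that evaluates constructed enrollment attempts against those controls and emits audit lines. It is not ClearPass's own logic or code from this thread; the subnets, PSK and attempt values are constructed placeholders.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed configuration modelling the controls discussed in the thread:
# only TCP/443 is forwarded, enrollment is limited to known source subnets,
# and the enrollment carries a shared challenge password (PSK).
ALLOWED_PORT = 443
ALLOWED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24"),   # constructed: corporate egress
                   ipaddress.ip_network("198.51.100.0/24")]  # constructed: MDM vendor egress
ENROLLMENT_PSK = "constructed-example-psk"                   # constructed placeholder


@dataclass
class EnrollmentAttempt:
    src_ip: str
    dst_port: int
    challenge: str


def evaluate(attempt: EnrollmentAttempt) -> tuple[bool, str]:
    """Return (allowed, reason). Every control must pass; the first failure is reported."""
    if attempt.dst_port != ALLOWED_PORT:
        return False, f"port {attempt.dst_port} not exposed"
    src = ipaddress.ip_address(attempt.src_ip)
    if not any(src in net for net in ALLOWED_SUBNETS):
        return False, f"source {src} outside allowed subnets"
    # Constant-time comparison so the PSK check does not leak timing information.
    if not hmac.compare_digest(attempt.challenge.encode(), ENROLLMENT_PSK.encode()):
        return False, "bad enrollment challenge"
    return True, "ok"


def audit(attempts):
    """Produce log-style lines a SOC could alert on; denied attempts are the interesting ones."""
    lines = []
    for a in attempts:
        ok, why = evaluate(a)
        lines.append(f"{'ALLOW' if ok else 'DENY '} src={a.src_ip} dport={a.dst_port} reason={why}")
    return lines


if __name__ == "__main__":
    samples = [  # constructed sample attempts
        EnrollmentAttempt("203.0.113.10", 443, "constructed-example-psk"),
        EnrollmentAttempt("192.0.2.50", 443, "constructed-example-psk"),
        EnrollmentAttempt("203.0.113.10", 80, "constructed-example-psk"),
        EnrollmentAttempt("198.51.100.7", 443, "wrong"),
    ]
    print("\n".join(audit(samples)))
```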



  • 5.  RE: Remote Onboard w/ SCEP & MDM

    Posted Mar 15, 2016 10:37 PM

    We have a guest SSID that also serves as an onboarding SSID.  It could be used as you described; we'll probably do this anyway so that employees no longer have to manually onboard.  However, we still have hundreds of iPads in the field that we'd like to onboard remotely as a means of generating a user cert on the iPad that can be used for VPN.  We may just need to come up with another solution to get a cert on the devices as I'm just not very comfortable with remote SCEP now that I understand how it works.