Community Home > Discuss > Technology > Security > Re: Secure onboard byod provisioning

Security

Reply
john smith
Occasional Contributor II
john smith

Secure onboard byod provisioning

‎12-12-2017 06:01 AM

Hi all,

I have a case with secure provisioning method using clearpass.

My client worried with the provisioning method where we still need to enter ad credential in order to get the tls certificate from clearpass.

The case is there is a possibility where we connected to the rogue ap ssid and the attacker can get out ad credential.

As i know clearpass onboard can only integrate with few mfa solution like duo and kasada, and that kind of mfa solution is not acceptable since its not the popular mfa provider

Is there any best practice for secure byod provisioning using clearpass onboarding?
Alert a Moderator
Message 1 of 11
1,309 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Secure onboard byod provisioning

‎12-12-2017 06:06 AM

You should always use dual SSID Onboarding and integrate with your existing unified login workflow (SSO).


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 2 of 11
1,304 Views
Reply
0 Kudos
john smith
Occasional Contributor II
john smith

Re: Secure onboard byod provisioning

‎12-12-2017 06:33 AM

Hi tim

If we use dual ssid, lets say im using the existing open guest ssid for onboarding process. Dont we still need to fill ad credential to be able to download the quickconneft?
Alert a Moderator
Message 3 of 11
1,271 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Secure onboard byod provisioning

‎12-12-2017 06:37 AM

Of course. How else would you validate the user? You should leverage your existing single sign on workflows for this.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 4 of 11
1,264 Views
Reply
0 Kudos
john smith
Occasional Contributor II
john smith

Re: Secure onboard byod provisioning

‎12-12-2017 07:20 AM

like i said, there is the possibility that the user connected to a rogue AP and provide them the AD credential. for integration with existing SSO, any link related to this?

 

i am thinking about another workflow for secure onboard provisioning:

 

let say the user first complete guest registration like any other guests do. After that they will sign in using the credential sent to their email.

 

After this, Clearpass will use two different workflow for guest and BYOD by checking the email domain entered in the guest registration. If the domain is the user corporate domain, letsay xyz.com, then clearpass will redirect the user to onboarding portal, otherwise they will automatically get internet access. This will ensure the user to fill AD credential on onboarding portal to the correct corporate WLAN

 

can we do this?

Alert a Moderator
Message 5 of 11
1,252 Views
Reply
0 Kudos
Highlighted
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Secure onboard byod provisioning

‎12-12-2017 07:35 AM

How are you preventing these concerns for ANY other web-based login in your environment?

 

The recommended Onboard flow is:

  1. User connects to your guest network
  2. User clicks the Onboard button
  3. User is taken to your SSO / unified login portal (which should be using an EV certificate for ease of verification)
  4. User logs in and is challenged to an MFA
  5. User performs MFA task and is redirected back to the Onboard portal to be issued their certificate.

 

I'm not really following how your proposed workflow works / solves anything.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 6 of 11
1,238 Views
Reply
0 Kudos
john smith
Occasional Contributor II
john smith

Re: Secure onboard byod provisioning

‎12-12-2017 07:47 AM - edited ‎12-12-2017 07:53 AM

Hi tim 

 

The recommended Onboard flow is:

  1. User connects to your guest network
  2. User clicks the Onboard button
  3. User is taken to your SSO / unified login portal (which should be using an EV certificate for ease of verification)
  4. User logs in and is challenged to an MFA
  5. User performs MFA task and is redirected back to the Onboard portal to be issued their certificate.

Thank you!, i will check with the user with this SSO integration possibility

 

 

 

 

Alert a Moderator
Message 7 of 11
1,233 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Secure onboard byod provisioning

‎12-12-2017 07:51 AM

But how do they get the guest credential? What's to stop a guest from getting an account?


Doesn't make any sense. Please use the recommended workflow.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 8 of 11
1,229 Views
Reply
0 Kudos
john smith
Occasional Contributor II
john smith

Re: Secure onboard byod provisioning

‎12-12-2017 08:24 AM

Hi tim

 

But how do they get the guest credential? What's to stop a guest from getting an account?

 

By using sponsor approval? 

we can set the all guest (including BYOD user) to fill their PIC for sponsol approval and limited to the corporate xyz.com email domain. For BYOD case, they can fill their own corporate email as their sponsor and approve it by themself, then they will get the credential sent to their email. If they enter their corporate email for their identity in the guest registration, they will be redirected to onboard, otherwise they will only get ordinary guest rule which is internet access only and not being redirected to onboarding.

 

 

Alert a Moderator
Message 9 of 11
1,205 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Secure onboard byod provisioning

‎12-12-2017 08:29 AM

I guess, but then you're going to have guest user accounts for all your employees. Seems very counter intuitive.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 10 of 11
1,204 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Related Software Downloads

  • No downloads to show

View All

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium