Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User management on onboarded devices

  • 1.  User management on onboarded devices

    Posted Mar 31, 2015 06:00 PM

    Currently in the process of testing ClearPass onboarding.  We are successfully able to provision clients and they are functioning as expected.  Two questions...

     

    1)  Is it possible to allow the users to self manage the devices they have registered with the system?  For example, if I set the maximum devices to 2, and they already have two devices configured, do they have the ability to remove one of those devices themselves and provision the new one?  (i.e. I got a new iPhone 6, and I want to add it, but need to remove my 5s first)

    I notice under onboarding there is a self-service portal... which I believe requires a BYOD operator role to use, but the documentation is not clear what the URL is or how to use it.

     

    2)  Is it possible to have onboarding remove the certificates from the user device?  We have noticed that if we remove access, the user still has the certificates installed; they must manually remove the profiles on their device before they can join the network using their AD credentials to reprovision.  (We are single SSID, so we auth with AD first, then pass to captive portal to enroll.)  Any way around this?

    Thanks!

     

     



  • 2.  RE: User management on onboarded devices

    EMPLOYEE
    Posted Mar 31, 2015 06:02 PM
    1) Yes. If you assign the users the BYOD Operator role in CPG, they should be able to see their devices and delete them.

    2) I don't believe this is possible.


    Thanks,
    Tim


  • 3.  RE: User management on onboarded devices

    Posted Apr 01, 2015 04:51 PM

    I've been able to give the role BYOD Operator, but where does the user navigate to in order to manage their devices?  Is there a specific URL?

     



  • 4.  RE: User management on onboarded devices

    EMPLOYEE
    Posted Apr 01, 2015 04:55 PM

    /guest will bring them to the self-service portal after login.

     



  • 5.  RE: User management on onboarded devices

    Posted Apr 01, 2015 04:58 PM

    Yes, it then asks them for credentials, but upon login, doesn't show any devices.  It shows their role as MacTrac Operator. 

     

    I'm thinking about just starting from scratch.  Something isn't right.

     



  • 6.  RE: User management on onboarded devices

    EMPLOYEE
    Posted Apr 01, 2015 05:00 PM
    Can you confirm from your admin view that the usernames match exactly?


  • 7.  RE: User management on onboarded devices

    Posted Apr 02, 2015 11:03 AM

    They now have the correct role when logging into /guest. 

     

    If I give the maximum number of devices allowed as 2 (for example) and they want to add a third, is there a way to direct the user to /guest for them to manage the device (guest/mdps_portal.php) automatically?

     

    We really want to take much of the management out of IT's hands and automate the process to be seamless for the user.  If they have added too many devices, we really want them to be directed to removing their own old devices without confusion.



  • 8.  RE: User management on onboarded devices

    EMPLOYEE
    Posted Apr 01, 2015 05:00 PM
    You need to tweak your admin login service to put them in the BYOD Operator role.