Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wifi authentication problem: with android and windows 7 clients

  • 1.  Wifi authentication problem: with android and windows 7 clients

    Posted Feb 10, 2019 11:03 PM

    I have deployed Aruba Instant + ClearPass Policy Manager in our environment. ClearPass Policy Manager has been configured with a RADIUS service and integrated with the existing Windows AD. The clients authenticate with their AD account every time they connect to the Wi-Fi network.

    I found that on iOS devices, the client can connect to Wi-Fi by just entering their AD credentials. But for Android and Windows 7 clients, I need to create a Wi-Fi profile manually on their devices, specifying the auth method (e.g. EAP-PEAP) and no CA validation. Is there any configuration available on Aruba Instant or ClearPass that I can change so that I can avoid creating a Wi-Fi profile on Android and Windows 7 clients, and connect to the Wi-Fi network directly just like an iOS device does? Thanks.



  • 2.  RE: Wifi authentication problem: with android and windows 7 clients

    EMPLOYEE
    Posted Feb 10, 2019 11:10 PM
    You should deploy ClearPass Onboard.


  • 3.  RE: Wifi authentication problem: with android and windows 7 clients

    Posted Feb 11, 2019 01:08 AM

    Hi Tim,

    Thanks very much for your reply. As far as I know, ClearPass Onboard provides the same web portal login for clients, which guides them to connect to the Wi-Fi network, no matter what type of device they are using. However, our environment must allow users to connect to Wi-Fi by just entering their AD credentials, with no other options and no web portal login involved. May I confirm that deploying ClearPass Onboard can handle our situation? Thanks.



  • 4.  RE: Wifi authentication problem: with android and windows 7 clients

    EMPLOYEE
    Posted Feb 13, 2019 07:28 AM

    No, it doesn't, and it is a bad idea to use AD credentials (PEAP-MSCHAPv2) in such a situation, as the MSCHAPv2 protocol is cracked. Onboard deploys a device-unique certificate to overcome that issue.

    To understand why client configuration takes so much effort, check this post for some more background.



  • 5.  RE: Wifi authentication problem: with android and windows 7 clients

    EMPLOYEE
    Posted Feb 13, 2019 12:17 PM
    So it sounds like the security of your users' credentials is not important to your organization?


  • 6.  RE: Wifi authentication problem: with android and windows 7 clients

    Posted Feb 15, 2019 08:26 AM

    @timcappalli First off, go Pats. Fellow Bostonian here, at a company you would be familiar with.

    I don't want to derail this thread, but we recently hired a consultant for our CPPM deployment in support of our wireless initiative. We were directed to go with EAP-PEAP as opposed to EAP-TLS because the organization was not in a position to manage a PKI. I'm now concerned because we would be using MSCHAPv2, authenticating our users via AD. Is the Onboard feature a PKI solution?

    If you could point me to any documentation that would offer clarity, it would be greatly appreciated.



  • 7.  RE: Wifi authentication problem: with android and windows 7 clients

    EMPLOYEE
    Posted Feb 15, 2019 11:33 AM

    While Onboard does use a PKI, it is not something you have to micromanage like a traditional PKI. You can have ClearPass Onboard configured in less than half an hour.

    I would recommend reaching out to your Aruba or partner team to discuss a design.