Occasional Contributor II

Wired Onboarding

Sifus,

I have a deployment whereby all the endpoints are onboarded through Wi-Fi. It's all working well with authentication using EAP-TLS for the SSID.

Now, they want to integrate their 2930M switch with ClearPass as well. The workflow is, any laptop that is plugged in to the network ports must be authenticated and onboarded as well.

The question is, does the same onboarded endpoint need to re-onboard through wired, or would it be able to authenticate directly using EAP-TLS seamlessly?

Guru Elite

Re: Wired Onboarding

If you did not have wired settings as part of the Onboard config, then the device will not have a configured supplicant but the cert is still valid for wired.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Wired Onboarding

Hi Tim,

How do I make the supplicant configured for wired? Do I have to do re-onboarding again?

Any idea how I can ensure seamless wired authentication to the same laptop?
Guru Elite

Re: Wired Onboarding

If you didn't add a wired config to Onboard then you'd either have to re-onboard the device after adding it or manually configure the devices.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Wired Onboarding

But re-onboarding the device will give a notification that the device is already provisioned, please click here.

Our objective is to give the same user role via putn to the laptop.
MVP Guru

Re: Wired Onboarding

Two things here. First is that if you configured the Network Settings in your Onboarding workflow as: 'Both - Wired and Wireless', and the wired network adapter was available during the onboarding process (for example if you have a USB ethernet which was not connected, it will not be configured):

... in that case, you should be fine and the wired should be configured.

If you have not provisioned the wired settings, the client certificate is already present and you have two options:

- go through the onboarding process again, to have the settings configured by the onboarding process. If you see the message that the device is provisioned already, you can ignore that and just continue.

- as the certificate is already there, you can also go into the settings for your wired network card and manually configure the authentication method (EAP-TLS), server name, server certificate, etc.

That second procedure needs some manual work by a somewhat skilled user. But if you have a handful of devices it is probably the fastest.

In a very large deployment, I would create a second (new) Onboarding CA, and then when a client connects with a certificate issued by the old CA you can return a role that places the user in the onboarding process again to get a new certificate with new settings pushed for wired and wireless. You can add ?reprovision=1 to the redirect URL (or &reprovision=1 if it is not the first attribute in the URL) to skip the 'you are already provisioned' message. In this way, you can make sure that all users with old settings are guided through the onboarding process.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).