Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired Onboarding

  • 1.  Wired Onboarding

    Posted Jan 31, 2019 09:51 AM

    Sifus,

     

    I have a deployment whereby all the endpoints are onboarded through Wi-Fi. It's all working well with authentication using EAP-TLS for the SSID.

    Now, they want to integrate their 2930M switch with ClearPass as well. The workflow is, any laptops that are plugged in to the network ports must be authenticated and onboarded as well.

    Question is, does the same onboarded endpoint need to be re-onboarded through wired, or would it be able to authenticate directly using EAP-TLS seamlessly?



  • 2.  RE: Wired Onboarding

    EMPLOYEE
    Posted Jan 31, 2019 12:46 PM
    If you did not have wired settings as part of the Onboard config, then the device will not have a configured supplicant but the cert is still valid for wired.


  • 3.  RE: Wired Onboarding

    Posted Jan 31, 2019 07:25 PM
    Hi Tim,

    How do I make the supplicant configured for wired? Do I have to do re-onboarding again?

    Any idea how I can ensure seamless wired authentication for the same laptop?


  • 4.  RE: Wired Onboarding

    EMPLOYEE
    Posted Jan 31, 2019 07:30 PM
    If you didn't add a wired config to Onboard then you'd either have to re-onboard the device after adding it or manually configure the devices.


  • 5.  RE: Wired Onboarding

    Posted Jan 31, 2019 07:41 PM
    But re-onboarding the device will give a notification that the device is already provisioned, please click here.

    Our objective is to give the same user role via putn to the laptop.


  • 6.  RE: Wired Onboarding

    EMPLOYEE
    Posted Feb 01, 2019 03:05 AM

    Two things here. First is that if you configured the Network Settings in your Onboarding workflow as: 'Both - Wired and Wireless', and the wired network adapter was available during the onboarding process (for example, if you have a USB Ethernet which was not connected, it will not be configured):


    ... in that case, you should be fine and the wired should be configured.

     

    If you have not provisioned the wired settings, the client certificate is already present and you have two options:

    - go through the onboarding process again, to have the settings configured by the onboarding process. If you see the message that the device is provisioned already, you can ignore that and just continue.

    - as the certificate is already there, you can also go into the settings for your wired network card and manually configure the authentication method (EAP-TLS), server name, server certificate, etc.

     

    That second procedure needs some manual work by a somewhat skilled user. But if you have a handful of devices it is probably the fastest.

     

    In a very large deployment, I would create a second (new) Onboarding CA, and then when a client connects with a certificate issued by the old CA you can return a role that places the user in the onboarding process again to get a new certificate with new settings pushed for wired and wireless. You can add ?reprovision=1 to the redirect URL (or &reprovision=1 if it is not the first attribute in the URL) to skip the 'you are already provisioned' message. In this way, you can make sure that all users with old settings are guided through the onboarding process.