Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Onboard How-To Tech Guide

  • 1.  ClearPass Onboard How-To Tech Guide

    EMPLOYEE
    Posted Feb 03, 2022 11:41 AM
    Put this together while talking with several customers about onboarding options. Realize that this might be imperfect or incomplete but the intent is to get our community a good foundational understanding of the ins and outs of ClearPass Onboard. If you'd like to hear more or have a comment, please reply!  Thanks!

    This document covers 

    • Overview of certificates
    • What is Onboard
    • Features of onboard
    • Start to finish configuration of Onboard
    • Customizing the Galleria skin
    • Advanced Onboard policies
    • Configuring self-service


    ------------------------------
    Seth Fiermonti
    ------------------------------

    Attachment(s)

    CPPM Onboard Overview.pdf   12.89 MB 1 version


  • 2.  RE: ClearPass Onboard How-To Tech Guide

    Posted May 16, 2022 05:07 AM
    Cool overview, thank you!
    A question though: how can I identify when a device was last seen? My task: free up Onboard licenses from devices that are not used anymore (offline for more than 6 months).
    I could check the Endpoint repository, but this seems not to be the most efficient way.

    ------------------------------
    Dario Natale
    ------------------------------



  • 3.  RE: ClearPass Onboard How-To Tech Guide

    Posted May 25, 2022 05:13 AM
    Hello!
    Been a while since I did an Onboard setup for a customer, and currently having a struggle getting it to work. This post had nice timing ;)
    There have definitely been some changes to Onboard over the past years. Client side has changed for the worse, right?
     
    Quickconnect Android / Windows I'm unable to get working. It just fails "unable to download valid credentials" or something like that. Clients terminate on a Citrix ADC with just https allowed towards specific URLs /guest/ and /onboard. Will we have to open up http towards CPPM for OCSP? Currently I have configured without OCSP just to see if I can get this to work.

    iOS/iPad works, but it's very far from as smooth an experience as it used to be. Now it seems there is a lot more the client has to do without being guided to it. Like the Root CA cert isn't trusted automatically. I have to manually go do that. The profile isn't installed automatically either during the process, it's just downloaded and I have to find out where it was placed and choose to install it.
     
    -> Could this be due to not having a Public Code Signing cert?
    -> Can the code signing cert be wildcard?



    ------------------------------
    John-Egil Solberg |
    ACMX | ACCX
    ------------------------------



  • 4.  RE: ClearPass Onboard How-To Tech Guide

    Posted May 25, 2022 05:50 AM
    So.. Might have gotten the Quickconnect part working by changing the Identity Key-type to be created by server, instead of created by device.. Changed from the default 2048-bit - created by device, to 2096 - created by server. Now works fine. The error logs indicate that the client needs access to CPPM EST to be able to generate the cert itself, and we haven't activated the EST or SCEP parts of the CA auth.

    ------------------------------
    John-Egil Solberg |
    ACMX | ACCX
    ------------------------------



  • 5.  RE: ClearPass Onboard How-To Tech Guide

    EMPLOYEE
    Posted May 25, 2022 08:58 AM
    Yes...that was it. I would not use a wildcard cert however if you still are and EST is needed to enroll completely.

    ------------------------------
    Seth Fiermonti
    ------------------------------



  • 6.  RE: ClearPass Onboard How-To Tech Guide

    EMPLOYEE
    Posted May 25, 2022 09:04 AM
    You can use these settings in the Provisioning Settings

    ------------------------------
    Seth Fiermonti
    ------------------------------