Security

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

Original Message:
Sent: May 25, 2023 07:57 AM
From: Jer.S
Subject: Onboarding authentication

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

We currently have three different SSID's active for clients to connect to;
Guest SSID – internet access for guests
BYOD SSID – basically the same as the guest SSID but for unmanaged BYOD from employees with only internet access
Corp SSID – This is the SSID where the domain / managed device will connect to.

We want to redesign our network by reducing the SSID's back to two instead of three. We came across two options;
1. Guest and BYOD SSID together where guests have a re-auth time of 4 hours and employees have 8 hours and the bandwidth is a little higher for employees
2. BYOD and Corp SSID together with OnBoarding to have BYOD on the corp SSID with certificates (But still internet only for BYOD)

And I thought that the first options is a little unsecure because we need to let employees connect with their AD credentials on the guest network in order to let Clearpass know that it is an employee instead of a guest to give a longer re-auth time etc.

Original Message:
Sent: May 25, 2023 08:05 AM
From: ahollifield
Subject: Onboarding authentication

No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

Original Message:
Sent: May 25, 2023 07:57 AM
From: Jer.S
Subject: Onboarding authentication

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

In this design you should have Corp and Guest only.  Why treat employee personal devices any different than guests if they both just get basic internet.  If the user logs in with a guest account they get 4 hours or whatever their guest username lifetime is.  If a user logins in with AD crenditals then you can cache the mac for 8 hours, 8 days, whatever you like. Using AD credentials to login into the guest portal is fully supported and fully secure (HTTPS).  There isn't a security risk doing this.  Entering AD credentials directly into a unmanaged client supplicant config for PEAP/MS-CHAPv2 is less secure (MS-CHAPv2 is broken, see MS credential guard) than entering them into a TLS protected HTTPS session.

Speaking from a wireless/RF standpoint is also not typically best practice to bandwidth limit clients.  If the client is throttled (meaning their packets are dropped) this leads to a very poor user experience and causes the applications running on that client to retransmit their traffic which can potentially lead to more traffic on the wireless network.

Original Message:
Sent: May 25, 2023 08:19 AM
From: Jer.S
Subject: Onboarding authentication

We currently have three different SSID's active for clients to connect to;
Guest SSID – internet access for guests
BYOD SSID – basically the same as the guest SSID but for unmanaged BYOD from employees with only internet access
Corp SSID – This is the SSID where the domain / managed device will connect to.

We want to redesign our network by reducing the SSID's back to two instead of three. We came across two options;
1. Guest and BYOD SSID together where guests have a re-auth time of 4 hours and employees have 8 hours and the bandwidth is a little higher for employees
2. BYOD and Corp SSID together with OnBoarding to have BYOD on the corp SSID with certificates (But still internet only for BYOD)

And I thought that the first options is a little unsecure because we need to let employees connect with their AD credentials on the guest network in order to let Clearpass know that it is an employee instead of a guest to give a longer re-auth time etc.

Original Message:
Sent: May 25, 2023 08:05 AM
From: ahollifield
Subject: Onboarding authentication

No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

Original Message:
Sent: May 25, 2023 07:57 AM
From: Jer.S
Subject: Onboarding authentication

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

So your answer would be to put byod over the guest SSID without having diffirent re-auth times for the user groups?

In this design you should have Corp and Guest only.  Why treat employee personal devices any different than guests if they both just get basic internet.  If the user logs in with a guest account they get 4 hours or whatever their guest username lifetime is.  If a user logins in with AD crenditals then you can cache the mac for 8 hours, 8 days, whatever you like. Using AD credentials to login into the guest portal is fully supported and fully secure (HTTPS).  There isn't a security risk doing this.  Entering AD credentials directly into a unmanaged client supplicant config for PEAP/MS-CHAPv2 is less secure (MS-CHAPv2 is broken, see MS credential guard) than entering them into a TLS protected HTTPS session.

Speaking from a wireless/RF standpoint is also not typically best practice to bandwidth limit clients.  If the client is throttled (meaning their packets are dropped) this leads to a very poor user experience and causes the applications running on that client to retransmit their traffic which can potentially lead to more traffic on the wireless network.

Original Message:
Sent: May 25, 2023 08:19 AM
From: Jer.S
Subject: Onboarding authentication

We currently have three different SSID's active for clients to connect to;
Guest SSID – internet access for guests
BYOD SSID – basically the same as the guest SSID but for unmanaged BYOD from employees with only internet access
Corp SSID – This is the SSID where the domain / managed device will connect to.

We want to redesign our network by reducing the SSID's back to two instead of three. We came across two options;
1. Guest and BYOD SSID together where guests have a re-auth time of 4 hours and employees have 8 hours and the bandwidth is a little higher for employees
2. BYOD and Corp SSID together with OnBoarding to have BYOD on the corp SSID with certificates (But still internet only for BYOD)

And I thought that the first options is a little unsecure because we need to let employees connect with their AD credentials on the guest network in order to let Clearpass know that it is an employee instead of a guest to give a longer re-auth time etc.

Original Message:
Sent: May 25, 2023 08:05 AM
From: ahollifield
Subject: Onboarding authentication

No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

Original Message:
Sent: May 25, 2023 07:57 AM
From: Jer.S
Subject: Onboarding authentication

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

No, have both guest and employee devices on the same Open (with OWE enabled!) SSID directed to the ClearPass guest portal.  If the user logs in with a Guest account, enforce with a 4 hour re-auth.  If the user logs with an AD account then enforce with an 8 hour re-auth.

So your answer would be to put byod over the guest SSID without having diffirent re-auth times for the user groups?

In this design you should have Corp and Guest only.  Why treat employee personal devices any different than guests if they both just get basic internet.  If the user logs in with a guest account they get 4 hours or whatever their guest username lifetime is.  If a user logins in with AD crenditals then you can cache the mac for 8 hours, 8 days, whatever you like. Using AD credentials to login into the guest portal is fully supported and fully secure (HTTPS).  There isn't a security risk doing this.  Entering AD credentials directly into a unmanaged client supplicant config for PEAP/MS-CHAPv2 is less secure (MS-CHAPv2 is broken, see MS credential guard) than entering them into a TLS protected HTTPS session.

Speaking from a wireless/RF standpoint is also not typically best practice to bandwidth limit clients.  If the client is throttled (meaning their packets are dropped) this leads to a very poor user experience and causes the applications running on that client to retransmit their traffic which can potentially lead to more traffic on the wireless network.

Original Message:
Sent: May 25, 2023 08:19 AM
From: Jer.S
Subject: Onboarding authentication

We currently have three different SSID's active for clients to connect to;
Guest SSID – internet access for guests
BYOD SSID – basically the same as the guest SSID but for unmanaged BYOD from employees with only internet access
Corp SSID – This is the SSID where the domain / managed device will connect to.

We want to redesign our network by reducing the SSID's back to two instead of three. We came across two options;
1. Guest and BYOD SSID together where guests have a re-auth time of 4 hours and employees have 8 hours and the bandwidth is a little higher for employees
2. BYOD and Corp SSID together with OnBoarding to have BYOD on the corp SSID with certificates (But still internet only for BYOD)

And I thought that the first options is a little unsecure because we need to let employees connect with their AD credentials on the guest network in order to let Clearpass know that it is an employee instead of a guest to give a longer re-auth time etc.

Original Message:
Sent: May 25, 2023 08:05 AM
From: ahollifield
Subject: Onboarding authentication

No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

Original Message:
Sent: May 25, 2023 07:57 AM
From: Jer.S
Subject: Onboarding authentication

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer

One last question. Is this also possible of the guest only needs to authenticate by accepting the terms and conditions? (And the employee with AD credentials?)

No, have both guest and employee devices on the same Open (with OWE enabled!) SSID directed to the ClearPass guest portal.  If the user logs in with a Guest account, enforce with a 4 hour re-auth.  If the user logs with an AD account then enforce with an 8 hour re-auth.

So your answer would be to put byod over the guest SSID without having diffirent re-auth times for the user groups?

In this design you should have Corp and Guest only.  Why treat employee personal devices any different than guests if they both just get basic internet.  If the user logs in with a guest account they get 4 hours or whatever their guest username lifetime is.  If a user logins in with AD crenditals then you can cache the mac for 8 hours, 8 days, whatever you like. Using AD credentials to login into the guest portal is fully supported and fully secure (HTTPS).  There isn't a security risk doing this.  Entering AD credentials directly into a unmanaged client supplicant config for PEAP/MS-CHAPv2 is less secure (MS-CHAPv2 is broken, see MS credential guard) than entering them into a TLS protected HTTPS session.

Speaking from a wireless/RF standpoint is also not typically best practice to bandwidth limit clients.  If the client is throttled (meaning their packets are dropped) this leads to a very poor user experience and causes the applications running on that client to retransmit their traffic which can potentially lead to more traffic on the wireless network.

Original Message:
Sent: May 25, 2023 08:19 AM
From: Jer.S
Subject: Onboarding authentication

We currently have three different SSID's active for clients to connect to;
Guest SSID – internet access for guests
BYOD SSID – basically the same as the guest SSID but for unmanaged BYOD from employees with only internet access
Corp SSID – This is the SSID where the domain / managed device will connect to.

We want to redesign our network by reducing the SSID's back to two instead of three. We came across two options;
1. Guest and BYOD SSID together where guests have a re-auth time of 4 hours and employees have 8 hours and the bandwidth is a little higher for employees
2. BYOD and Corp SSID together with OnBoarding to have BYOD on the corp SSID with certificates (But still internet only for BYOD)

And I thought that the first options is a little unsecure because we need to let employees connect with their AD credentials on the guest network in order to let Clearpass know that it is an employee instead of a guest to give a longer re-auth time etc.

Original Message:
Sent: May 25, 2023 08:05 AM
From: ahollifield
Subject: Onboarding authentication

No such thing as a stupid question :) But no this isn't possible.  The device must be enrolled and managed by InTune.  What is the use-case for allowing employee personal, unknown, unmanaged devices on the network in the first place though?  Why not just use a guest portal flow rather than OnBoard?

Original Message:
Sent: May 25, 2023 07:57 AM
From: Jer.S
Subject: Onboarding authentication

Thanks,

Maybe one more stupid question. How can we add 'unmanaged' devices such as byod to Intune, is there an application out there that needs to be installed on the employee's personal devices or how does this work?

Original Message:
Sent: May 25, 2023 07:51 AM
From: ahollifield
Subject: Onboarding authentication

Yes.  InTune has the ability to push certificate's from a CA to managed devices.  You can use these certificates to authenticate to ClearPass.  You can then also use the InTune extension in ClearPass to get more endpoint attributes from InTune to do further granular enforcement.

Original Message:
Sent: May 25, 2023 07:46 AM
From: Jer.S
Subject: Onboarding authentication

Thanks for the quick response Ahollifield,

So for my understanding, I can integrate Intune with the byod from employees in a company and push a unique certificate using Intune?

Original Message:
Sent: May 25, 2023 07:40 AM
From: ahollifield
Subject: Onboarding authentication

Yes, as long as your OnBoarding page is using HTTPS those credentials are fully encrypted with HTTPS.

I wouldn't use ClearPass OnBoard at all then.  Integrate InTune with ClearPass for endpoint data and use InTune to push the certificate and SSID settings.  No dealing with certificate trust issues, no apps to download, no captive portal, etc.

Original Message:
Sent: May 25, 2023 07:31 AM
From: Jer.S
Subject: Onboarding authentication

Well I thought that you maybe able to send the application "quickconnect app" to the user (for example using email) and let them download it. But then, after I published this topic, I realised that the user needs to be connected to the network in order to get provisioned.

But then my question is, is it secure to let the users login using their AD credentials on the 'open' guest network in order to start the device provisioning?

"Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution."

We are using Intune to enroll domain devices for the employees. But can you also add BYOD to intune? We only need it to push a unique certificate to the device in order to connect to the corp network, that's why we where looking for OnBoarding.

Original Message:
Sent: May 24, 2023 10:37 AM
From: ahollifield
Subject: Onboarding authentication

How would you provision the device if they skip the OnBoarding page?  This piece is required for BYOD AFAIK.  Also are you sure you want to go down the OnBoard route?  You would be much happier with an MDM solution.

Original Message:
Sent: May 24, 2023 02:30 AM
From: Jer.S
Subject: Onboarding authentication

Hello,

I have a question about the OnBoarding feature in Clearpass. We are trying to implement OnBoarding for the byod on our network. I know that there are multiple options out to implement the feature, for example by using a single SSID or dual SSID. I got some feedback already that using dual SSID is better then using a single SSID because there can be problems with the network profile configuration when using a single SSID.

My question is the following;
When does the authentication happen in the OnBoarding workflow? Is it only when the user needs to fil in the user credentials on the provisioning page? Or does the user also has to put in his or her credentials in the 'quickconnect' app after installing it? I am asking this because I want to know if it is possible to skip the part of sending users to the provisioning page. I want to send a email to al of the users to inform them about the app and that is the reason why I need to know if the users need to authenticate on the app as well. 

And is this even possible? Or do the users need to go to the provisioning page in order to onboard their device?
And is it save to let them login on the webpage using their credentials on a 'open' guest SSID for onboarding?

Kind regards,

Jer