Aruba ClearPass Onboarding - BYOD

Onboarding and Bring Your Own Device (BYOD)

Understanding Onboarding Process

  • Navid introduces onboarding in the context of Bring Your Own Device (BYOD): a user connects a personal device to the network with their own credentials.
  • After that initial connection, a certificate is generated for each device, giving a one-to-one binding between the user and each of their devices.
  • Authentication thereby moves from a credential-based EAP method (PEAP with MS-CHAPv2 in this lab) to certificate-based EAP-TLS, so the device subsequently authenticates with its own certificate rather than the user's password.

Steps in the Onboarding Process

  • Users can start onboarding from several entry points, such as clicking "onboard" or reaching it through the network manager.
  • Onboarded devices are listed in the Onboard device repository together with their certificates, so an administrator can see whether a device needs to be re-provisioned or onboarded fresh.

Certificate Authority Configuration

  • Navid creates a new Certificate Authority (CA) that is local to ClearPass and not integrated with any external PKI; it only has to serve the lab's own onboarding needs.
  • The CA's details are shown; within this lab environment the existing configuration can be edited or deleted.

Authentication Method Settings

  • Specifying an OCSP (Online Certificate Status Protocol) responder in the EAP-TLS authentication method is highlighted, so that a device certificate's revocation status is checked in real time at each authentication rather than only at issue time.
  • The default EAP-TLS method is copied rather than edited in place, and the option to override the OCSP URL carried in the client certificate is left off, so ClearPass uses the URL the certificate itself points to.
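The pieces described so far (a local CA, one certificate per device, an EAP-TLS method that checks OCSP in real time) can be tried end to end in code. The following is an added example in Python using the cryptography library; it is not code from the video or from ClearPass. The CA name, the CN-plus-URI-SAN layout for user and device, the EC P-256 key type and the in-memory OCSP responder are all this example's own assumptions.

```python
"""Added example (not ClearPass code): one EAP-TLS client certificate per device from a
local onboarding CA, plus the checks an OCSP-enabled EAP-TLS method makes before accepting it."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2024, 1, 1, 12, 0, 0)   # fixed naive-UTC clock so runs are repeatable
DAY = datetime.timedelta(days=1)

def make_ca(name="Lab Onboard CA"):
    """Self-signed issuing CA (assumed name). EC P-256 keeps issuance and handshakes cheap."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_device_cert(ca_key, ca_cert, username, device_mac):
    """One cert per (user, device): user in the CN, device MAC as a URI SAN (assumed layout)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, username)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(x509.SubjectAlternativeName(
                [x509.UniformResourceIdentifier("urn:mac:" + device_mac.lower())]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert

def device_identity(cert):
    """(user, device MAC) that the certificate binds together."""
    user = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    uri = san.get_values_for_type(x509.UniformResourceIdentifier)[0]
    return user, uri[len("urn:mac:"):]

def _validity(cert):
    """Naive-UTC window; works with and without the *_utc properties added in cryptography 42."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)
    return cert.not_valid_before, cert.not_valid_after

def ocsp_status(cert, ca_cert, ca_key, revoked_serials):
    """In-memory OCSP round trip: the CA answers as responder from its revocation list;
    the relying party re-parses the DER, verifies the responder signature and matches the serial."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build()
    revoked = req.serial_number in revoked_serials
    signed = (ocsp.OCSPResponseBuilder()
              .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                            this_update=NOW, next_update=NOW + DAY,
                            revocation_time=NOW if revoked else None,
                            revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
              .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
              .sign(ca_key, hashes.SHA256()))
    resp = ocsp.load_der_ocsp_response(signed.public_bytes(serialization.Encoding.DER))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return ocsp.OCSPCertStatus.UNKNOWN
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("OCSP response is about a different certificate")
    return resp.certificate_status

def validate_client_cert(cert, ca_cert, ca_key, revoked_serials, now=NOW):
    """The checks an EAP-TLS authentication method makes. Returns (accepted, reason)."""
    if cert.issuer != ca_cert.subject:
        return False, "not issued by the onboarding CA"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify against the CA"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return False, "outside validity window"
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no extended key usage"
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "not a TLS client certificate"
    status = ocsp_status(cert, ca_cert, ca_key, revoked_serials)   # real-time revocation check
    if status != ocsp.OCSPCertStatus.GOOD:
        return False, "OCSP status " + status.name.lower()
    return True, "ok"
```

Revoking a serial flips the OCSP answer from good to revoked, and therefore the authentication from accept to reject, without touching the certificate on the device; that is the reason to have the method require an OCSP check rather than trusting the certificate's validity dates alone.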

Network Settings Configuration

  • The network settings define what the QuickConnect onboarding client pushes to the device: it installs the device certificate and configures the wireless profile (SSID and EAP-TLS) on the client machine.

Employee Secure Wireless Configuration Process

Creating the Configuration Profile

  • A new configuration profile named "employee secure Wireless" is created, reusing the network settings defined earlier.
  • Two of the three onboarding components are now in place; the same network settings can be attached to more than one SSID.

Provisioning Settings Setup

  • A new provisioning setting titled "employee secure device provisioning" is created and configured to use the locally created certificate authority.
  • The correct CA is selected for onboarding, and the key type and size are adjusted, since they affect both provisioning time and EAP-TLS handshake performance.

Web Login and Certificate Validation

  • The web login page that clients are redirected to becomes the entry point of the onboarding flow.
  • Certificate validation is turned off for lab purposes; in production it should stay enabled.

Completing Onboarding Process Steps

  • The speaker summarizes completing all three parts of the onboarding process: network settings, configuration profile, and provisioning settings.
  • They transition to creating onboard services within ClearPass Policy Manager using templates.

Service Creation and Enforcement Policies

  • The template creates three services, each with its own enforcement policy: a provisioning service for the initial connection, an authorization service, and a pre-authentication check that runs before the client is admitted to the secure network.
  • Devices are profiled during onboarding; a client first connects with PEAP (username and password) and only moves to EAP-TLS once its certificate has been provisioned.

Modifications for Lab Environment

  • Guest access is removed from the authorization service, leaving the local user repository as the only authentication source.
  • OCSP is enabled in the service so that certificate status is checked, and the services are confirmed to connect properly without the guest source.

Finalizing Onboarding Services

  • The final adjustment is verifying that the OCSP responder URL in the service is correct, while keeping the local user repository as the authentication source.

Service Configuration and User Onboarding Process

Adjusting Service Order

  • The new onboard services are moved to the top of the service list: ClearPass evaluates services in order and the first match wins, so a lower position would let an older service catch onboarding requests first.
  • An existing 802.1X authentication service that is no longer needed is disabled rather than deleted, so it cannot match but can be restored later.

Exploring Enforcement Profiles

  • Attention turns to enforcement profiles; the template created three pre-provisioning profiles automatically for user onboarding.
  • On the initial connection to the secure SSID, ClearPass assigns the BYOD (pre-provisioning) role and returns it to the mobility controller.

Post-Onboarding User Role

  • After onboarding, the user is placed in an authenticated role that grants full network access.
  • The mobility controller must be configured so that a client in the pre-provisioning role is redirected to the onboarding page, including on re-onboarding attempts.

Configuring Redirection URL

  • The redirect URL for onboarding is configured on the controller, pointing at device_provisioning_2.php on the ClearPass server.
  • The ClearPass fully qualified domain name is copied into the redirect URL so clients are sent to the correct host.

Verifying Role Mapping and Testing Onboarding

  • It’s confirmed that the BYOD role is linked correctly with a captive portal necessary for onboarding processes.
  • A test of the client connection reveals successful assignment of pre-provisioning roles upon connecting through wireless services.

Access Tracker Insights

  • The Access Tracker shows the client connecting as the contractor test user and matching the employee wireless onboarding provisioning service.

Onboarding Process Overview

Initial Setup and Configuration

  • Onboarding starts with the QuickConnect setup, which applies everything configured in the onboarding settings.
  • A warning about an untrusted certificate appears because the machine does not yet trust the onboarding server's certificate; for the lab the user accepts it and continues.

Connection Attempts and User Authentication

  • The Access Tracker shows the contractor test user first connecting with PEAP-MSCHAPv2, which triggers the application-based onboarding service.
  • The certificates issued for a username can be viewed, showing two different machines onboarded for the one user.

Certificate Management

  • Each user has two certificates (one per machine), with details available for review; the certificate type is shown as TLS client.
  • After the devices are onboarded, the Access Tracker confirms that they now authenticate with EAP-TLS, and the request's accounting details and input attributes can be inspected.

Output and User Role Verification

  • Among the request's input attributes are DHCP options such as option 55 (parameter request list) and option 60 (vendor class identifier), which profiling uses to identify the device type; the output tab shows the attributes returned to the controller after authentication.
  • On the mobility controller, the user-table output confirms the users are authenticated, listing the assigned role, the MAC address and the forwarding (tunnel) mode.
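To make the profiling input concrete, the added Python example below (not from the video or from ClearPass) parses the options field of a DHCP packet, extracts Option 55 and Option 60, and matches them against a small fingerprint table. The table is constructed for this example: the Windows ("MSFT 5.0") and Android vendor-class strings are real, while the parameter request lists and the packet builder are illustrative.

```python
"""Added example (not ClearPass code): DHCP fingerprinting of the kind a profiler does
with Option 55 (Parameter Request List) and Option 60 (Vendor Class Identifier)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: DHCP options start after this, at offset 236

# Constructed lookup table for the example (a real profiler carries thousands of entries).
# Vendor-class strings are real; the parameter request lists are illustrative.
FINGERPRINTS = {
    ("MSFT 5.0", "1,3,6,15,31,33,43,44,46,47,119,121,249,252"): "Windows",
    ("android-dhcp-13", "1,3,6,15,26,28,51,58,59,43,114"): "Android 13",
    (None, "1,121,3,6,15,119,252,95,44,46"): "Apple (no vendor class)",
}

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw value} for a DHCP packet; skips PAD, stops at END, rejects truncation."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # PAD: a single byte with no length field
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        options[code] = value
        i += 2 + length
    return options

def client_mac(packet: bytes) -> str:
    """Client hardware address from chaddr (offset 28), length from hlen (offset 2)."""
    return ":".join("%02x" % b for b in packet[28:28 + packet[2]])

def fingerprint(options: dict):
    """(vendor class or None, comma-joined Option 55 list): the key profilers match on."""
    prl = ",".join(str(b) for b in options.get(55, b""))
    vci = options[60].decode("ascii", "replace") if 60 in options else None
    return vci, prl

def profile(packet: bytes) -> dict:
    """Classify the sending device; only DISCOVER/REQUEST carry the client's own 55/60."""
    options = parse_dhcp_options(packet)
    if options.get(53, b"\x00")[0] not in (1, 3):
        return {"mac": client_mac(packet), "device": None}
    vci, prl = fingerprint(options)
    # exact (vendor class, PRL) match first, then PRL-only for clients that send no Option 60
    device = FINGERPRINTS.get((vci, prl)) or FINGERPRINTS.get((None, prl)) or "unknown"
    return {"mac": client_mac(packet), "vendor_class": vci, "parameter_request_list": prl, "device": device}

def build_discover(mac: str, prl: bytes, vendor_class=None, msg_type=1) -> bytes:
    """Constructed sample packet: 236-byte BOOTREQUEST header, cookie, options 53/55[/60], END."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type]) + bytes([55, len(prl)]) + prl
    if vendor_class is not None:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    return header + MAGIC_COOKIE + opts + b"\xff"
```

The two-step lookup matters for the Apple case: those clients typically send no Option 60, so a profiler that keyed only on the vendor class would leave them unclassified, while the parameter request list still identifies them.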

Conclusion of Onboarding Steps

Video description

In this video I explain what Aruba Onboarding (BYOD) is and how to configure it on Aruba ClearPass.