Manualshelf

User's Manual

ManualsBrandsDell ManualsComputer equipmentPowerconnect W-ClearPass Hardware Appliances
81828384858687888990
Re-Provisioning a Device
Because bring your own” devices are not under the complete control of the network administrator, it is
possible for unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network,
instruct the device to forget the provisioned network settings, or reset the device to factory defaults and
destroy all the configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-
provision their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action
(such as connecting to the appropriate network). If this is not possible, the user may choose to restart the
provisioning process and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these
credentials are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-
provisioning to occur on a regular basis.
If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked
certificate must be deleted before the device is able to be provisioned.
Network Requirements for Onboard
To achieve complete functionality, Dell Networking W-ClearPass Onboard has certain requirements that must
be met by the provisioning network and the provisioned network:
l The provisioning network must use a captive portal or other method to redirect a new device to the device
provisioning page.
l The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be
provisioned. In practice, this means a commercial SSL certificate is required.
l The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
l The provisioned network must support either OCSP or CRL checks to detect when a device has been
revoked and deny access to the network.
Using Same SSID for Provisioning and Provisioned Networks
To configure a single SSID to support both provisioned and non-provisioned devices, use the following
guidelines:
l Configure the network to use both PEAP and EAP-TLS authentication methods.
l When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
l The provisioning role should have limited network access and a captive portal that redirects users to the
device provisioning page.
l When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
l When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned
role.
For provisioned devices, additional authorization steps can be taken after authentication has completed to
determine the appropriate provisioned role.
Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 87