Administrator Guide
If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate
authority to update the certificate’s state. When the certificate is next used for authentication, it will be
recognized as a revoked certificate and the device will be denied access.
When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to
check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for
certificates. If the device is provisioned with PEAP unique device credentials, revoking the certificate will
automatically delete the unique username and password associated with the device. When this username is next
used for authentication, it will not be recognized as valid and the device will be denied access.
OCSP and CRL are not used when using PEAP unique device credentials. The W-ClearPass Onboard server
automatically updates the status of the username when the device's client certificate is revoked.
Re-Provisioning a Device
Because “bring your own” devices are not under the complete control of the network administrator, it is
possible for unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network,
instruct the device to forget the provisioned network settings, or reset the device to factory defaults and
destroy all the configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-
provision their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action
(such as connecting to the appropriate network). If this is not possible, the user may choose to restart the
provisioning process and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these
credentials are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-
provisioning to occur on a regular basis.
A new certificate is generated when any of the following conditions occur:
l The key is set to be created by the device
l The fields in the certificate change
l The previous certificate has only 25% of its validity period remaining
Network Requirements for Onboard
To achieve complete functionality, Dell Networking W-ClearPass Onboard has certain requirements that must
be met by the provisioning network and the provisioned network:
l The provisioning network must use a captive portal or other method to redirect a new device to the device
provisioning page.
l The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be
provisioned. In practice, this means a commercial SSL certificate is required.
l The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
l The provisioned network must support either OCSP or CRL checks to detect when a device has been
revoked and deny access to the network.
Dell Networking W-ClearPass Guest 6.6 | User Guide Onboard | 103