Deployment Guide
This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the
device, the revoked certificate must be deleted.
If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate
authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized
as a revoked certificate and the device will be denied access.
NOTE: When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the
revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates. If the device is
provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and
password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the
device will be denied access.
NOTE: OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server automatically
updates the status of the username when the device's client certificate is revoked.
Re-Provisioning a Device
Because “bring your own” devices are not under the complete control of the network administrator, it is possible for
unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network,
instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all
the configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-provision
their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action
(such as connecting to the appropriate network). If this is not possible, the user may choose to restart the
provisioning process and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials
are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning
to occur on a regular basis.
If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked
certificate must be deleted before the device is able to be provisioned.
Network Requirements for Onboard
For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that
must be met by the provisioning network and the provisioned network:
l The provisioning network must use a captive portal or other method to redirect a new device to the device
provisioning page.
l The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be
provisioned. In practice, this means a commercial SSL certificate is required.
l The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
l The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked
and deny access to the network.
Using Same SSID for Provisioning and Provisioned Networks
To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:
Dell Networking W-ClearPass Guest 6.1 | Deployment Guide Onboard | 75