Connectivity Guide

This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the
device, the revoked certificate must be deleted.
If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate
authority to update the certificate's state. When the certificate is next used for authentication, it will be recognized as a
revoked certificate and the device will be denied access.
When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check
the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates.
If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the
unique username and password associated with the device. When this username is next used for authentication, it will
not be recognized as valid and the device will be denied access.
OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server
automatically updates the status of the username when the device's client certificate is revoked.
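
The reason the authentication server must consult OCSP or a CRL for EAP-TLS can be reproduced offline with OpenSSL. The script below is an added example, not part of the ClearPass documentation: the CA, the device name and all file names are constructed, it uses a CRL rather than OCSP, and `openssl verify` stands in for the authentication server's certificate check.

```shell
# Constructed throwaway CA and device certificate; all names are illustrative.
# Prints "<result without CRL check> <result with CRL check>" for a revoked cert.
revoked_cert_results() {
  local d; d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
    q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=demo-ca" -days 30 || exit 1
    q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr -subj "/CN=demo-device" || exit 1
    q openssl ca -batch -config ca.cnf -notext -in dev.csr -out dev.pem || exit 1
    q openssl ca -config ca.cnf -revoke dev.pem || exit 1      # CA records the revocation
    q openssl ca -config ca.cnf -gencrl -out ca.crl || exit 1  # CA publishes a CRL
    # Chain validation only: the revoked certificate is still accepted.
    q openssl verify -CAfile ca.pem dev.pem && a=accepted || a=denied
    # Same validation with the CRL consulted: the certificate is denied.
    q openssl verify -CAfile ca.pem -crl_check -CRLfile ca.crl dev.pem && b=accepted || b=denied
    echo "$a $b"
  )
  local rc=$?; rm -rf "$d"; return $rc
}
revoked_cert_results
```

The first result shows that revocation at the certificate authority has no effect on a verifier that only validates the chain; only the second, revocation-aware check denies the device.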
Re-Provisioning a Device
Because “bring your own” devices are not under the complete control of the network administrator, it is possible for
unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct
the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the
configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-provision
their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as
connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process
and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials
are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning to
occur on a regular basis.
If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked
certificate must be deleted before the device is able to be provisioned.
Network Requirements for Onboard
For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that must
be met by the provisioning network and the provisioned network:
• The provisioning network must use a captive portal or other method to redirect a new device to the device
  provisioning page.
• The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be
  provisioned. In practice, this means a commercial SSL certificate is required.
• The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
• The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked and
  deny access to the network.
Using Same SSID for Provisioning and Provisioned Networks
To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:
Dell Networking W-ClearPass Guest 6.2 | User Guide Onboard + WorkSpace | 73