Re-Provisioning A Device; Network Requirements For Onboard; Using Same Ssid For Provisioning And Provisioned Networks; Using Different Ssid For Provisioning And Provisioned Networks - Dell Powerconnect W-ClearPass Hardware Appliances Deployment Manual

Re-Provisioning a Device

Because "bring your own" devices are not under the complete control of the network administrator, it is possible for
unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network,
instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all
the configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-provision
their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action
(such as connecting to the appropriate network). If this is not possible, the user may choose to restart the
provisioning process and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials
are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning
to occur on a regular basis.
If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked
certificate must be deleted before the device is able to be provisioned.

Network Requirements for Onboard

For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that
must be met by the provisioning network and the provisioned network:
The provisioning network must use a captive portal or other method to redirect a new device to the device
l
provisioning page.
The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be
l
provisioned. In practice, this means a commercial SSL certificate is required.
The provisioned network
l
must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
l
The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked
l
and deny access to the network.

Using Same SSID for Provisioning and Provisioned Networks

To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:
Configure the network to use both PEAP and EAP-TLS authentication methods.
l
When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
l
The provisioning role should have limited network access and a captive portal that redirects users to the device
l
provisioning page.
When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
l
When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned role.
l
For provisioned devices, additional authorization steps can be taken after authentication has completed to
determine the appropriate provisioned role.

Using Different SSID for Provisioning and Provisioned Networks

To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate
network, use the following guidelines:
Dell Networking W-ClearPass Guest 6.0 | Deployment Guide Re-Provisioning a Device | 71