06-15-2020 01:26 AM
Hi,
We are going to implement a NAC project with multiple AD domains, for which we will authenticate machines and users with EAP-TLS.
Each domain will have its own CA.
The network will be a SD Access network managed by a DNA center
We have made some tests with the different domains and things are working fine. We are able to assign the correct VNI / IP pool and SGT for each kind of endpoint/user.
But in our tests, endpoints are already provisioned with the required certificates (Root CA, machine certificate and user certificate), and the network adapter is also manually configured for EAP-TLS.
The question is, what is the best way to get an easy onboarding of the machine/user on day 0 when they are going to connect the first time to the network?
What about computer imaging? Will this include the user certificate?
We can think of a staging area where users can onboard or reinstall their computers, but we are looking for a more elegant solution.
Do you have some experience to share with this?
Thanks
06-15-2020 01:38 AM
Hi,
Actually, the question is for the Windows team person.
They have to create a group policy for the machine and user certificates to auto-enroll automatically.
Also, when certificates are near expiry, they will need to auto-generate and issue a new certificate as well.
Thanks and Regards
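Following up on the auto-enrollment suggestion, here is an added example (not code from the thread or from any poster), written in PowerShell to run in an elevated session on a domain-joined Windows endpoint after the GPO has applied. It checks whether the machine store and the current user's store hold a certificate a supplicant can actually use for EAP-TLS (private key present, issued by the domain CA, Client Authentication EKU), reports what the auto-enrollment GPO wrote to the registry, and pulses auto-enrollment when a certificate is missing or inside the renewal window. The CA name 'Contoso Issuing CA' and the 30-day threshold are placeholder assumptions, not values from the thread.

```powershell
# Added example, not code from the thread. Run elevated on a domain-joined
# Windows endpoint after the auto-enrollment GPO has applied.
# Assumed values (not from the thread): the issuing CA name and renewal window.

$IssuerPattern   = 'Contoso Issuing CA'   # assumption: substring of your CA's subject
$RenewWithinDays = 30                     # assumption: renew when fewer days remain
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU, required for EAP-TLS

function Get-EapTlsCertificate {
    # Newest unexpired certificate in $StorePath that has a private key, was
    # issued by the expected CA and carries the Client Authentication EKU.
    param([string]$StorePath, [string]$Issuer, [string]$EkuOid)

    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like "*$Issuer*" -and
            ($_.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.37' } |   # extKeyUsage extension
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $EkuOid })
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

function Get-AutoEnrollmentPolicy {
    # Reads the value written by the 'Certificate Services Client - Auto-Enrollment'
    # GPO: HKLM holds the computer policy, HKCU the user policy.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $key    = "${Hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $policy = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $policy) { return 'not configured (GPO not applied)' }

    # Bit 1: enabled; bit 2: renew expired / update pending / remove revoked;
    # bit 4: update certificates that use templates. 7 means all three are on.
    $flags = @()
    if ($policy -band 1) { $flags += 'enabled' }
    if ($policy -band 2) { $flags += 'renew-expired' }
    if ($policy -band 4) { $flags += 'update-templates' }
    if ($flags.Count -eq 0) { $flags += 'disabled' }
    return "AEPolicy=$policy ($($flags -join ', '))"
}

$contexts = @(
    @{ Name = 'Machine'; Store = 'Cert:\LocalMachine\My'; Hive = 'HKLM'; Pulse = @('-pulse') },
    @{ Name = 'User';    Store = 'Cert:\CurrentUser\My';  Hive = 'HKCU'; Pulse = @('-user', '-pulse') }
)

foreach ($ctx in $contexts) {
    $policy = Get-AutoEnrollmentPolicy -Hive $ctx.Hive
    $cert   = Get-EapTlsCertificate -StorePath $ctx.Store -Issuer $IssuerPattern -EkuOid $ClientAuthOid
    $pulse  = $false

    if ($null -eq $cert) {
        Write-Warning "$($ctx.Name): no EAP-TLS certificate from '$IssuerPattern' found; policy: $policy"
        $pulse = $true
    }
    else {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Write-Host ("{0}: {1} (thumbprint {2}) valid for {3} more days; policy: {4}" -f
            $ctx.Name, $cert.Subject, $cert.Thumbprint, $daysLeft, $policy)
        if ($daysLeft -lt $RenewWithinDays) {
            Write-Warning "$($ctx.Name): certificate expires in $daysLeft days; requesting renewal"
            $pulse = $true
        }
    }

    if ($pulse) {
        # Trigger the auto-enrollment task now instead of waiting for the next
        # scheduled run. The GPO must already be applied for this to enroll anything.
        & certutil.exe $ctx.Pulse | Out-Null
    }
}
```

The script only confirms that enrollment has happened; it cannot create the first certificate by itself. A freshly imaged machine still has to reach a domain controller and the CA before it holds any certificate at all, which is exactly the day-0 gap the staging area in the original question is meant to cover.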
06-15-2020 07:21 AM
06-15-2020 08:21 PM
There are various caveats around PC build/onboarding in a NAC environment. The easiest solution by far would be to have a separate staging environment. See the posts below discussing related topics around this.
PC Imaging on NAC secured ports
ISE Deployment EAP-TLS Machine or User Certificates Native Supplicant