06-15-2020 01:26 AM
Hi,
We are going to implement a NAC project with multiple AD Domain for which we will authenticate machines and users with EAP-TLS.
Each domain will have its own CA.
The network will be a SD Access network managed by a DNA center
We have made some tests with the different domains and things are working fine. We are able to assign the correct VNI / IP Pool and SGT for each kind of endpoint/user.
But in our tests, endpoints are already provisioned with the required certificates (Root CA, machine certificate and user certificate), and the network adapter is also manually configured for EAP-TLS.
The question is, what is the best way to get an easy onboarding of the machine/user on day 0 when they are going to connect the first time to the network?
What about computer imaging? Will this include user certificate?
We can think of a staging area where user can onboard, reinstall their computer but we are looking for a more elegant solution
Do you have some experience to share with this?
Thanks
06-15-2020 01:38 AM
Hi,
Actually the question is for the windows team person.
They have to create a group policy for the machine and user certificates to auto-enroll automatically.
Also, when the certificates are near expiry, they will need to auto-generate and issue a new certificate as well.
Thanks and Regards
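As an added illustration of the auto-enrollment point in the reply above (this is example code written for this page, not something posted in the thread or shipped with ISE or DNA Center), the following PowerShell script checks a Windows endpoint for a certificate that a supplicant could use for EAP-TLS, reports how close it is to expiry, and triggers a Windows auto-enrollment pass when none is present or renewal is due. It assumes an AD-integrated CA, an auto-enrollment GPO already applied to the machine/user, and a template that carries the Client Authentication EKU; the issuer-name substring and the renewal window are placeholders to adjust.

```powershell
# Added example (not from the thread): verify that this Windows endpoint holds a
# certificate usable for EAP-TLS and trigger GPO auto-enrollment if it is missing
# or close to expiry. Run in the machine context (LocalMachine) for machine auth,
# or as the user (CurrentUser) for user auth.
# Assumptions: a domain CA, an auto-enrollment GPO already in place, and a
# template with the "Client Authentication" EKU (OID 1.3.6.1.5.5.7.3.2).
param(
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$StoreLocation   = 'LocalMachine',   # which store to inspect
    [int]   $RenewWithinDays = 30,               # assumption: renew when this close to expiry
    [string]$IssuerMatch     = 'CORP-CA'         # placeholder: substring of your domain CA's name
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# Only certificates with a private key, from our CA, and with the client-auth EKU
# are candidates for EAP-TLS; newest expiry first.
$candidates = Get-ChildItem -Path "Cert:\$StoreLocation\My" |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "*$IssuerMatch*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    Write-Warning "No EAP-TLS capable certificate from '$IssuerMatch' in $StoreLocation\My; triggering auto-enrollment."
    # certutil -pulse asks the Windows auto-enrollment task to run now instead of
    # waiting for the next scheduled pass (the GPO must already be applied).
    certutil -pulse | Out-Null
    exit 1
}

$best     = $candidates | Select-Object -First 1
$daysLeft = [int]($best.NotAfter - (Get-Date)).TotalDays
Write-Output ("{0}: {1} expires {2:yyyy-MM-dd} ({3} days left)" -f $StoreLocation, $best.Subject, $best.NotAfter, $daysLeft)

if ($daysLeft -le $RenewWithinDays) {
    Write-Warning "Certificate is within $RenewWithinDays days of expiry; triggering auto-enrollment renewal."
    certutil -pulse | Out-Null
}
```

Running this as a scheduled task or a GPO logon script gives a quick day-0 check that the endpoint actually received the certificates before it is moved onto an EAP-TLS-only port; the `-StoreLocation CurrentUser` form covers the user certificate the original question asks about.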
06-15-2020 07:21 AM
06-15-2020 08:21 PM
There are various caveats around PC build/onboarding in a NAC environment. The easiest solution by far would be to have a separate staging environment. See the posts below discussing related topics around this.
PC Imaging on NAC secured ports
ISE Deployment EAP-TLS Machine or User Certificates Native Supplicant