We are going to implement a NAC project with multiple AD domains, for which we will authenticate machines and users with EAP-TLS.
Each domain will have its own CA.
The network will be an SD-Access network managed by a DNA Center.
We have made some tests with the different domains and things are working fine. We are able to assign the correct VNI / IP pool and SGT for each kind of endpoint/user.
But in our tests, endpoints are already provisioned with the required certificates (Root CA, machine certificate and user certificate), and the network adapter is also manually configured for EAP-TLS.
The question is, what is the best way to get an easy onboarding of the machine/user on day 0, when they connect to the network for the first time?
What about computer imaging? Will this include the user certificate?
We can think of a staging area where users can onboard or reinstall their computers, but we are looking for a more elegant solution.
Do you have some experience to share with this?
Actually, the question is for the Windows team person.
They have to create a group policy for the machine and user certificates to auto-enroll automatically.
Also, when a certificate is near expiry, they will need to auto-generate and issue a new certificate as well.
Thanks and Regards
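As an added example (not code from the thread, from Cisco, or from Microsoft), here is a PowerShell readiness check the Windows team could run on a freshly imaged machine, or push as a startup script, to verify that the auto-enrollment group policy described above has actually landed and that usable EAP-TLS identities exist. It assumes the machine and user certificates come from AD CS templates carrying the Client Authentication EKU, that the GPO writes the usual AEPolicy value 7 (enroll, plus renew/update/remove and template-update options), and a 30-day renewal warning window; all three are assumptions to adjust to the real templates.

```powershell
# Added example, not from the thread: day-0 EAP-TLS auto-enrollment readiness check.
# Assumptions (adjust to your templates): Client Authentication EKU on the machine/user
# templates, GPO writes AEPolicy = 7, and a 30-day window counts as "renew soon".

$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'
$ExpiryWarningDays = 30   # assumed threshold; align with the template's renewal period

function Get-AutoEnrollmentPolicy {
    # The auto-enrollment GPO ("Certificate Services Client - Auto-Enrollment") is stored as
    # the AEPolicy DWORD. 7 = enabled with both renewal/update options, 0x8000 = disabled,
    # missing key = GPO not applied yet (typical on a machine that has never hit the domain).
    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    }
    foreach ($scope in $paths.Keys) {
        $value = (Get-ItemProperty -Path $paths[$scope] -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        if ($null -eq $value)            { $state = 'NotConfigured' }
        elseif ($value -band 0x8000)     { $state = 'Disabled' }
        elseif ($value -eq 7)            { $state = 'EnabledWithRenewal' }
        else                             { $state = ('Enabled (0x{0:X})' -f $value) }
        [pscustomobject]@{ Scope = $scope; AEPolicy = $value; State = $state }
    }
}

function Get-EapTlsCertificateStatus {
    # EAP-TLS needs a cert with a private key and the Client Authentication EKU in the
    # machine store (machine auth) and in the user store (user auth). Report both.
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $store |
            Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) } |
            ForEach-Object {
                $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
                if ($daysLeft -le 0)                     { $status = 'Expired' }
                elseif ($daysLeft -le $ExpiryWarningDays) { $status = 'RenewSoon' }
                else                                     { $status = 'OK' }
                [pscustomobject]@{
                    Store    = $store
                    Subject  = $_.Subject
                    Issuer   = $_.Issuer
                    NotAfter = $_.NotAfter
                    DaysLeft = $daysLeft
                    Status   = $status
                }
            }
    }
}

function Invoke-AutoEnrollmentNow {
    # Trigger the built-in auto-enrollment scheduled tasks instead of waiting for the next
    # GPO refresh. SystemTask covers the machine store (needs elevation), UserTask the user.
    foreach ($task in 'SystemTask', 'UserTask') {
        Start-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName $task -ErrorAction Stop
    }
}

# Wired AutoConfig (dot3svc) must be running or an 802.1X wired profile never engages.
$dot3 = Get-Service -Name dot3svc
if ($dot3.Status -ne 'Running') {
    Write-Warning "Wired AutoConfig (dot3svc) is $($dot3.Status); 802.1X will not run on this port."
}

Get-AutoEnrollmentPolicy | Format-Table -AutoSize
$certs = Get-EapTlsCertificateStatus
$certs | Format-Table Store, Subject, DaysLeft, Status -AutoSize

# Day 0 (no usable cert yet) or a cert inside the warning window: pulse auto-enrollment.
# The policy's own renewal logic decides whether the CA actually issues a new certificate.
if (-not $certs -or ($certs.Status -contains 'RenewSoon') -or ($certs.Status -contains 'Expired')) {
    Invoke-AutoEnrollmentNow
}
```

Run it from an elevated session so the LocalMachine store and SystemTask are reachable. On a machine that has never been joined to the domain the first table shows NotConfigured for both scopes and the second is empty, which is exactly the day-0 gap the original question is about: the device has nothing to present for EAP-TLS until it has reached a domain controller and a CA, so a staging VLAN or a pre-auth path to those services has to exist before the 802.1X profile is enforced.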
There are various caveats around PC build/onboarding in a NAC environment. The easiest solution by far would be to have a separate staging environment. See the posts below discussing related topics around this.