How to add custom attributes to the Client Certificate during Onboard
We can use the Custom Fields setting on the Onboard provisioning web-login page to achieve this. This is useful when you use a guest account for Onboard and want to differentiate access based on the guest role (the guest role_id is not available in EAP-TLS Onboard authentication).
Any available field in ClearPass Guest can be added to the client certificate in this way and then referenced in enforcement profiles for differentiated access.
Navigate to ClearPass Guest --> Onboard --> Deployment and Provisioning Settings --> Web Login. Under Login Form there is an option named Custom Fields. Clicking inside it shows a drop-down list of all available fields. Select the fields you need and save the provisioning settings.
We can also create new fields in ClearPass Guest by navigating to ClearPass Guest --> Configuration --> Pages --> Fields --> Create new field. The new field then shows up in the Custom Fields drop-down in the Onboard provisioning settings. The field is then included in the client certificate as one of the values under the Subject Alternative Name AV pair.
For instance, I've created a field named 'Room Number' and included it in the custom fields in the provisioning settings.
The Onboard Login page will look like the one below:
Choose the appropriate value for the Room Name field during the provisioning process. The client certificate will then carry this value in one of the OIDs under Subject Alternative Name, as shown below.
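To confirm which OID and value actually landed in an issued certificate before writing policy against it, the Subject Alternative Name extension can be decoded directly. The following is an added example, not ClearPass code: it assumes the custom field is stored as an otherName entry with a string value, and the OID `1.2.3.4.5`, the e-mail address and the value `101` are constructed placeholders, so read the real OID from your own certificate.

```python
def tlv(tag, body):
    """Encode one DER element (short-form length, body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes to dotted form (first byte assumed single)."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def san_other_names(san_der):
    """Map OID -> string value for every otherName entry in a SAN."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE of GeneralName")
    found, pos = {}, 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                    # only [0] otherName is of interest
            continue
        t_oid, oid, nxt = read_tlv(body, 0)
        t_wrap, wrapped, _ = read_tlv(body, nxt)   # [0] EXPLICIT value
        t_val, value, _ = read_tlv(wrapped, 0)
        if t_oid == 0x06 and t_wrap == 0xA0 and t_val in (0x0C, 0x13, 0x16):
            found[decode_oid(oid)] = value.decode("utf-8")
    return found

# Constructed sample: rfc822Name plus an otherName with placeholder OID 1.2.3.4.5
SAMPLE_SAN = tlv(0x30, tlv(0x81, b"guest@example.com") + tlv(
    0xA0, tlv(0x06, bytes([0x2A, 3, 4, 5])) + tlv(0xA0, tlv(0x0C, b"101"))))
```

`san_other_names(SAMPLE_SAN)` returns `{"1.2.3.4.5": "101"}`; an empty result for a freshly onboarded device means the custom field did not reach the certificate, so any rule keyed on it would never match.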
We can then create an enforcement profile to restrict access, as shown below: