Introduction- Starting from 6.4 we have an option to send expiry notification for Onboarded users beginning from 4 weeks prior to expiry. That would need the Email attribute to be included within the certificate. This article helps us configure our Onboard authorization service to include the email address within the client certificate for AD and Guest Users.
Environment- This configuration has been tested and found to be working in ClearPass version 6.4.3
Configuration Steps- To start with, the setting that you need to enable for sending notification to Onboarded users before certificate expiry is under Onboard>>Provisioning Settings>>General.
When we go through the Service templates and create a service for Onboard it creates two services of type application along with the dot1x service one for Pre-Auth and the other for Onboard Authorizaation. The changes that we are going to do would be on the Onboard Authorization service. We are going to cover the config steps to include email in the certificate for both AD and Guest Users
For AD Users
When you configure an AD auth source the Email attribute is fetched as part of the default attributes
We need to make use of this attribute and return it while authorizing an AD user. We need to configure an enforcement profile for that.
In this case the name of the AD auth source is "Lab AD" you can replace that with the name of the AD source configured.
We can return this as an enforcement profile in our Onboard Authorization service for all users who have an email attribute attached to their AD account. Make sure you add the AD as an authorization source
Once we configure this the email address of the user would be returned as an attribute for the authorization request
This would result in the email address being included in the certificate and the expiry notification would be delivered to the user.
Guest Users
We would not fetch the Email attribute automatically as a part of authorization attributes for Guests, we need to put in a custom SQL query which helps us fetch their email as a part of Guest authorization.
In Guest User Repository we need to add an additional filter that fetches the email for us.
Put in this SQL Query in the Filter Query Column
select t2.tag_value AS GuestUser_Email
FROM tips_guest_users g
LEFT JOIN tips_guest_user_tag_mappings t1 ON (g.id = t1.instance_id)
LEFT JOIN tips_tag_values t2 ON (t1.tag_value_id = t2.id)
WHERE (g.guest_type = 'USER')
AND (g.user_id = '%{Authentication:Username}')
AND (t2.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'Email' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'GuestUser')));
Now that we configured this filter we could start using Guest-User-Email as an authorization attribute and write its value to the cert.
We need to create an enforcement profile similar to what we did for AD Users on Guest Users also.
and enforce that for all Guest Users with an email address
Once we do that we should be able to observe the email address being returned even for Guest Users during Onboard authorization.
and us returning the email to write it on to the certificate
Similar to AD Users, certificates created from Guest Accounts would also have their certificate hardcoded with the email address
Verification- We can verify the above setup by following the above configuration steps and Onboard with an AD account and Guest account and in both cases we should see the certificate containing the email address.