Introduction : This article describes how to check whether the Common Name (CN) in a user's submitted certificate is valid on the AAA server when EAP termination is enabled on the controller.
Feature Notes : This document was written and tested on AOS 6.4.0.
Environment : EAP-TLS authentication - the client has a certificate issued to it - EAP termination on the controller - CPPM as the RADIUS server.
Network Topology :
Configuration Steps :
In the Dot1x profile, ensure that termination is enabled and EAP-TLS is selected. The server certificate and CA certificate must be uploaded and mapped.
Ensure that the option "Check Certificate Common name against AAA server" is selected.
Enabling "check certificate common name against AAA server" will trigger a validation against the configured AAA server.
In the auth-tracebuf output, you should see that the controller is validating the user's CN against the RADIUS server.
The authentication process can also be checked in "show log security".
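The CLI equivalent of the steps above, as an added example that is not part of the original article. The profile name and certificate names are placeholders, and the commands assume the ArubaOS 6.x dot1x profile syntax.

```text
! Added example. Placeholders: profile "dot1x-eap-tls", certificates
! "controller-server-cert" and "client-issuing-ca" (both already uploaded).
aaa authentication dot1x "dot1x-eap-tls"
   ! Terminate EAP on the controller and restrict it to EAP-TLS
   termination enable
   termination eap-type eap-tls
   ! Certificate the controller presents, and the CA that issued client certs
   server-cert "controller-server-cert"
   ca-cert "client-issuing-ca"
   ! "Check Certificate Common name against AAA server"
   cert-cn-lookup
!
! Verification after a client attempts to connect:
show auth-tracebuf
show log security all
```

The CN lookup is sent to the server group of the AAA profile that references this dot1x profile, so that group must contain the CPPM server.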