Introduction : This article describes how to check whether the Common Name (CN) in a user's submitted certificate is valid on the AAA server when EAP termination is on the controller.
Feature Notes : This document was written and tested against AOS 6.4.0.
Environment : EAP-TLS authentication - Client has a certificate issued to it - EAP termination on the controller - CPPM as the RADIUS server.
Network Topology :
Configuration Steps :
In the Dot1x profile, ensure that termination is enabled and EAP-TLS is selected. The server certificate and CA certificate must be uploaded and mapped.
Ensure that the option "Check Certificate Common name against AAA server" is selected.
Answer:
Enabling "Check Certificate Common name against AAA server" triggers a validation of the certificate's common name against the configured AAA server.
Verification :
In the auth-tracebuf output, you should be able to see the controller validating the user's CN against the RADIUS server.
Troubleshooting :
The authentication process can be checked in the output of "show log security".
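The configuration and checks above expressed as controller CLI, added here as an example and not taken from the original article. The profile and certificate names are hypothetical placeholders, and `cert-cn-lookup` is the CLI form of the "Check Certificate Common name against AAA server" option.

```text
! Hypothetical names: dot1x-tls-term (profile), ctrl-server-cert, corp-root-ca
aaa authentication dot1x "dot1x-tls-term"
   ! Terminate EAP on the controller and restrict it to EAP-TLS
   termination enable
   termination eap-type eap-tls
   ! Certificates previously uploaded to the controller
   server-cert "ctrl-server-cert"
   ca-cert "corp-root-ca"
   ! Look up the client certificate CN on the configured AAA server
   cert-cn-lookup
!
! Confirm the profile settings
show aaa authentication dot1x "dot1x-tls-term"
! Verification: watch a client authenticate and the CN lookup go to RADIUS
show auth-tracebuf
! Troubleshooting: review the authentication process
show log security
```

Without `cert-cn-lookup`, a terminated EAP-TLS session is accepted on certificate validity alone, so a client whose account has been removed from the AAA server can still authenticate until its certificate expires or is revoked.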