Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x and Windows CA question

  • 1.  802.1x and Windows CA question

    Posted Jun 19, 2014 05:32 AM

    Hello,

    I have a working setup with Aruba controller and clearpass 802.1x and EAP-TLS.

    Now I say working, with modifications. 

    The client has gone ahead and changed the UPN field in AD to the user's email address, and therefore the generated user certificates fail authentication against AD because they use the email address as the username. AD can't find the account.

    There are some ways around using user certificates, like Clearpass as Int CA, machine only authentication and so on.

    However, I wondered if anyone has any experience of trying to use the sAMAccountName as the subject name?

    Either in the template directly, or as an interaction between the "provided in the request" option in the certificate template and Group Policy.



  • 2.  RE: 802.1x and Windows CA question

    EMPLOYEE
    Posted Jun 19, 2014 07:01 AM
    Did you try stripping the domain in your service under the authentication tab?


  • 3.  RE: 802.1x and Windows CA question

    Posted Jun 19, 2014 07:29 AM

    Hello,

    Yeah, I tried that, but it does no good.

    Example. We have a user named John Smith, and AD domain is Contoso. His account name would be something like Contoso\josm.

    At the same time his email address is John.Smith@contoso.com.

    Normally the UPN in AD would be josm (the account name); now they have changed it to the email address john.smith@contoso.com.

    The issued user certificate now has the subject alternative name john.smith@contoso.com, and this is the username I see the computer trying to authenticate with through EAP-TLS. Now I can strip the domain and be left with john.smith, but AD still doesn't know any account named john.smith; it knows about josm, or contoso\josm.

    To me it looks like a bad idea to change the UPN, since any solution using certificates for user authentication towards AD would face the same issue, unless there is a way to use the sAMAccountName as the SAN field through the certificate template.



  • 4.  RE: 802.1x and Windows CA question
    Best Answer

    Posted Jul 03, 2014 07:18 AM

    To answer myself on this and possibly help others, I found a solution in this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-AD-Authentication-Through-Multiple-Domains/m-p/53480/highlight/true#M4294

    I added the AD as an authentication source 2 times into ClearPass; one does authentication based on the sAMAccountName as per default, and the second one uses the userPrincipalName as the username by modifying the Filter attribute.

    Now I can just add both authentication sources to the service, and if the user is not found in the first one, it tries the next source, and that way I can use either the SAM or the UPN.
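As an added illustration (not ClearPass code and not the poster's configuration), the following models the two-source fallback from the accepted answer: the identity taken from the EAP-TLS certificate is substituted into each source's filter in turn, first matching on sAMAccountName, then on userPrincipalName. The filter shapes and the Contoso directory entries are assumptions constructed for this example; check the actual default filter in your own ClearPass install.

```python
import re

# Filter templates as an AD authentication source would hold them.
# %{Authentication:Username} is the identity extracted from the certificate.
# Source 1 is the assumed default shape; source 2 is the modified copy from the answer.
SOURCE_FILTERS = {
    "AD-sAMAccountName": "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))",
    "AD-userPrincipalName": "(&(userPrincipalName=%{Authentication:Username})(objectClass=user))",
}

# Constructed directory standing in for the thread's Contoso example.
DIRECTORY = [
    {"sAMAccountName": "josm", "userPrincipalName": "john.smith@contoso.com", "objectClass": "user"},
    {"sAMAccountName": "svc-wlan", "userPrincipalName": "svc-wlan@contoso.com", "objectClass": "user"},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a certificate-supplied identity cannot change the filter's shape."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def render_filter(template: str, username: str) -> str:
    """Substitute the authenticating username into a source's filter template."""
    return template.replace("%{Authentication:Username}", ldap_escape(username))


_TERM = re.compile(r"\((\w+)=((?:[^()\\]|\\..)*)\)")


def unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes for comparison against directory values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(rendered: str, entry: dict) -> bool:
    """Evaluate the AND-of-equalities filter shape used above against one AD entry (AD compares case-insensitively)."""
    terms = _TERM.findall(rendered)
    return bool(terms) and all(entry.get(attr, "").lower() == unescape(val).lower() for attr, val in terms)


def authenticate(username: str, order=("AD-sAMAccountName", "AD-userPrincipalName")):
    """Try the sources in service order; return (source, entry) for the first hit, else (None, None)."""
    for source in order:
        rendered = render_filter(SOURCE_FILTERS[source], username)
        for entry in DIRECTORY:
            if matches(rendered, entry):
                return source, entry
    return None, None
```

Running it with "josm" resolves via the first source, "john.smith@contoso.com" falls through to the second, and the domain-stripped "john.smith" matches neither, which is the situation described in the thread.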