Contributor II
Posts: 53
Registered: ‎10-01-2013

802.1x and Windows CA question

Hello,

I have a working setup with Aruba controller and clearpass 802.1x and EAP-TLS.

Now I say working, with modifications. 

The client has gone ahead and changed the UPN field in AD to the user's email address, and therefore the generated user certificates fail authentication against AD because it uses the email address as the username. AD can't find the account.

There are some ways around using user certificates, like Clearpass as Int CA, machine only authentication and so on.

However, I wondered if anyone has any experience of trying to use the sAMAccountName as the subject name?

Either in the template directly, or as an interaction between the "supplied in the request" option in the certificate template and Group Policy.

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: 802.1x and Windows CA question

Did you try stripping the domain in your service under the authentication tab?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: 802.1x and Windows CA question

Hello,

Yes, I tried that, but it does no good.

Example. We have a user named John Smith, and AD domain is Contoso. His account name would be something like Contoso\josm.

At the same time his email address is John.Smith@contoso.com.

Normally the UPN in AD would be josm (the account name); now they have changed it to the email address john.smith@contoso.com.

The issued user certificate now has the alternative subject name john.smith@contoso.com, and this is the username I see the computer trying to authenticate with through EAP-TLS. Now I can strip the domain and be left with john.smith, but AD still doesn't know any account named john.smith; it knows about josm, or contoso\josm.

To me it looks like a bad idea to change the UPN, since any solution using certificates for user authentication towards AD would face the same issue. Unless there is a way to use the sAMAccountName as the SAN field through the certificate template.


Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: 802.1x and Windows CA question

To answer myself on this and possibly help others, I found a solution in this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-AD-Authentication-Through-Multiple-Domains/m-p/53480/highlight/true#M4294


I added the AD as an Authentication Source two times in ClearPass: one does authentication based on the sAMAccountName as per default, and the second one uses the userPrincipalName as the username by modifying the Filter attribute.

Now I can just add both authentication sources to the service, and if the user is not found in the first one, it tries the next source, and that way I can use both SAM or UPN.
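The following is an added worked example, not code from the poster or from Aruba, that models the two-source lookup described in the post: the EAP-TLS identity taken from the certificate SAN is tried first against a sAMAccountName filter and then against a userPrincipalName filter, with and without domain stripping. The two filter strings are assumptions modelled on ClearPass's AD authentication source (the default is assumed to key on sAMAccountName, the second is the post's modification keyed on userPrincipalName), the directory entries are constructed sample data, and the tiny filter evaluator only understands AND-of-equality filters with `*` wildcards. It also shows why the identity pulled from the certificate must be RFC 4515 escaped before it is substituted into the filter, and why a lookup that returns more than one entry must be rejected rather than taken as a match.

```python
import re

# Constructed sample directory (not real data) with the AD attributes the
# two ClearPass authentication sources would query.
DIRECTORY = [
    {"sAMAccountName": "josm", "userPrincipalName": "john.smith@contoso.com", "objectClass": "user"},
    {"sAMAccountName": "jado", "userPrincipalName": "jado@contoso.com", "objectClass": "user"},
]

# Assumed filter templates (not taken from ClearPass documentation):
# source 1 keys on sAMAccountName, source 2 on userPrincipalName.
SAM_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
UPN_FILTER = "(&(userPrincipalName=%{Authentication:Username})(objectClass=user))"
PLACEHOLDER = "%{Authentication:Username}"


def ldap_escape(value):
    """RFC 4515 escaping: *, (, ), \\ and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_unescape(value):
    """Reverse of ldap_escape, used by the toy evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def strip_domain(identity):
    """Emulates the 'strip domain' option: CONTOSO\\josm -> josm, a@b.c -> a."""
    if "\\" in identity:
        return identity.rsplit("\\", 1)[1]
    if "@" in identity:
        return identity.split("@", 1)[0]
    return identity


def render_filter(template, username, escape=True):
    """Substitute the username into the filter, escaped unless told otherwise."""
    return template.replace(PLACEHOLDER, ldap_escape(username) if escape else username)


def _value_matches(raw_pattern, actual):
    # A raw '*' in the rendered filter is an LDAP wildcard; an escaped '\2a'
    # is a literal asterisk. Attribute comparison is case-insensitive, as in AD.
    regex = ".*".join(re.escape(ldap_unescape(p)) for p in raw_pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def search(directory, ldap_filter):
    """Toy evaluator: handles (&(attr=val)(attr=val)...) only."""
    pairs = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return [e for e in directory
            if all(_value_matches(val, e.get(attr, "")) for attr, val in pairs)]


def authenticate(identity, strip=False, sources=(SAM_FILTER, UPN_FILTER)):
    """Try each authentication source in order, as the ClearPass service does.

    Returns (sAMAccountName, filter_template) for exactly one hit, or
    (None, None) if no source finds the user or a source returns an
    ambiguous (multi-entry) result.
    """
    username = strip_domain(identity) if strip else identity
    for template in sources:
        hits = search(DIRECTORY, render_filter(template, username))
        if len(hits) == 1:
            return hits[0]["sAMAccountName"], template
        if len(hits) > 1:
            return None, None  # ambiguous match is a failure, not a login
    return None, None


if __name__ == "__main__":
    # The case from the thread: SAN is the e-mail-style UPN, domain stripping
    # leaves 'john.smith', which matches neither attribute.
    print(authenticate("john.smith@contoso.com", strip=True))   # (None, None)
    # Without stripping, the second (UPN) source finds the account.
    print(authenticate("john.smith@contoso.com"))               # ('josm', UPN_FILTER)
    # Accounts whose UPN prefix equals the sAMAccountName still work either way.
    print(authenticate("jado@contoso.com", strip=True))         # ('jado', SAM_FILTER)
    # An unescaped identity of '*' would turn the filter into a match-all.
    print(len(search(DIRECTORY, render_filter(SAM_FILTER, "*", escape=False))))  # 2
    print(len(search(DIRECTORY, render_filter(SAM_FILTER, "*"))))                # 0
```

Two practical points follow from running this: keep the domain-strip option off for the UPN-keyed source (stripping turns `john.smith@contoso.com` into a name AD has never heard of), and make sure whatever substitutes the certificate identity into the filter escapes it, since a SAN value containing `*` or `(` otherwise changes the filter's meaning.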
