06-19-2014 02:32 AM
I have a working setup with an Aruba controller and ClearPass, 802.1X and EAP-TLS.
Now I say working, with modifications.
The client has gone ahead and changed the UPN field in AD to the user's email address, and therefore the generated user certificates fail authentication against AD, because it uses the email address as the username. AD can't find the account.
There are some ways around using user certificates, like Clearpass as Int CA, machine only authentication and so on.
However, I wondered if anyone has any experience of trying to use the sAMAccountName as the subject name?
Either in the template directly, or as an interaction between the "provided in the request" option in the certificate template and Group Policy.
06-19-2014 04:29 AM
yea I tried that, but it does no good.
Example. We have a user named John Smith, and AD domain is Contoso. His account name would be something like Contoso\josm.
At the same time his email address is John.Smith@contoso.com.
Normally the UPN in AD would be josm (account name), now they have changed it to email address firstname.lastname@example.org
The issued user certificate now has the alternative subject name email@example.com, and this will be the username I see the computer tries to authenticate with through EAP-TLS. Now I can strip the domain and be left with john.smith, but AD still doesn't know any account named john.smith; it knows about josm, or contoso\josm.
To me it looks like a bad idea to change the UPN, since any solution using certificates for user authentication towards AD would face the same issue. Unless there is a way to use the sAMAccountName as the SAN field through the certificate template.
07-03-2014 04:18 AM
To answer myself on this and possibly help others, I found a solution in this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-AD-Authentication-Through-Multiple-Domains/m-p/53480/highlight/true#M4294
I added the AD as an authentication source two times into ClearPass; one does authentication based on the sAMAccountName as per default, and the second one uses the userPrincipalName as the username by modifying the Filter attribute.
Now I can just add both authentication sources to the service, and if the user is not found in the first one, it tries the next source, and that way I can use both SAM or UPN.
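Added example (not code from the thread, ClearPass or Aruba): a small Python model of the two-source fall-through described in the solution above. It takes the identity that arrives from the EAP-TLS certificate (a `DOMAIN\user`, a `user@realm` UPN, or a bare name), builds the two LDAP filters the two authentication sources would send to AD (sAMAccountName on the short name, userPrincipalName on the full name), and tries them in that order against a constructed in-memory directory. The directory contents, the account names and the `split_identity`/`authenticate` helpers are all assumptions made for the example; the RFC 4515 escaping is there because a certificate-supplied identity is attacker-influenced input and must not be able to change the shape of the filter it is substituted into.

```python
# Added example: sAMAccountName-then-userPrincipalName lookup for an
# EAP-TLS identity, with the LDAP filters each source would issue.
# Everything below is constructed sample data, not a real AD.

# Constructed stand-in for the AD user objects the two lookups would hit.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "josm", "userPrincipalName": "john.smith@contoso.com",
     "objectClass": "user"},
    {"sAMAccountName": "jado", "userPrincipalName": "jado@contoso.com",
     "objectClass": "user"},
]

# RFC 4515 assertion-value escapes: these characters would otherwise let an
# identity string terminate or extend the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value before it is substituted into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_identity(identity: str):
    """Return (short_name, full_identity) for DOMAIN\\user, user@realm or bare user.

    The short name is what the sAMAccountName source searches on; the full
    identity is what the userPrincipalName source searches on.
    """
    if "\\" in identity:
        short = identity.rsplit("\\", 1)[1]
    elif "@" in identity:
        short = identity.split("@", 1)[0]
    else:
        short = identity
    return short, identity


def sam_filter(identity: str) -> str:
    """Filter for source 1: match the short name against sAMAccountName."""
    short, _ = split_identity(identity)
    return f"(&(sAMAccountName={ldap_escape(short)})(objectClass=user))"


def upn_filter(identity: str) -> str:
    """Filter for source 2: match the full identity against userPrincipalName."""
    _, full = split_identity(identity)
    return f"(&(userPrincipalName={ldap_escape(full)})(objectClass=user))"


def lookup(attribute: str, value: str, directory=SAMPLE_DIRECTORY):
    """Stand-in for the LDAP search: exact, case-insensitive match on one attribute
    of a user object, which is what the filters above express."""
    for entry in directory:
        if entry.get("objectClass") != "user":
            continue
        if entry.get(attribute, "").lower() == value.lower():
            return entry
    return None


def authenticate(identity: str, directory=SAMPLE_DIRECTORY):
    """Try the sAMAccountName source first, then the userPrincipalName source.

    Returns (source_that_matched, account) or (None, None) when neither source
    knows the identity, mirroring the service-level fall-through in the thread.
    """
    short, full = split_identity(identity)
    account = lookup("sAMAccountName", short, directory)
    if account is not None:
        return "sAMAccountName", account
    account = lookup("userPrincipalName", full, directory)
    if account is not None:
        return "userPrincipalName", account
    return None, None


if __name__ == "__main__":
    for ident in ("CONTOSO\\josm", "john.smith@contoso.com", "nobody@contoso.com"):
        print(ident, "->", sam_filter(ident), "|", upn_filter(ident))
        print("   matched by:", authenticate(ident)[0])
```

The identity from the thread, `john.smith@contoso.com`, misses on source 1 (there is no account `john.smith`) and is found by source 2 on the UPN, while a legacy `CONTOSO\josm` identity is found by source 1 and never reaches source 2. In ClearPass the same two filters are expressed with the `%{Authentication:Username}` and `%{Authentication:Full-Username}` macros in each source's Filter attribute, which is the modification the post refers to; the escaping shown here is done by the server, and the example includes it so that a reader copying the pattern into their own RADIUS or NAC glue code does not build filters by raw string concatenation.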