Security

Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Any workaround for EAP-TLS forcing a username check against an auth source?

I am building an EAP-TLS service. I have done this many times before and normally check the CN in the certificate against another source such as Active Directory.

However in this project there will be potentially tens of different origins of valid certificates, and there is no single auth source to check them against. Moreover we don't actually want to check any client CNs at all - we only care about other attributes of the certificate which will be checked in the enforcement stage.

And we don't want to maintain any list of valid client CNs as there will be thousands and they are managed separately.

Bottom line, ClearPass requires we select an authentication source in the service definition. The certificate CN gets mapped to Authentication:Username and checked against this source. Is there a workaround where ClearPass can accept any CN without checking an auth source?



--
ACMA ACMP
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Any workaround for EAP-TLS forcing a username check against an auth source?

Create a custom auth method and disable comparison and authorization. Then just throw AD in there because you have to define a source.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
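The fix above is a ClearPass GUI setting, so there is no ClearPass code to show for it. As an added example that is not from the thread and not ClearPass or Aruba code, the POSIX shell script below uses openssl (assumed to be installed, 1.1.1 or 3.x) to reproduce the resulting policy on constructed certificates, with every CA and subject name made up for the demonstration: the client CN is never looked up against any source, while chain-of-trust to an allowed issuer and the clientAuth extended key usage are still enforced. That is the kind of "other attribute" check the original poster plans to do at the enforcement stage, and it is what a working EAP-TLS deployment still needs once the username comparison is switched off.

```shell
#!/bin/sh
# Added example (not from the thread, not Aruba/ClearPass code): emulate the
# policy "accept any CN, but enforce issuer trust and client-auth EKU" with
# openssl on constructed certificates. All CA and subject names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Quiet wrapper around openssl for building the certificate fixtures below.
q() { "$@" >/dev/null 2>&1; }

# A trusted issuing CA (standing in for one of the "tens of origins").
q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Issuing CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
# An unrelated CA whose certificates must be rejected.
q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/other.pem"

# issue NAME CA_BASENAME EKU: sign a leaf with an arbitrary CN and the given EKU.
issue() {
    name=$1; ca=$2; eku=$3
    q openssl req -newkey rsa:2048 -nodes -subj "/CN=any-cn-$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
    printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
    q openssl x509 -req -days 30 -in "$WORK/$name.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem"
}

issue client      ca    clientAuth   # valid EAP-TLS client certificate
issue server_only ca    serverAuth   # trusted issuer, wrong EKU
issue foreign     other clientAuth   # right EKU, untrusted issuer

# check_client_cert CERT CA_BUNDLE
# Returns 0 (accept) when CERT chains to CA_BUNDLE and is usable as a TLS
# client (EKU clientAuth), 1 otherwise. The CN is reported but never looked up.
check_client_cert() {
    cert=$1; bundle=$2
    subject=$(openssl x509 -noout -subject -in "$cert")
    issuer=$(openssl x509 -noout -issuer -in "$cert")
    if openssl verify -CAfile "$bundle" -purpose sslclient "$cert" >/dev/null 2>&1; then
        echo "accept: $subject ($issuer)"
        return 0
    fi
    echo "reject: $subject ($issuer)"
    return 1
}

# Stand-alone demonstration: only the first leaf is accepted.
for leaf in client server_only foreign; do
    check_client_cert "$WORK/$leaf.pem" "$WORK/ca.pem" || :
done
```

The CA_BUNDLE argument is where the "tens of origins" go: concatenate the PEM of every issuing CA you trust into one file and the check stays the same, with no per-client list anywhere. In ClearPass the equivalent is the trust list on the EAP-TLS method plus enforcement rules on Certificate attributes such as issuer; the script only shows which properties still have to be checked once the CN comparison is disabled.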
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Any workaround for EAP-TLS forcing a username check against an auth source?

Perfect. I added Local User Repository which is empty and works fine.


I almost looked up what that checkbox did, but the term authorization threw me - not quite the correct term to use there. 


thanks Cappalli


--
ACMA ACMP