Regular Contributor I

Authorising devices with ":n:Onboarddevice" username

Have just implemented an Onboard solution, but we've now lost the ability to put users into roles based on their AD username, since the Android network settings replace this with ":n:Onboarddevice".

I notice that the common name on each user's cert is still their AD username. Is it possible to use this attribute of the certificate in an enforcement policy using AD authorization?


--
ACMA ACMP

Re: Authorising devices with ":n:Onboarddevice" username

You should be able to.  Are you using TLS for Onboard?  If so, then the username within the TLS cert is preserved and then used for AD authorization.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite

Re: Authorising devices with ":n:Onboarddevice" username

The identity is still passed as the user's username. The certificate is simply their secured password. Do you have AD as an authorization source in your EAP-TLS service?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Authorising devices with ":n:Onboarddevice" username

So this mainly affects Android, which still uses PEAP after onboarding.

Our iOS devices still have the correct username, but definitely the outer identity is being replaced with ":n:Onboarddevice" for all Android certs, where 'n' is the serial number of the certificate being created by Onboard.

How can I access the common name attribute in the cert? It's not present under the Onboard devices repo.

edit: screenshot for proof :)


--
ACMA ACMP

Re: Authorising devices with ":n:Onboarddevice" username

Can you please try to use TLS for the Android devices as well?  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite

Re: Authorising devices with ":n:Onboarddevice" username

What version are you running?

Android should be using TLS as well.

The certificate information is available under the "Certificate" source.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Authorising devices with ":n:Onboarddevice" username

OK, thought it was just a limitation. Will try changing to TLS in the network protocol settings.

This customer is running latest 6.3.4.

cheers


--
ACMA ACMP
Regular Contributor I

Re: Authorising devices with ":n:Onboarddevice" username

It worked, kudos to you both.

Probably the default settings for Android (and Windows?) should be updated to TLS.


--
ACMA ACMP
Aruba

Re: Authorising devices with ":n:Onboarddevice" username

As of 6.4, all the defaults for network settings are TLS.

 


Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.