Occasional Contributor II
Posts: 41
Registered: ‎12-09-2016

EAP-TLS Authorization Required

I've been looking through the forums and from what I can understand, the "Authorization Required" option in the "Edit Authentication Method" box is to compare the Username in the certificate against AD. Is this correct?  Does this add additional security? What is a good use case for this?


Also, I've tried to enable it and when I do, I get an error in the logs saying that the user can't be found. When I uncheck/disable it, it authenticates just fine. Trying to figure out what might be the issue.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: EAP-TLS Authorization Required

EAP-TLS essentially has its own authorization as part of the authentication phase, then it moves on to traditional authorization. If you’re receiving an error, it’s likely that you need to compare a different field or username format.

Please post screenshots of the alert and summary tabs from access tracker.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 41
Registered: ‎12-09-2016

Re: EAP-TLS Authorization Required

Thanks Tim for the info.


Please see the errors/logs attached.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: EAP-TLS Authorization Required

Is your AD auth source configured for both sAMAccountName and userPrincipalName?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 41
Registered: ‎12-09-2016

Re: EAP-TLS Authorization Required

It looks to be just sAMAccountName. But I don't know much about setting up attributes. I've attached what I believe you are asking for. If I need to add userPrincipalName, is this done in the "Filter Query" under the Filter Name...which we have labeled "Authentication"? And is it either or? Or both? ...like both sAMAccountName and userPrincipalName? Thanks!

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: EAP-TLS Authorization Required

First confirm in AD that the username presented is indeed the user's UPN.


If you want to support both username formats, replace your Authentication filter query with:

(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

Ideally, you should choose one username format from a user experience standpoint. Fully qualified username (UPN) is always my recommendation these days.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 18
Registered: ‎04-28-2009

Re: EAP-TLS Authorization Required

If you have enabled Username strip in the 802.1x service, please disable and try EAP TLS authentication with authorization enabled. Also, please make sure that you have added the correct AD authentication source in the 802.1x service.

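The two posts above (Tim's combined sAMAccountName/userPrincipalName filter, and the note about username stripping in the 802.1X service) are easier to reason about with a small model of what the authorization lookup does. The block below is an added example written for this thread, not ClearPass code and not Aruba's: it substitutes the presented username into the filter, escapes it per RFC 4515 so a username pulled from a certificate cannot change the filter's structure, parses the `(&...)`/`(|...)`/`(attr=value)` subset of LDAP filter syntax, and evaluates it against a constructed stand-in directory. The `DIRECTORY` entries, the `corp.example` domain and the `strip_domain` flag (a simplified stand-in for the service's username-strip behaviour) are assumptions for illustration.

```python
"""Tiny LDAP-filter evaluator (RFC 4515 subset) showing why the AD lookup
behind 'Authorization Required' finds or fails to find the user depending on
which attribute the filter compares and which username format the EAP-TLS
certificate presents.  Constructed example, not ClearPass code."""
import re

# Constructed stand-in for a few AD objects (assumption: single-valued
# string attributes; real AD objects carry many more attributes).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "objectClass": "user"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example",
     "objectClass": "user"},
    {"sAMAccountName": "printer01", "objectClass": "computer"},
]

# The filter the original poster had, and the combined one from the thread.
SAM_ONLY = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
SAM_OR_UPN = ("(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
              "(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))")


def escape_filter_value(value):
    """RFC 4515 escaping: a username must never alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse into ('=', attr, value), ('&', [nodes]), ('|', [nodes]) or ('!', node)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        # Simple equality item; escaped values contain no raw ')'.
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, unescape_filter_value(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(node, entry):
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        # These AD attributes compare case-insensitively.
        return attr in entry and entry[attr].lower() == value.lower()
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1], entry)


def authorize(filter_template, username, strip_domain=False):
    """Return the directory entries the auth-source filter would match for the
    username presented by the certificate.  strip_domain mimics a username-strip
    step ('user@realm' or 'DOMAIN\\user' -> 'user') applied before the lookup."""
    if strip_domain:
        username = username.split("@", 1)[0].split("\\")[-1]
    text = filter_template.replace("%{Authentication:Username}",
                                   escape_filter_value(username))
    tree = parse_filter(text)
    return [e for e in DIRECTORY if matches(tree, e)]


if __name__ == "__main__":
    for user in ("jdoe", "jdoe@corp.example", "jdoe)(objectClass=*"):
        for label, tmpl in (("sAMAccountName only", SAM_ONLY),
                            ("sAMAccountName or UPN", SAM_OR_UPN)):
            hits = [e["sAMAccountName"] for e in authorize(tmpl, user)]
            print("%-22s %-22s -> %s" % (user, label, hits or "user not found"))
```

Running it shows the failure from the first post: a certificate that presents `jdoe@corp.example` gets "user not found" with the sAMAccountName-only filter and is found once the UPN clause is added, while a plain `jdoe` is found by both. The third username demonstrates why the substituted value is escaped before the filter is built: without escaping, a crafted identity could close the `(sAMAccountName=...)` item early and inject its own clause.
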
Occasional Contributor II
Posts: 41
Registered: ‎12-09-2016

Re: EAP-TLS Authorization Required

This worked! Thanks for the help! 
