Contributor I

EAP-TLS policy enforcement - what to check for?

We're deploying a wired EAP-TLS implementation that will use machine auth only.  So far the idea is to check for three things about the client certificate before granting access to a machine:

1. Must be issued by our ADCS

2. Must not be expired

3. Must not be revoked

From the documentation, it seems we have to set up an OCSP responder to verify #3.  Since we're not using user auth, we have deselected "Authorization Required" in the Authentication Method.

To check for #2, in the enforcement policy, I have something like "Certificate:Not-Valid-After  GREATER_THAN  2018-06-05 11:51:12", but that uses a fixed date!  How do we check if the certificate has expired?

Also, I'm looking for more info about the 'certificate comparison' feature in the auth method.  What does this do?

Any suggestions on more details to check besides the 3 listed?

Thanks in advance!

Contributor I

Re: EAP-TLS policy enforcement - what to check for?

Hmmm... perhaps I asked too many questions at once.  Any feedback on any part of this question would be thoroughly appreciated.

Guru Elite

Re: EAP-TLS policy enforcement - what to check for?

1) This can be done in policy by checking the Issuer CN or DN

2) This is automatically checked. An expired certificate will fail

3) CRL can also be used and is enabled by default in ADCS environments


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
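Added example (not from the thread and not ClearPass code): the three conditions above applied offline in Python with the `cryptography` library against a constructed test PKI. The expiry check compares against the current time rather than a fixed date (the original question), and "issued by our ADCS" is enforced by verifying the signature with the CA key rather than only matching the Issuer DN, which is the check the EAP-TLS handshake itself performs before any enforcement policy runs. The CA name, hostnames, serial numbers and CRL contents are all constructed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.utcnow()
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _make_cert(subject, issuer, signing_key, public_key, serial, start, end):
    """Build a test certificate (constructed data, not issued by a real ADCS)."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(serial)
            .not_valid_before(start).not_valid_after(end)
            .sign(signing_key, hashes.SHA256()))

def check_client_cert(cert, ca_cert, revoked_serials, now=None):
    """Apply the thread's three conditions; returns (accepted, reason)."""
    now = now or datetime.datetime.utcnow()
    # 1. Issued by our CA: the Issuer DN must match AND the signature must verify
    #    with the CA key, so a cert that merely copies the Issuer DN is rejected.
    if cert.issuer != ca_cert.subject:
        return False, "issuer DN is not our CA"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature not made by our CA key"
    # 2. Not expired: compare against the current time, never a fixed date.
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False, "outside validity period"
    # 3. Not revoked: serial must not be on the CA's CRL (or OCSP must say good).
    if cert.serial_number in revoked_serials:
        return False, "serial is revoked"
    return True, "accepted"

# Constructed test PKI: our CA, a rogue key that reuses our CA's name, one PC key.
CA_KEY, ROGUE_KEY, PC_KEY = (rsa.generate_private_key(65537, 2048) for _ in range(3))
CA_NAME, PC = _name("CORP-ISSUING-CA"), PC_KEY.public_key()
CA_CERT = _make_cert(CA_NAME, CA_NAME, CA_KEY, CA_KEY.public_key(), 1, NOW - DAY, NOW + 3650 * DAY)
GOOD = _make_cert(_name("pc01.corp.example"), CA_NAME, CA_KEY, PC, 1001, NOW - DAY, NOW + 365 * DAY)
EXPIRED = _make_cert(_name("pc02.corp.example"), CA_NAME, CA_KEY, PC, 1002, NOW - 400 * DAY, NOW - DAY)
REVOKED = _make_cert(_name("pc03.corp.example"), CA_NAME, CA_KEY, PC, 1003, NOW - DAY, NOW + 365 * DAY)
FORGED = _make_cert(_name("pc04.corp.example"), CA_NAME, ROGUE_KEY, PC, 1004, NOW - DAY, NOW + 365 * DAY)
CRL_SERIALS = {1003}  # serials listed on our CA's CRL (constructed)
```

Run `check_client_cert(cert, CA_CERT, CRL_SERIALS)` on each of the four constructed certificates to see which condition rejects it; only `GOOD` is accepted.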
Contributor I

Re: EAP-TLS policy enforcement - what to check for?

That's great.  Thanks again Tim!
