Occasional Contributor II
Posts: 16
Registered: ‎05-15-2014

Easier way to reference CA Certificates?

AirHeads:

I'm attempting to migrate our FreeRadius implementation to ClearPass - and while I have something working ... it's rather embarrassingly messy.

For example: in my main role map, I'm checking that the Certificate:Issuer-CN EQUALS "/CN=WPI NetOps Wireless CA...." using the full Certificate Path as the string match.  As I said it works, but I have these huge long strings which are subject to typos not easily discovered.  It gets worse when you want to add in both your production CA and test CA in the same BELONGS_TO in order to make sure either certificate gives the same results.

This seems rather silly, as I've already been able to upload the CA Certificate to the ClearPass appliance.  Is there any way to reference the CA I've uploaded rather than typing in the full certificate path?  Perhaps some shiny, happy click of a few checkboxes?

Thanks!

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Easier way to reference CA Certificates?

When used in a role map, that's likely the only way to get an exact match.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: ‎05-15-2014

Re: Easier way to reference CA Certificates?

Do I sense an RFE in the future for this particular UI challenge?

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Easier way to reference CA Certificates?

What would you be looking to key off of instead?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: ‎05-15-2014

Re: Easier way to reference CA Certificates?

In this particular case, it would be nice to simply be able to select from the CA Certificates already uploaded to CPPM to match against.  If you would like an example UI, create a Role Mapping rule for Authorization:Sources MATCHES_ANY.  That gives you a list of all the Auth Sources and the ability to simply select those you want to match against.  However, since you are likely to have many more CA certificates than Auth Sources, some sort of check box rather than CTRL-Click might be appropriate.

I don't have a problem matching on the Certificate Path - it's just a little unwieldy and prone to typos that aren't easily caught that wouldn't happen in a different interface.

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute
Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Easier way to reference CA Certificates?

This would definitely be an RFE.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: ‎05-15-2014

Re: Easier way to reference CA Certificates?

And the email is off to my SE.  Thanks Tim!

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute