Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multiple Cert Validity Periods in OnBoard

  • 1.  Multiple Cert Validity Periods in OnBoard

    Posted May 13, 2014 10:00 AM

    Is there a recommended way to allow users to enroll for OnBoard certificates with different validity periods based on things like AD group membership?  For instance:

    GroupA = 1 year validity period
    GroupB = 2 year validity period

    Since the validity period is tied to the CA, I believe this would require multiple CAs in OnBoard, each with a unique device provisioning page.  Then a pre-auth service could use the "Page-Name" attribute along with user authorization info to control who is allowed to enroll for each CA.

    That makes sense to me, however I am scratching my head over OCSP validation in the EAP-TLS authentication method. Since you cannot have multiple EAP methods of the same type within a service, it does not seem possible to achieve this scenario over a single SSID.

    Has anyone else implemented this, or is it simply not possible with ClearPass today?



  • 2.  RE: Multiple Cert Validity Periods in OnBoard
    Best Answer

    EMPLOYEE
    Posted May 13, 2014 10:13 AM

    You can override the default certificate period by returning the radius attribute "Session-Timeout" in seconds based on when you want it to expire.

    So your enforcement profile would look like this for 1 day (86400 seconds):

    [screenshot: timeout.png]

    You would have a role for Group A and a role for Group B.  You would have an enforcement profile that sends back 31556926 as the session timeout (one year in seconds) and you would have a second enforcement profile built that sends back 63113851 as the session timeout.  Your enforcement POLICY would check to see if a user would have Group A's role or Group B's role, then return the enforcement policy that corresponds to each.

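An added check for the approach described in the answer above (example code written for this page, not from the thread and not HPE Aruba or ClearPass code): it reads notBefore/notAfter out of a DER-encoded client certificate that OnBoard issued and compares the lifetime with the Session-Timeout value the user's role should have received, so a certificate that silently kept the CA default (the symptom reported later in this thread) shows up as a mismatch rather than being noticed a year later. The role-to-seconds table uses the 31556926 / 63113851 values from the post; the DER reader is a minimal stdlib walk to tbsCertificate.validity that assumes the standard RFC 5280 field order; the sample certificates are constructed, unsigned placeholders produced by a small encoder in the block so that it runs offline. For production output, export a device certificate and pass its DER bytes (or PEM text via `pem_to_der`) to `check_cert_lifetime`.

```python
# Added example for this thread, not HPE Aruba / ClearPass code: verify that
# OnBoard-issued client certs carry the per-role lifetime set via Session-Timeout.
import base64
import datetime as dt

UTC = dt.timezone.utc

# Session-Timeout values from the thread, in seconds, keyed by ClearPass role.
ROLE_VALIDITY_SECONDS = {
    "GroupA": 31556926,  # one year
    "GroupB": 63113851,  # two years
}

# ---- minimal DER reader: just enough to reach tbsCertificate.validity ----
def _read_tlv(buf, pos):
    """Return (tag, contents, position after element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _expect_seq(tag, what):
    if tag != 0x30:
        raise ValueError("%s: expected SEQUENCE, got tag 0x%02x" % (what, tag))

def _parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ needs no fix-up
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    _expect_seq(tag, "Certificate")
    tag, tbs, _ = _read_tlv(cert, 0)
    _expect_seq(tag, "tbsCertificate")
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:  # [0] EXPLICIT version is optional (absent in v1 certs)
        pos = 0
    for _ in range(3):  # skip serialNumber, signature AlgorithmIdentifier, issuer
        _, _, pos = _read_tlv(tbs, pos)
    tag, validity, _ = _read_tlv(tbs, pos)
    _expect_seq(tag, "validity")
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return _parse_time(t1, nb), _parse_time(t2, na)

def pem_to_der(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def check_cert_lifetime(der, role, slack_seconds=0):
    """(ok, actual_seconds, expected_seconds); a cert that kept the CA default fails."""
    nb, na = cert_validity(der)
    actual = int((na - nb).total_seconds())
    expected = ROLE_VALIDITY_SECONDS[role]
    return abs(actual - expected) <= slack_seconds, actual, expected

# ---- constructed sample input: unsigned stand-ins built with a tiny DER encoder ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _utctime(t):
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_cert(not_before, not_after):
    """Placeholder certificate: only the fields cert_validity() walks are meaningful."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))  # version v3
           + _tlv(0x02, b"\x01")  # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _tlv(0x30, b"")  # issuer Name (empty placeholder)
           + _tlv(0x30, _utctime(not_before) + _utctime(not_after))  # validity
           + _tlv(0x30, b"")  # subject Name (placeholder)
           + _tlv(0x30, b""))  # subjectPublicKeyInfo (placeholder)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

ISSUED_AT = dt.datetime(2014, 5, 13, 10, 0, 0, tzinfo=UTC)
# Got the GroupA profile's Session-Timeout: lifetime is exactly 31556926 s.
SAMPLE_GROUP_A = build_sample_cert(ISSUED_AT, ISSUED_AT + dt.timedelta(seconds=31556926))
# Kept the CA default (365 days) even though the user's role was GroupB.
SAMPLE_DEFAULT = build_sample_cert(ISSUED_AT, ISSUED_AT + dt.timedelta(days=365))

if __name__ == "__main__":
    for der, role in ((SAMPLE_GROUP_A, "GroupA"), (SAMPLE_DEFAULT, "GroupB")):
        print(role, check_cert_lifetime(der, role))
```

`slack_seconds` is there in case the CA rounds notAfter to whole minutes; leave it at 0 first and only widen it once you know how OnBoard rounds, otherwise a 365-day default certificate for a one-year role (20926 seconds short) is easy to wave through by accident.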

  • 3.  RE: Multiple Cert Validity Periods in OnBoard

    Posted May 13, 2014 10:16 AM

    Thanks Colin! I am glad there is an easier way to accomplish this.



  • 4.  RE: Multiple Cert Validity Periods in OnBoard

    EMPLOYEE
    Posted May 13, 2014 10:36 AM

    xdrewpjx,

    Make sure that enforcement policy/profile is added to the Onboard Authorization service.

    In addition, you can also indicate how many devices a user is allowed to onboard by returning the Aruba-Mdps-Max-Devices attribute:

    [screenshot: max.png]



  • 5.  RE: Multiple Cert Validity Periods in OnBoard

    Posted May 13, 2014 12:58 PM

    Does this only work for RADIUS enforcement profiles?  I just tested this with an application enforcement profile and it did not appear to work.  I can see that the Session-Timeout attribute was applied in Access Tracker, however the certificate validity was not changed from the default.

    I am running CP version 6.3.2

    [screenshot: App-Enforcement-SessionTimeout.png]

    [screenshot: Access-Tracker-SessionTimeout.png]



  • 6.  RE: Multiple Cert Validity Periods in OnBoard

    EMPLOYEE
    Posted May 13, 2014 01:06 PM

    Please add the attributes exactly like my example.



  • 7.  RE: Multiple Cert Validity Periods in OnBoard

    Posted Oct 20, 2016 11:12 AM

    I may be resurrecting an old topic here, but how can we return RADIUS attributes if the Onboard authorization service is of type application? The only one that seems like it could be applied with RADIUS attributes is a RADIUS CoA enforcement profile. Is this what it should be rather than a profile of type RADIUS?



  • 8.  RE: Multiple Cert Validity Periods in OnBoard

    Posted Oct 20, 2016 03:03 PM

    Still doesn't make sense to me how we can change a certificate validity after the fact once the certificate is issued, hashed, and signed. 



  • 9.  RE: Multiple Cert Validity Periods in OnBoard

    EMPLOYEE
    Posted Oct 20, 2016 03:52 PM

    @OldGreg wrote:

    Still doesn't make sense to me how we can change a certificate validity after the fact once the certificate is issued, hashed, and signed. 

    You can use OCSP so that ClearPass will not allow a revoked certificate to authenticate successfully.  That option is in the EAP-TLS authentication method.



  • 10.  RE: Multiple Cert Validity Periods in OnBoard

    Posted Oct 20, 2016 03:55 PM

    Yeah, I get OCSP for keeping revoked clients off the network; I am talking about the original poster's question about the issuing process. We need a way to issue certificates with different validity periods from the same Onboard CA, and the answer was around a session timeout returned in a RADIUS attribute rather than a way to actually issue the certificate with the desired validity based on group/role/user or otherwise. Just trying to clarify if this is possible or if we're stuck with the default validity of the Onboard CA config.



  • 11.  RE: Multiple Cert Validity Periods in OnBoard

    EMPLOYEE
    Posted Oct 20, 2016 04:39 PM

    You cannot. It is only done during the Onboarding process.


  • 12.  RE: Multiple Cert Validity Periods in OnBoard

    Posted Oct 21, 2016 07:43 AM

    OK thanks Tim. I was pretty sure that was true. Not sure where the previous post was going. In the future I am hoping Aruba offers support for building out a Root plus multiple Intermediary CA hierarchy to support different settings per Int CA, whether it be for different requirements for different business units, groups of users, etc. Or at least give us the ability to provision different types of certificates from a single CA using more granular provisioning settings, sort of like having multiple cert templates within MS ADCS.



  • 13.  RE: Multiple Cert Validity Periods in OnBoard

    EMPLOYEE
    Posted Oct 21, 2016 09:05 AM

    Please submit an RFE.