Frequent Contributor I

Multiple Cert Validity Periods in OnBoard

Is there a recommended way to allow users to enroll for OnBoard certificates with different validity periods based on things like AD group membership? For instance:

GroupA = 1 year validity period

GroupB = 2 year validity period

Since the validity period is tied to the CA, I believe this would require multiple CAs in OnBoard, each with a unique device provisioning page. Then a pre-auth service could use the "Page-Name" attribute along with user authorization info to control who is allowed to enroll for each CA.

That makes sense to me, however I am scratching my head over OCSP validation in the EAP-TLS authentication method. Since you cannot have multiple EAP methods of the same type within a service, it does not seem possible to achieve this scenario over a single SSID.

 

Has anyone else implemented this, or is it simply not possible with ClearPass today?   

Guru Elite

Re: Multiple Cert Validity Periods in OnBoard

You can override the default certificate period by returning the RADIUS attribute "Session-Timeout" in seconds based on when you want it to expire.

So your enforcement profile would look like this for 1 day (86400 seconds):

[screenshot: timeout.png]

You would have a role for Group A and a role for Group B. You would have an enforcement profile that sends back 31556926 as the session timeout (one year in seconds) and you would have a second enforcement profile built that sends back 63113851 as the session timeout. Your enforcement POLICY would check to see if a user has Group A's role or Group B's role, then return the enforcement policy that corresponds to each.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: Multiple Cert Validity Periods in OnBoard

Thanks Colin! I am glad there is an easier way to accomplish this. 

 

Guru Elite

Re: Multiple Cert Validity Periods in OnBoard

xdrewpjx,

 

Make sure that enforcement policy/profile is added to the Onboard Authorization service.

In addition, you can also indicate how many devices a user is allowed to onboard by returning the Aruba-Mdps-Max-Devices attribute:

[screenshot: max.png]



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Multiple Cert Validity Periods in OnBoard

Does this only work for RADIUS enforcement profiles? I just tested this with an application enforcement profile and it did not appear to work. I can see that the Session-Timeout attribute was applied in Access Tracker, however the certificate validity was not changed from the default.

I am running CP version 6.3.2

[screenshot: App-Enforcement-SessionTimeout.png]

[screenshot: Access-Tracker-SessionTimeout.png]

Guru Elite

Re: Multiple Cert Validity Periods in OnBoard

Please add the attributes exactly like my example.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Multiple Cert Validity Periods in OnBoard

I may be resurrecting an old topic here, but how can we return RADIUS attributes if the onboard authorization service is of type application? The only one that seems like it could be applied with RADIUS attributes is a RADIUS CoA enforcement profile. Is this what it should be rather than a profile of type RADIUS?

Occasional Contributor II

Re: Multiple Cert Validity Periods in OnBoard

Still doesn't make sense to me how we can change a certificate validity after the fact once the certificate is issued, hashed, and signed. 

Guru Elite

Re: Multiple Cert Validity Periods in OnBoard

OldGreg wrote:

    Still doesn't make sense to me how we can change a certificate validity after the fact once the certificate is issued, hashed, and signed.

You can use OCSP so that ClearPass will not allow a revoked certificate to authenticate successfully. That option is in the EAP-TLS authentication method.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Multiple Cert Validity Periods in OnBoard

Yea I get OCSP for keeping revoked clients off the network, I am talking about the original poster's question about the issuing process. Need a way to issue certificates with different validity periods from the same Onboard CA and the answer was around a session timeout returned in a RADIUS attr rather than a way to actually issue the certificate with the desired validity based on group/role/user or otherwise. Just trying to clarify if this is possible or if we're stuck with the default validity of the Onboard CA config.
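The following Go program is an added example written for this thread; it is not ClearPass or OnBoard code and is not from any of the posters. It models the two technical points the thread turns on: the role-to-lifetime mapping Colin describes (a role selects an enforcement profile that hands back 31556926 or 63113851 seconds), and OldGreg's observation that a certificate's validity is baked into the signed certificate at issue time, so it can only be honoured at issuance and later enforced by expiry checks or revocation (OCSP). The CA, the role names "GroupA"/"GroupB", and the user names are constructed for the example; the lifetime constants are the values quoted in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Session-Timeout values quoted in the thread, in seconds (one and two years).
const (
	OneYearSeconds  = 31556926
	TwoYearsSeconds = 63113851
)

// ValidityForRole plays the part of the enforcement policy: a role (assumed
// names) selects the lifetime that the matching enforcement profile would
// return as Session-Timeout. Unknown roles get no certificate at all.
func ValidityForRole(role string) (time.Duration, error) {
	switch role {
	case "GroupA":
		return OneYearSeconds * time.Second, nil
	case "GroupB":
		return TwoYearsSeconds * time.Second, nil
	}
	return 0, fmt.Errorf("no enforcement profile for role %q", role)
}

// DemoCA is a throwaway in-memory issuing CA (constructed for the example).
type DemoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewDemoCA creates a self-signed CA valid for ten years from now.
func NewDemoCA(now time.Time) (*DemoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Onboard CA"},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DemoCA{cert: cert, key: key}, nil
}

// IssueClientCert signs an EAP-TLS client certificate whose NotAfter is fixed
// from the user's role at issue time. Once signed, nothing returned later in a
// RADIUS exchange can move this date; only expiry checks or revocation apply.
func (ca *DemoCA) IssueClientCert(user, role string, now time.Time) (*x509.Certificate, error) {
	validity, err := ValidityForRole(role)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt checks the client certificate against the CA as an authenticator
// would at the given moment; an expired certificate fails here regardless of
// any Session-Timeout value.
func (ca *DemoCA) VerifyAt(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsExpiredError reports whether a verification failure was specifically expiry.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ca, err := NewDemoCA(now)
	if err != nil {
		panic(err)
	}
	for _, u := range []struct{ user, role string }{{"alice", "GroupA"}, {"bob", "GroupB"}} {
		cert, err := ca.IssueClientCert(u.user, u.role, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s (%s): NotAfter=%s\n", u.user, u.role, cert.NotAfter.Format(time.RFC3339))
		fmt.Println("  valid one hour after issue:", ca.VerifyAt(cert, now.Add(time.Hour)) == nil)
		fmt.Println("  expired one hour after NotAfter:", IsExpiredError(ca.VerifyAt(cert, cert.NotAfter.Add(time.Hour))))
	}
}
```

The point to take from running it: the only place the role can change the lifetime is inside IssueClientCert, before the signature is made. After that, the authenticator can refuse the certificate (expiry, or OCSP revocation as Colin suggests) but cannot shorten or extend it.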
