Occasional Contributor I

OnBoard AD Group Authorization

Hello,

I'm wondering if the following is possible with OnBoard (single provisioning SSID):

We'd like to have users authenticate via AD (EAP-PEAP) when on-boarding their device, but we want to put the users in different roles based on what AD group they are in once they are provisioned and authenticating with EAP-TLS.

Is it possible to write an attribute into the client's certificate (during the provisioning authorization service process) based on what AD group they belong to, so that we can filter for that attribute when doing EAP-TLS authentication to derive the correct role?

I can see that there is an option in provisioning settings under 'Web Logins' to enter a custom field that will be written into the client certificate, but my understanding is that this requires user input in the login page. What we're after is automatic mapping of AD group to client certificate attribute. Is this possible?

Many thanks, any assistance is appreciated.

Guru Elite

Re: OnBoard AD Group Authorization

It's not recommended to embed dynamic data like group membership into the certificate because then the information can easily become dated.

Instead, you can use AD as an authorization source and check group membership directly from Active Directory in real-time. This also allows you to verify whether the AD account for the user is still enabled.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: OnBoard AD Group Authorization

Thanks for your reply. This is the part that I'm confused about: if the user is provisioned and using EAP-TLS to authenticate with CP, how does CP know the user's credentials to pass to the AD? Wouldn't the user only present their client certificate without AD credentials? Does CP cache the credentials from the first time they authenticate with EAP-PEAP and pass them on again at a later date?

Guru Elite

Re: OnBoard AD Group Authorization

ClearPass uses the AD bind account during authorization to pull the user properties based on the username in the certificate.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
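The pattern the reply describes, as an added example (not ClearPass's own code): the username is taken from the client certificate, and the role is decided by a live directory lookup that also honours the disabled bit. The in-memory directory, the `ROLE_MAP` group-to-role table and the `guest` fallback role are constructed assumptions standing in for what the AD bind account would read back.

```python
"""
Real-time AD authorization for an EAP-TLS client, as the thread describes:
identity comes from the certificate, role comes from a live directory lookup.
Example code written for this thread, not ClearPass's own. The directory is a
constructed in-memory stand-in for what the AD bind account would read back.
"""
from typing import Optional

ACCOUNTDISABLE = 0x2  # bit in AD's userAccountControl attribute

# Constructed sample of AD user entries keyed by sAMAccountName (assumed).
FAKE_AD = {
    "jsmith": {"userAccountControl": 512,
               "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    "bjones": {"userAccountControl": 514,  # 512 | ACCOUNTDISABLE
               "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    "kchan":  {"userAccountControl": 512,
               "memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=com"]},
}

# Assumed group-to-role mapping, checked in order of precedence.
ROLE_MAP = [
    ("CN=Staff,OU=Groups,DC=example,DC=com", "employee"),
    ("CN=Contractors,OU=Groups,DC=example,DC=com", "contractor"),
]


def username_from_subject(subject_dn: str) -> Optional[str]:
    """Take the CN from the certificate subject; a UPN-style CN keeps only the local part."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN" and value:
            return value.split("@", 1)[0].lower()
    return None


def authorize(subject_dn: str, directory: dict = FAKE_AD) -> str:
    """Return a role for a presented certificate, or 'deny'.

    The certificate only proves who enrolled; whether that account still
    exists, is enabled, and which groups it holds is decided here, live.
    """
    user = username_from_subject(subject_dn)
    if user is None or user not in directory:
        return "deny"  # no usable identity, or account deleted since enrollment
    entry = directory[user]
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return "deny"  # valid cert, but the AD account was disabled
    for group_dn, role in ROLE_MAP:
        if group_dn in entry["memberOf"]:
            return role
    return "guest"  # assumed fallback role for enabled users in no mapped group
```

Because nothing about the group is baked into the certificate, disabling the account or moving the user between groups takes effect at the next authentication without re-enrolling the device.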