> Would it be fair to say that the certificate itself is a credential? My customer only uses
> machine certificates and therefore the AD lookup is disabled. CPPM is not configured in
> any way to communicate with AD.
Chris, absolutely.
To split hairs about it, the AD part of the authentication is actually step 2.
Step 1 of the authentication is the fact you accepted the certificate. By definition a message that can be decrypted with a public key must have been encrypted by whomever had the private key. If you can read the message and you trust the CA of the cert you've already authenticated them.
Step 2 is authenticating an attribute of the cert against AD. Depending on the context this could be considered authorization not authentication. For example if you want to allow any cert on the network but apply a special role to certs belonging to AD users.
The clearpass way of doing things doesn't make these distinctions clear. For example it would make sense to have an authentication source that is a list of trusted CAs for this service. Instead there is a global trust list and an implicit authentication of the cert.
So Chris what are you using as an authentication source for your service, given you have to have something in there?