Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Stripping prefix \ suffix clearpass

Hello,

I would like to strip the prefix and the suffix of my machine authentication, as the full name is not in the Active Directory.

I was able to do it for users but not machines.

Currently I have host/computername.domain.net

I would like to strip the host/ and the domain.net

For users I did user:@, but how can I achieve this for machines?

Thanks.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Stripping prefix \ suffix clearpass

There should be no need to strip the host or the domain name portion when doing machine authentication through CPPM to AD on the backend; I have this working in some environments. If it is failing, what does the Alerts tab say for the failed event under Access Tracker?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Stripping prefix \ suffix clearpass

It claims that the user is not found, although it's a computer certificate.

AD_Authentication - x.y.a.b: User not found.
EAP-TLS: Authentication failure, unknown user

Guru Elite
Posts: 21,040
Registered: ‎03-29-2007

Re: Stripping prefix \ suffix clearpass

Who issued the certificate? What CA? CPPM might be looking up the "user" in the CN and trying to find it in AD. You might want to make a copy of the EAP-TLS method and in the copy, uncheck "authorization".

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Stripping prefix \ suffix clearpass

Yes!

Thanks a lot.

I totally didn't think about it.

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Stripping prefix \ suffix clearpass

Sorry to bother again, can you please explain this?

Now I got the certificate working fine: user and computer certificate.

Guru Elite
Posts: 21,040
Registered: ‎03-29-2007

Re: Stripping prefix \ suffix clearpass

I am only guessing here, because I do not know your deployment:

In the EAP-TLS method, there is an option to ensure that the "user" in the certificate actually exists in Active Directory. What field you actually compare to a user is also configurable in the EAP-TLS method. It is a way to ensure that the "user" that the certificate was issued to actually exists. When you turn this on, you need to make sure that the right field in the certificate is compared against the user, otherwise it will not work. You can turn this off and, as long as the certificate has not expired, it will allow the device to get on.

EAP-TLS quite frankly can be very involved, so I am only speaking generally.



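To make the two points in this thread concrete, here is an added example (not ClearPass code and not from anyone in the thread) that strips the host/ prefix and the DNS suffix from a machine identity like host/computername.domain.net, the user:@ style realm from a user identity, and then performs the kind of existence check the EAP-TLS method's "authorization" option does against a directory. The directory table and the ws0042 / jdoe names are constructed; AD computer accounts really do have a sAMAccountName ending in $.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AdLookup:
    kind: str              # "machine" or "user"
    sam_account_name: str  # value to look up as sAMAccountName in AD
    realm: Optional[str]   # DNS suffix / domain that was stripped off


def normalise_identity(identity: str) -> AdLookup:
    """Turn the identity ClearPass sees into the AD account name to look up.

    host/computername.domain.net -> COMPUTERNAME$ (AD computer accounts end in $)
    user@domain.net              -> user           (the user:@ case from the thread)
    DOMAIN\\user                 -> user
    """
    ident = identity.strip()
    if ident.lower().startswith("host/"):
        fqdn = ident[len("host/"):]                # strip the host/ prefix
        short, _, suffix = fqdn.partition(".")      # strip the DNS suffix
        return AdLookup("machine", short.upper() + "$", suffix or None)
    if "\\" in ident:                               # down-level DOMAIN\user form
        realm, _, user = ident.partition("\\")
        return AdLookup("user", user, realm)
    user, _, realm = ident.partition("@")           # UPN form user@realm
    return AdLookup("user", user, realm or None)


# Constructed stand-in for the directory: sAMAccountName -> objectClass.
FAKE_AD = {"WS0042$": "computer", "JDOE": "user"}


def authorize(identity: str, directory=FAKE_AD) -> Tuple[bool, str]:
    """Mimic the EAP-TLS method's "authorization" step: the account named in
    the certificate must exist in AD and be of the expected object class."""
    lookup = normalise_identity(identity)
    key = lookup.sam_account_name.upper()           # sAMAccountName is case-insensitive
    obj_class = directory.get(key)
    if obj_class is None:
        return False, f"AD_Authentication: User not found ({key})"
    expected = "computer" if lookup.kind == "machine" else "user"
    if obj_class != expected:
        return False, f"{key} is a {obj_class} account, expected {expected}"
    return True, f"{lookup.kind} account {key} found in AD"


if __name__ == "__main__":
    for ident in ("host/ws0042.domain.net", "jdoe@domain.net", "host/ws0099.domain.net"):
        print(ident, "->", authorize(ident))
```

The third identity reproduces the "User not found" alert from earlier in the thread: the lookup name is derived correctly but no matching account exists, which is exactly what unchecking "authorization" bypasses.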

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Stripping prefix \ suffix clearpass

I get the point.

What I care about mostly is to authenticate the machine, and less the user; we will issue computer certificates with a custom attribute to verify vs. the Active Directory.

Guru Elite
Posts: 21,040
Registered: ‎03-29-2007

Re: Stripping prefix \ suffix clearpass

Well, you don't need to accomplish machine-only with TLS and client-side certificates. You can accomplish this with regular PEAP.

You can set up a group policy where only the machine authenticates on the wireless side: http://support.microsoft.com/kb/929847

You can also accomplish this with group policy: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx




Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Stripping prefix \ suffix clearpass

I wanted the TLS for extra security.