Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TLS CNs and matching with AD usernames

  • 1.  TLS CNs and matching with AD usernames

    Posted Jun 13, 2018 08:01 AM

    I have some Role generation rules that assign specific Roles based upon whether a user is in a specific AD group, e.g. "UoY Network Group" role assignment if (Authorization:UoY AD Authentication:memberOf CONTAINS cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk


    When creating eap-tls client certificates I set up the CN to be "userid-{4 digit hex number}@york.ac.uk"


    This sort of screws up the "UoY Network Group" Role, as userid-abcd@york.ac.uk certainly isn't in that AD group.


    Is there any way of using a regex to strip out my userid from the start of the Full-Username and use that when comparing against the contents of an AD group?




  • 2.  RE: TLS CNs and matching with AD usernames

    EMPLOYEE
    Posted Jun 13, 2018 08:23 AM
    Is the fully qualified username correct in any part of the certificate?


  • 3.  RE: TLS CNs and matching with AD usernames
    Best Answer

    Posted Jun 21, 2018 04:28 AM

    Actually the solution was simple (thanks to the PM I received from an Airheads user). All I had to do was replace


    user:@,\:user


    with 


    user:-,user:@,\:user


    in the service processing the eap-tls stuff


    and it all worked, e.g. for CN=as1558-abcd@york.ac.uk the username becomes as1558, which is what we want.

    Rgds

    Alex
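To make the effect of the rule change in the answer above checkable offline, here is an added example (not ClearPass code and not from any poster): a small Python re-implementation of the strip-username rule syntax as it is used in this thread. The rule semantics are an assumption based on the thread: "user:<d>" keeps the text before the first <d>, "<d>:user" keeps the text after the first <d>, and rules are applied left to right. The CN as1558-abcd@york.ac.uk comes from the answer; the DOMAIN\user sample is constructed.

```python
# Added example: re-implementation of the strip-username rule syntax seen in
# this thread, so the old and new rule strings can be compared offline.
# ASSUMED semantics (not verified against ClearPass source):
#   "user:<d>"  -> keep everything before the first <d>
#   "<d>:user"  -> keep everything after the first <d>
#   rules are applied left to right; a rule whose delimiter is absent is a no-op.
from typing import List, Tuple


def parse_rules(rule_string: str) -> List[Tuple[str, str]]:
    """Turn 'user:-,user:@,\\:user' into [('before', '-'), ('before', '@'), ('after', '\\')]."""
    rules: List[Tuple[str, str]] = []
    for raw in rule_string.split(","):
        rule = raw.strip()
        if not rule:
            continue
        if rule.startswith("user:") and len(rule) > len("user:"):
            rules.append(("before", rule[len("user:"):]))
        elif rule.endswith(":user") and len(rule) > len(":user"):
            rules.append(("after", rule[:-len(":user")]))
        else:
            raise ValueError(f"unrecognised strip rule: {rule!r}")
    return rules


def strip_username(full_username: str, rule_string: str) -> str:
    """Apply each rule in order to the certificate CN / Full-Username."""
    name = full_username
    for mode, delim in parse_rules(rule_string):
        if delim not in name:
            continue  # delimiter absent: rule does nothing
        head, _, tail = name.partition(delim)
        name = head if mode == "before" else tail
    return name


# Rule strings quoted in the answer (the Python literal "\\" is a single backslash).
OLD_RULES = "user:@,\\:user"
NEW_RULES = "user:-,user:@,\\:user"

if __name__ == "__main__":
    # as1558-abcd@york.ac.uk is from the thread; the other two are constructed samples.
    for cn in ["as1558-abcd@york.ac.uk", "ITS\\as1558", "as1558@york.ac.uk"]:
        print(f"{cn:26} old -> {strip_username(cn, OLD_RULES):14} new -> {strip_username(cn, NEW_RULES)}")
```

Because the stripped value is what the AD group lookup is then run against, the part of the CN before the first "-" must be the user's real AD account name; that binding is only as strong as the process that issues the EAP-TLS client certificates.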




  • 4.  RE: TLS CNs and matching with AD usernames

    Posted Jul 03, 2018 07:02 PM

    Thanks for the tip, that may work with a TLS vs. AD username problem I'm facing as well.