Contributor I

Verify Onboard certificate MAC address

Hoping someone here might have an answer to this.  When a client is Onboarded, the MAC address of the device is placed into the SAN field (Certificate:Subject-AltName-DirName-OnboardMACAddress) of the certificate.  Is there a way either through a role mapping or through an enforcement policy to verify that the requesting device MAC (Connection:Client-Mac-Address-Colon) is the same MAC that is listed in the SAN? 

Guru Elite

Re: Verify Onboard certificate MAC address

Yes, you can; however, not all iOS devices have the MAC in the cert.


certificate-mac-addr-match.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Verify Onboard certificate MAC address

Any hints on how to accomplish this?  Never mind, the image was not showing up.

Guru Elite

Re: Verify Onboard certificate MAC address

certificate-mac-addr-match.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Verify Onboard certificate MAC address

That's the same configuration I have except it does not work. Do you have any other ideas?

Guru Elite

Re: Verify Onboard certificate MAC address

Did you verify that the certificate has the SAN? Does it have multiple MAC addresses? You may need to change the operator to belongs_to or contains.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Verify Onboard certificate MAC address

I guess I lied when I said mine was the same. I was using EQUALS, should have been using EQUALS_IGNORE_CASE.

Thanks for your help, working like it should.
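
The comparison discussed in this thread, as an added example that is not from any of the posters and is not ClearPass code: it shows why a raw EQUALS comparison fails when the certificate and the connection attribute differ in case, and how a normalized check also covers a SAN holding several MACs or none. The function names, the comma-separated SAN layout, and all sample values are assumptions constructed for illustration.

```python
import re

def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[:\-.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def split_san_macs(san_value):
    """Split a SAN value that may hold several MACs (comma-separated: an assumption)."""
    return [part.strip() for part in san_value.split(",") if part.strip()]

def raw_equals(client_mac, san_value):
    """Case-sensitive string comparison, modelling the EQUALS operator."""
    return client_mac == san_value

def raw_equals_ignore_case(client_mac, san_value):
    """Case-insensitive string comparison, modelling EQUALS_IGNORE_CASE."""
    return client_mac.lower() == san_value.lower()

def mac_bound_to_cert(client_mac, san_value):
    """True only if the client MAC matches a MAC in the SAN after normalization."""
    client = normalize_mac(client_mac)
    if client is None:
        return False  # malformed client MAC: fail closed
    cert_macs = {normalize_mac(m) for m in split_san_macs(san_value)}
    cert_macs.discard(None)  # ignore SAN entries that are not MACs
    return client in cert_macs  # empty SAN (no MAC in cert) never matches

# Constructed samples: (client MAC from the connection, MAC value from the cert SAN)
SAMPLES = [
    ("aa:bb:cc:11:22:33", "AA:BB:CC:11:22:33"),                     # case differs
    ("aa:bb:cc:11:22:33", "AA-BB-CC-11-22-33, 00:11:22:33:44:55"),  # several MACs
    ("aa:bb:cc:11:22:34", "AA:BB:CC:11:22:33"),                     # different device
    ("aa:bb:cc:11:22:33", ""),                                      # cert has no MAC
]

def evaluate(samples=SAMPLES):
    """Return (EQUALS, EQUALS_IGNORE_CASE, normalized match) for each sample."""
    return [
        (raw_equals(c, s), raw_equals_ignore_case(c, s), mac_bound_to_cert(c, s))
        for c, s in samples
    ]

if __name__ == "__main__":
    for (client, san), row in zip(SAMPLES, evaluate()):
        print(f"{client!r} vs {san!r}: equals={row[0]} ignore_case={row[1]} normalized={row[2]}")
```
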
