Why it is important to use certificate comparison on ClearPass in EAP-TLS

Hey guys,

I discovered this a while ago and I thought I would share it with you, since this isn't something obvious and the consequences could be bad.

When you configure a client Wi-Fi profile, you can find an option called "Use a different user name for the connection". Just tick this box and re-connect to your EAP-TLS network.

[screenshot: ident.jpg]

You will now be presented with a window like this (sorry, mine is in French :)

[screenshot: cert.png]

 

Now the fun part begins.

Normally, your authentication source queries AD by the User Principal Name (UPN) or the sAMAccountName.

Say it queries by UPN; you should then have a filter string like this:
(&(userPrincipalName=%{Authentication:Username})(objectClass=user))

So ClearPass expects the authentication username (the identity the client sent) to be the same as the UPN.

In the identity field, if you authenticate people by UPN, type the UPN of an employee you know is not in the same AD group and wireless role as you, and press OK.

You should see your entry in the Access Tracker with a successful authentication; this is normal. But you should also see that your authorization is in fact that of the identity you manually entered, and not the one on your certificate!

This basically means that a secretary could enter the identity of the CEO and get derived into the CEO role.

This is why you want to compare the certificate with the identity provided. As for me, I do it manually with a specific condition, which looks like this:

[screenshot: rad.png]

Mine uses the Subject-AltName for a specific reason, but it would normally be the UPN or sAMAccountName.

You can also do it in the authentication method itself and use certificate comparison; I just never had the chance to try it.
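To make the difference concrete, here is an added Python model of the two authorization flows. It is not ClearPass code and not from the original post: it assumes an in-memory dictionary standing in for AD, a hypothetical `Request` carrying the EAP identity and the UPN from the certificate that passed EAP-TLS, and the post's own LDAP filter template with `%{Authentication:Username}` filled in (RFC 4515 escaping is added here, since ClearPass does that for you). The first policy derives the role from the identity alone, as described above; the second refuses the request unless the certificate and the identity agree.

```python
"""Simulated EAP-TLS authorization: identity-only versus certificate comparison.

Added example (not ClearPass code). DIRECTORY, Request and the two policy
functions are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample AD: UPN -> attributes used for role derivation.
DIRECTORY = {
    "alice@corp.example": {"group": "Finance", "role": "Employee"},
    "ceo@corp.example": {"group": "Executives", "role": "Executive"},
}


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_filter(username: str) -> str:
    """Fill the post's filter template; the username is the identity the client sent."""
    return f"(&(userPrincipalName={ldap_escape(username)})(objectClass=user))"


def lookup(username: str) -> Optional[dict]:
    """Stand-in for the AD query: UPN match is case-insensitive, as in AD."""
    for upn, attrs in DIRECTORY.items():
        if upn.lower() == username.lower():
            return attrs
    return None


@dataclass
class Request:
    identity: str   # what the supplicant typed in the EAP identity field
    cert_upn: str   # UPN (SAN otherName) in the client certificate that passed EAP-TLS


def authorize_by_identity(req: Request) -> str:
    """Vulnerable flow: the role comes from whatever identity the client supplied."""
    entry = lookup(req.identity)
    return entry["role"] if entry else "Reject"


def authorize_with_cert_check(req: Request) -> str:
    """Hardened flow: the certificate must name the same user as the identity."""
    if req.cert_upn.lower() != req.identity.lower():
        return "Reject"          # identity does not match the authenticated certificate
    entry = lookup(req.identity)
    return entry["role"] if entry else "Reject"


if __name__ == "__main__":
    # Alice's certificate, but the CEO's UPN typed into the identity field.
    spoof = Request(identity="ceo@corp.example", cert_upn="alice@corp.example")
    print(build_filter(spoof.identity))
    print("identity only   :", authorize_by_identity(spoof))      # Executive
    print("with cert check :", authorize_with_cert_check(spoof))  # Reject
```

The comparison is the whole point: once the certificate has been validated, the identity field is just a string the client chose, so any attribute you fetch from AD with it must be tied back to the certificate before it is used for role derivation. Access Tracker will still show a successful authentication in the vulnerable flow, which is why the problem is easy to miss.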

Hope this was useful.

ACMP, ACCP, BCNE