08-18-2016 08:52 AM
I discovered this a while ago and I thought I would share with you since this isn't something obvious and the consequences could be bad.
When you configure a client Wi-Fi profile, you can find an option called "Use a different user name for the connection". Just tick this box and re-connect to your EAP-TLS network.
You will now be presented with a window like this (sorry, mine is in French :)
Now the fun part begins.
Normally, your authentication source will query AD based on the User Principal Name or the sAMAccountName.
Say it queries by UPN; you should have a string like this:
So ClearPass expects that the authentication username is the same as the UPN.
In the identity text field, if you authenticate people by UPN, type in the UPN of an employee you know who isn't in the same AD group and wireless role as you, and press OK.
You should see your entry in the Access Tracker with a successful authentication; this is normal. But you should also see that your authorization is in fact the one of the identity you manually entered, and not the one in your certificate!
This basically means that a secretary could enter the identity of the CEO and gets derived into the CEO role.
This is why you want to compare the certificate with the identity provided. As for me, I do it manually with a specific condition which looks like this:
Mine is with Subject-AltName for a specific reason, but it would normally be with UPN or sAMAccountName.
You can also do it with the Authentication method itself and use certificate comparison, just never had the chance to try it.
Hope this was useful.
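As an added illustration (not code from the original post or from ClearPass), the following Python models the two behaviours described above: an authorization lookup keyed only on the username the client typed, and the same lookup gated by the condition that the supplied identity must equal the identity in the client certificate. The directory, domain names and role mapping are constructed assumptions.

```python
# Constructed directory for illustration only; these are not real accounts.
DOMAIN = "corp.example"   # assumed UPN suffix
NETBIOS = "CORP"          # assumed NetBIOS name for DOMAIN\sam logins
DIRECTORY = {
    "ceo@corp.example": {"sam": "ceo", "groups": {"Executives", "Employees"}},
    "assistant@corp.example": {"sam": "assistant", "groups": {"Employees"}},
}
SAM_INDEX = {entry["sam"].lower(): upn for upn, entry in DIRECTORY.items()}


def normalize(identity: str) -> str:
    """Map a UPN, DOMAIN\\sAMAccountName or bare sAMAccountName to a lowercase UPN.
    Returns "" when the identity cannot be resolved in this domain."""
    ident = identity.strip().lower()
    if "\\" in ident:
        dom, sam = ident.split("\\", 1)
        if dom.upper() != NETBIOS:
            return ""  # foreign domain prefix: never equal to a local UPN
        return SAM_INDEX.get(sam, "")
    if "@" in ident:
        return ident
    return SAM_INDEX.get(ident, "")


def role_for(groups: set) -> str:
    """Assumed role derivation: one executive role, everyone else is an employee."""
    return "Executive" if "Executives" in groups else "Employee"


def authorize_by_username(cert_upn: str, supplied_username: str):
    """Behaviour from the post: the role is derived from the username the client
    typed in the profile. cert_upn is deliberately ignored to model the problem."""
    entry = DIRECTORY.get(normalize(supplied_username))
    return role_for(entry["groups"]) if entry else None


def authorize_with_cert_check(cert_upn: str, supplied_username: str):
    """Enforcement condition from the post: the supplied identity must match the
    identity carried in the certificate before any role is derived."""
    supplied, from_cert = normalize(supplied_username), normalize(cert_upn)
    if not supplied or supplied != from_cert:
        return None  # reject: certificate identity and typed identity differ
    return authorize_by_username(cert_upn, supplied_username)
```

The first function returns the Executive role for an assistant's certificate presented with the CEO's UPN; the second returns None for that case and only derives a role when the two identities agree.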