AD is not designed to store device accounts outside of Windows AD-joined objects.
You can use the MAC address, cert serial, subject, or other cert property as a lookup value in the device database.
------------------------------
Tim C
------------------------------
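An added example, not part of the original thread and not ClearPass code: a minimal sketch of using the certificate as a lookup handle, where the role comes from the device record rather than from the certificate template. The registry contents, field names and the `authorize` function are hypothetical, and the certificate is assumed to have already passed EAP-TLS validation.

```python
import re

# Constructed device registry (hypothetical stand-in for the device database).
# Keys are normalized identifiers; the role lives here, not in the certificate.
DEVICES = {
    "mac:001122aabbcc": {"name": "printer-3f-01", "role": "printer", "enabled": True},
    "serial:4f00000012a9": {"name": "tv-lobby", "role": "display", "enabled": True},
    "cn:infusion-pump-17.example.internal": {"name": "pump-17", "role": "medical", "enabled": False},
}

def norm_mac(value):
    """Accept 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc or 0011.22aa.bbcc; return 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def norm_serial(value):
    """Serials appear as 00:4F:..., 0x4f... or with leading zeros; compare as bare hex."""
    digits = re.sub(r"[:\s]", "", value or "").lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    digits = digits.lstrip("0")
    return digits if re.fullmatch(r"[0-9a-f]+", digits) else None

def subject_cn(subject):
    """Extract the CN from a subject string such as 'CN=x,OU=y,O=z'."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject or "", re.IGNORECASE)
    return m.group(1).strip().lower() if m else None

def authorize(cert):
    """cert: dict with optional 'serial', 'mac', 'subject'. Returns (role, reason)."""
    candidates = [
        ("serial", norm_serial(cert.get("serial"))),
        ("mac", norm_mac(cert.get("mac"))),
        ("cn", subject_cn(cert.get("subject"))),
    ]
    for kind, value in candidates:
        dev = DEVICES.get(f"{kind}:{value}") if value else None
        if dev is None:
            continue
        if not dev["enabled"]:
            return None, f"{dev['name']} is disabled"
        return dev["role"], f"matched {kind}:{value}"
    # A valid certificate alone grants nothing: unknown devices get no role.
    return None, "no registered device matches this certificate"
```

Because the role is read from the device record, reclassifying or disabling a device needs no certificate reissue and a single certificate template serves every device type.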
Original Message:
Sent: Mar 30, 2021 11:13 AM
From: Jukka Aaltonen
Subject: Automatic certificate assignment/renewal for printers etc.
Add them to CPPM guest? Any benefits for using that instead of AD? As all the workstations that are logging on to the network are already checked against AD anyway and it's used as an authentication source. Wouldn't you need to do MAC authentication in this case, as there's no password except for the MPSK password?
Original Message:
Sent: Mar 30, 2021 11:04 AM
From: Tim C
Subject: Automatic certificate assignment/renewal for printers etc.
No need to create AD accounts. Use device registration in CPPM.
------------------------------
Tim C
Original Message:
Sent: Mar 30, 2021 10:40 AM
From: Jukka Aaltonen
Subject: Automatic certificate assignment/renewal for printers etc.
I remember seeing devices that only allowed you to add certificates but no username/password. Also, as it's our internal CA that we can control, I was hoping to pick the easy way and just authenticate based on certificate fields :) I guess we'd need to start adding user accounts to AD and then just issue similar certificates to all the devices.
Original Message:
Sent: Mar 30, 2021 09:16 AM
From: Tim C
Subject: Automatic certificate assignment/renewal for printers etc.
A certificate should simply be a pointer / correlation handle to another data source. There is no need to use different certificate properties.
------------------------------
Tim C
Original Message:
Sent: Mar 30, 2021 06:42 AM
From: Jukka Aaltonen
Subject: Automatic certificate assignment/renewal for printers etc.
I thought we could get printers to get certificates from Microsoft NDES and then renew those when they expire. But it seems that you can pair NDES to only a single certificate template. I was hoping we could have different templates for printers, TVs, medical stuff etc. So when doing 802.1X EAP-TLS we could figure out the correct user role from the certificate values.
Any ideas how we could do this? Is there other SCEP software that could do this? Or is anyone doing something like this, or how do you configure certificates for the printers etc.?