
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

802.1x and Windows CA question

  • 1.  802.1x and Windows CA question

    Posted Jun 19, 2014 05:32 AM


    I have a working setup with Aruba controller and clearpass 802.1x and EAP-TLS.

    Now I say working, with modifications. 

    The client has gone ahead and changed the UPN field in AD to the user's email address, and therefore the generated user certificates fail authentication against AD because they use the email address as username. AD can't find the account.

    There are some ways around using user certificates, like Clearpass as Int CA, machine only authentication and so on.

    However, I wondered if anyone has any experience of trying to use the sAMAccountName as subject name?


    Either in the template directly, or as an interaction between the "supply in the request" option in the certificate template and Group Policy.



  • 2.  RE: 802.1x and Windows CA question

    Posted Jun 19, 2014 07:01 AM
    Did you try stripping the domain in your service under the authentication tab?

  • 3.  RE: 802.1x and Windows CA question

    Posted Jun 19, 2014 07:29 AM


    Yeah, I tried that, but it does no good.

    Example. We have a user named John Smith, and AD domain is Contoso. His account name would be something like Contoso\josm.

    At the same time his email address is

    Normally the UPN in AD would be josm (account name), now they have changed it to email address

    The issued user certificate now has an alternative subject name, and this will be the username I see the computer trying to authenticate with through EAP-TLS. Now I can strip the domain and be left with john.smith, but AD still doesn't know any account named john.smith; it knows about josm, or contoso\josm.


    To me it looks like a bad idea to change the UPN, since any solution using certificates for user authentication towards AD would face the same issue. Unless there is a way to use the sAMAccountName as the SAN field through the certificate template.


  • 4.  RE: 802.1x and Windows CA question
    Best Answer

    Posted Jul 03, 2014 07:18 AM

    To answer myself on this and possibly help others, I found a solution in this post:


    I added the AD as an Authentication Source twice in ClearPass: one does authentication based on the sAMAccountName as per default, and the second one uses the userPrincipalName as username by modifying the Filter attribute.

    Now I can just add both authentication sources to the service, and if the user is not found in the first one, it tries the next source, and that way I can use either the sAMAccountName or the UPN.
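The following is an added example, not code from the thread or from ClearPass itself. It models the identity-matching problem in post 3 (the certificate SAN carries the UPN, stripping the domain leaves a value that is not the sAMAccountName) and the workaround in the accepted answer (two authentication sources with different LDAP filters, tried in order). The in-memory directory entries are constructed, and the `%{Authentication:Username}` filter-template syntax, the attribute names and the source names are assumptions made for the illustration.

```python
"""Simulate an EAP-TLS identity lookup against two AD-style authentication sources.

Added example, not part of the original thread or of any vendor product.
The directory content is constructed; the filter template syntax
(%{Authentication:Username} replaced by the presented identity) is an
assumption modelled on how a RADIUS policy server expands LDAP filters.
"""

from typing import Optional, Tuple

# Constructed directory: the UPN has been changed to the e-mail address,
# so it no longer matches the sAMAccountName (the situation in the thread).
DIRECTORY = [
    {"sAMAccountName": "josm", "userPrincipalName": "john.smith@contoso.com",
     "objectClass": "user"},
    {"sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@contoso.com",
     "objectClass": "user"},
]

# Two authentication sources pointing at the same directory but with
# different filters: the usual sAMAccountName filter, and the modified
# userPrincipalName filter from the accepted answer (names are assumed).
SOURCES = {
    "AD-SAM": "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))",
    "AD-UPN": "(&(userPrincipalName=%{Authentication:Username})(objectClass=user))",
}


def strip_domain(identity: str) -> str:
    """Emulate a 'strip username' rule: drop a DOMAIN\\ prefix and an @realm suffix."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    if "@" in identity:
        identity = identity.split("@", 1)[0]
    return identity


def search(template: str, username: str) -> list:
    """Evaluate a filter of the form (&(attr=value)(attr=value)...) against DIRECTORY.

    Equality is compared case-insensitively, as AD does for these attributes.
    """
    expanded = template.replace("%{Authentication:Username}", username)
    if not (expanded.startswith("(&") and expanded.endswith(")")):
        raise ValueError("only AND-of-equality filters are supported in this demo")
    clauses = []
    for part in expanded[2:-1].split(")("):
        attr, _, value = part.strip("()").partition("=")
        clauses.append((attr, value.lower()))
    return [
        entry for entry in DIRECTORY
        if all(str(entry.get(attr, "")).lower() == value for attr, value in clauses)
    ]


def authenticate(identity: str, sources: dict, strip: bool) -> Tuple[Optional[dict], Optional[str]]:
    """Try each authentication source in order and return (entry, source name).

    Mirrors the service behaviour in the answer: when the user is not found in
    the first source, the next source is tried. Returns (None, None) on no match.
    """
    username = strip_domain(identity) if strip else identity
    for name, template in sources.items():
        matches = search(template, username)
        if len(matches) == 1:          # exactly one account must match
            return matches[0], name
    return None, None


if __name__ == "__main__":
    # The original problem: SAN UPN, domain stripped, only the default source.
    print(authenticate("john.smith@contoso.com", {"AD-SAM": SOURCES["AD-SAM"]}, strip=True))
    # The workaround: both sources, domain stripping off so the UPN survives.
    print(authenticate("john.smith@contoso.com", SOURCES, strip=False))
    # A plain account name still resolves via the first source.
    print(authenticate("CONTOSO\\josm", SOURCES, strip=True))
```

Note the interaction the example makes explicit: the second source only helps when the realm is left on the username, because the UPN filter is matching the full `john.smith@contoso.com`. If the service strips the domain before querying both sources, the UPN source fails just like the sAMAccountName source did.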