What you are describing is not TLS recommended practice according to the RFC 5216 standard.
It states:
o It is no longer recommended that the identity presented in the EAP-Response/Identity be compared to the identity provided in the peer certificate.
Further,
It is RECOMMENDED that the Identity Response be used primarily for routing purposes and selecting which EAP method to use. EAP Methods SHOULD include a method-specific mechanism for obtaining the identity, so that they do not have to rely on the Identity Response.
It is possible to configure ClearPass to use the certificate Subject-CN for authentication & authorization, but it is not the normal configuration.
I personally recommend anyone configuring ClearPass for EAP-TLS familiarize themselves with the standard. https://www.rfc-editor.org/rfc/rfc5216.txt
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
------------------------------
Original Message:
Sent: May 26, 2023 11:20 AM
From: Herman Robers
Subject: ClearPass EAP-TLS Certificate Comparison
What ahollifield describes is the Authorization checkbox in the EAP-TLS Method. The Compare (CN/DN/SAN/CN-SAN) compares the username that is sent to a field in the certificate. With EAP-TLS the client can select an arbitrary username that is used, and without comparison that name is then used to look up authorization in AD/Intune. With the comparison enabled, if the username sent does not match the field, the authentication will fail. For me with Intune the Compare CN or SAN works fine, as long as the username sent matches the UPN/E-mail. The CN for Intune should be set to the Intune Device ID, so that won't match and with a Compare CN the authentication is supposed to fail.
Long story, but a failing compare between the username sent and the selected fields in the certificate will reject the authentication to avoid username spoofing.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 23, 2023 02:10 AM
From: harutyun.hakobyan
Subject: ClearPass EAP-TLS Certificate Comparison
Intune devices are not domain joined and there are no corresponding objects in Active Directory.
Original Message:
Sent: May 22, 2023 02:16 PM
From: ahollifield
Subject: ClearPass EAP-TLS Certificate Comparison
Traditionally this is used to compare a value from one of the certificate fields to an object in Active Directory. Not sure how this plays into an Intune device, or if this option is even possible.
Original Message:
Sent: May 22, 2023 10:12 AM
From: harutyun.hakobyan
Subject: ClearPass EAP-TLS Certificate Comparison
Hi All,
What does Compare Subject Alternate Name (SAN) mean in ClearPass EAP-TLS Certificate Comparison?
The client is an MS Intune device and the client certificate has a SAN.
Thanks