Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass EAP-TLS with UPN lookup

  • 1.  Clearpass EAP-TLS with UPN lookup

    Posted yesterday

    Longtime reader here and first-time poster...

    I have just recently set up an EAP-TLS service, for both corporate laptops and corporate Apple iPhones.

    In a nutshell, I have things working with basic connectivity and functionality. So far so good, but now I am trying to make sure that when the iPhones connect, they have to use the correct UPN to match their CN in the certificate.

    Depending on the attribute I use for the AD source, it will either fail completely or match any UPN in AD to the machine certificate.

    (&(objectClass=user)(userPrincipalName=%{Certificate:Subject-CN}))(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))

    With the above, the UPN lookup fails, but if I change to OR, it will pass the lookup - the only problem is I can use someone else's UPN...

    Any pointers would be great.



  • 2.  RE: Clearpass EAP-TLS with UPN lookup

    Posted yesterday

    Your query seems incomplete, unless there is an implicit AND or OR in LDAP queries... how I read it:

    [ user-object AND userPrincipalName=Subject-CN ] [ user-object AND sAMAccountName=Username ]; I don't see an operator between those two blocks. If you want to enforce both, there may need to be an (& in the front and an additional ) at the end; unless there is an implicit AND if there are two parts in a query.

    As the Subject-CN is part of the certificate, that cannot be modified (unless people are able to get a certificate for another user's CN), so the UPN query seems secure to me. The Authentication:Username is something that people can modify, unless you have 'Compare CN or SAN' in your EAP-TLS method.

    It would be needed to have a deeper look into your certificates, mainly the difference between those for different devices, but if both have the userPrincipalName as the CN (or as the SAN-msUPN attribute), you could modify the query to just the first part and look up AD attributes based on just the information from the certificate. But as the full use-case or what you exactly want to achieve is not fully clear to me, it's hard to provide a more detailed answer.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass EAP-TLS with UPN lookup

    Posted yesterday

    Maybe I am trying to put this query together the wrong way.

    The CN = email address in the certificate, and the UPN is not mentioned in the certificate anywhere. But my thing was if I can query both and have them match somehow.

    The reason I have chosen to query the UPN against the CN is that the iPhones will be using shared AD accounts which are not tied to an email address, so having the user change the username field to an email is useless. I was really hoping the iPhones could connect without the username field and just use the certificate.




  • 4.  RE: Clearpass EAP-TLS with UPN lookup

    EMPLOYEE
    Posted yesterday

    The query I've used for a very long time now:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

    The UPN lookup, as can be seen in the LDAP query, is going to be based on the Username that is submitted as part of the authentication request.  This isn't a lookup on the certificate.  For instance, with Windows you have the option for identity privacy to set the outer username to an anonymous value but you can also override the username so that the supplicant doesn't use the information from the certificate for the authentication.

    Highly recommend you not use a shared account.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Clearpass EAP-TLS with UPN lookup

    Posted 20 hours ago

    Thanks Carson, I'll give this a go today.

    Is it possible to have ClearPass look up the UPN, find the mail address in the AD account and compare that mail address to the CN in the certificate?
    That way, when that matches we know the end-user has to enter their own UPN and not just any that is within AD.

    UPN comes to mind first as that is what most users have a habit of using to login, but we could also use the mail address as the username submitted for the query.

    The shared account is an ongoing discussion and until they work out the best method for shift workers sharing devices I will stay out of the conversation :)




  • 6.  RE: Clearpass EAP-TLS with UPN lookup

    EMPLOYEE
    Posted 19 hours ago

    Shared devices should just be given a certificate that is basically tied to the device.  Easiest way to do this is to use an issuing CA that is there only for the purpose of issuing certificates for provisioned devices, preferably using a MDM solution.  Then you can authenticate and authorize the device onto the network based on that issuing CA rather than attempting to authorize the device against AD.

    As for your question, using the modified LDAP query that includes the UPN lookup, once an account has been identified you can capture basically any attribute for that account to be used as part of authorization.  Use role mapping to validate the account's email address against whatever piece of the certificate is being extracted by ClearPass and then apply enforcement appropriately.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Clearpass EAP-TLS with UPN lookup

    Posted 18 hours ago

    Unfortunately the shared iPhones need the username field as well as the certificate in the request.

    This direction helps, and I've managed to get an enforcement profile to work I just say "Authentication:Username EXISTS" but as soon as I try to run a comparison on the two attributes it fails.


    I've tried a combination of the above, or with the Username and Subject-CN in flipped positions and the result is the same. 




  • 8.  RE: Clearpass EAP-TLS with UPN lookup

    EMPLOYEE
    Posted 17 hours ago

    You're doing a literal comparison with the string Authentication:Username.  For string replacement you need to specify the variable and include the replacement instructions, e.g., %{Authentication:Username}.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
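As an added example (not code from the thread or from HPE Aruba ClearPass), the following Python script models the three points made in replies 2, 4, 6 and 8: the first post's filter is two filters with no outer operator, the OR form matches whichever account the submitted username names regardless of the certificate, and the fix is a username-keyed lookup followed by a role-mapping comparison of the account's mail against the certificate CN using `%{...}` substitution rather than the literal attribute name. The directory contents, the request attributes and the authorization-source name `AD` in `Authorization:AD:mail` are constructed assumptions; the RFC 4515 escaping applied to substituted values is this example's own defence against filter injection and is not a claim about how ClearPass renders its filters.

```python
"""Added example, not from the thread or from ClearPass: a small RFC 4515 LDAP
filter evaluator plus ClearPass-style %{Namespace:Attr} substitution, run
against a constructed AD directory."""
import re

# Constructed sample directory. The certificate CN is the mail address and the
# UPN is not in the certificate (post 3). The shared account has no mail.
AD = [
    {"objectClass": "user", "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@corp.example", "mail": "alice.smith@corp.example"},
    {"objectClass": "user", "sAMAccountName": "bjones",
     "userPrincipalName": "bjones@corp.example", "mail": "bob.jones@corp.example"},
    {"objectClass": "user", "sAMAccountName": "shift-phone-01",
     "userPrincipalName": "shift-phone-01@corp.example"},
]

# Post 1's filter exactly as written: two complete filters, no outer operator.
BROKEN = ("(&(objectClass=user)(userPrincipalName=%{Certificate:Subject-CN}))"
          "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))")
AND_FILTER = "(&" + BROKEN + ")"
OR_FILTER = "(|" + BROKEN + ")"
# Post 4's filter: keyed only on the username the supplicant submits.
USERNAME_FILTER = ("(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
                   "(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))")

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value):
    """RFC 4515 escaping so a user-supplied username cannot change filter structure."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def render(template, attrs, escape=lambda v: v):
    """Expand %{Namespace:Attr}; unset attributes expand to ''. A template with no
    %{...} (e.g. the bare string Authentication:Username) is returned unchanged."""
    return re.sub(r"%\{([^}]+)\}", lambda m: escape(attrs.get(m.group(1), "")), template)

def parse_filter(text):
    """Parse exactly one filter; anything after its closing paren is an error."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing input at offset %d: %r" % (pos, text[pos:]))
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, i))
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! at offset %d" % i)
        return ("!", [kid]), i + 1
    j = s.find(")", i)                      # a literal ')' inside a value is escaped as \29
    if j < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, sep, raw = s[i:j].partition("=")
    if not sep:
        raise ValueError("malformed item %r" % s[i:j])
    if raw == "*":                          # presence filter (attr=*)
        return ("present", attr), j + 1
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr, value), j + 1       # an escaped \2a is a literal '*', not a wildcard

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "present":
        return node[1] in entry
    actual = entry.get(node[1])
    return actual is not None and actual.lower() == node[2].lower()   # AD matching is case-insensitive

def is_single_filter(template, request):
    """True if the rendered template parses as exactly one LDAP filter."""
    try:
        parse_filter(render(template, request, ldap_escape))
        return True
    except ValueError:
        return False

def lookup(template, request, directory=AD):
    """Render the filter from the request attributes and return the matching entries."""
    node = parse_filter(render(template, request, ldap_escape))
    return [e for e in directory if matches(node, e)]

def authorize(request, directory=AD):
    """Posts 4 and 6 combined: find the account by the submitted username, then require
    the account's mail (exposed as the assumed attribute Authorization:AD:mail) to equal
    the certificate CN. An account without a mail attribute can never pass this check."""
    hits = lookup(USERNAME_FILTER, request, directory)
    if not hits:
        return "REJECT:no-account"
    attrs = dict(request)
    if "mail" in hits[0]:
        attrs["Authorization:AD:mail"] = hits[0]["mail"]
    if render("%{Authorization:AD:mail}", attrs).lower() != render("%{Certificate:Subject-CN}", attrs).lower():
        return "REJECT:mail-cn-mismatch"
    return "ACCEPT"

if __name__ == "__main__":
    own = {"Certificate:Subject-CN": "alice.smith@corp.example", "Authentication:Username": "asmith@corp.example"}
    borrowed = {"Certificate:Subject-CN": "alice.smith@corp.example", "Authentication:Username": "bjones"}
    print("post 1 filter is one filter:", is_single_filter(BROKEN, own))      # False
    print("AND:", lookup(AND_FILTER, own))                                      # [] - CN is the mail, not the UPN
    print("OR :", lookup(OR_FILTER, borrowed)[0]["sAMAccountName"])            # bjones - the cert never constrained it
    print("post 8 literal:", render("Authentication:Username", own))           # the bare string, not the username
    print("own:", authorize(own), "borrowed:", authorize(borrowed))
```

Running it shows the AND form returning no account because the CN holds the mail address rather than the UPN, the OR form returning bjones's account for a request that carried asmith's certificate, and the final design accepting only the request whose submitted username resolves to an account whose mail equals the certificate CN. Because the shared account has no mail attribute, it is rejected by the same check, which is the practical reason for reply 6's advice to authenticate shared devices on a dedicated issuing CA instead.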



  • 9.  RE: Clearpass EAP-TLS with UPN lookup

    Posted 10 hours ago

    Of course I was! That worked, and the building blocks are in place now to work with some more attributes.

    Thanks for the help.