Security

 View Only
last person joined: 20 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

EAP-TLS and username changes in AD

Jump to Best Answer
This thread has been viewed 32 times
  • 1.  EAP-TLS and username changes in AD

    Posted Jun 30, 2022 06:02 PM

    Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

    Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

    Thanks


  • 2.  RE: EAP-TLS and username changes in AD

    Posted Jun 30, 2022 08:56 PM

    if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

    regen cert = locally delete and repull the new user cert by doing gpupdate /force

    but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.


  • 3.  RE: EAP-TLS and username changes in AD

    Posted Jul 01, 2022 07:51 AM
    Unfortunately, not deleting/repulling a new cert leaves the user with limited network access requiring the manual intervention.


  • 4.  RE: EAP-TLS and username changes in AD

    Posted Jul 01, 2022 08:07 AM
    Correct.  You could disable Authorization for the EAP-TLS Authentication method.  As long as the user has a valid certificate (not expired or revoked) then ClearPass will permit them access to the network.  ClearPass then won't attempt to compare the certificate to an account in AD.  You would also need to remove any authorization conditions that reference AD groups too.


  • 5.  RE: EAP-TLS and username changes in AD

    Posted Jul 01, 2022 08:21 AM
    Good information. I appreciate the responses.

    I know this isn't the forum for a certificate question, but figure I will ask anyway...
    One question I have regarding this issue is any new user will pull a good cert. Why isn't a new cert pulled when the user logs in after a name change?


  • 6.  RE: EAP-TLS and username changes in AD

    Posted Jul 01, 2022 08:31 AM
    I just thought through my own question...
    The fact there is already a cert in the user's personal cert store.


  • 7.  RE: EAP-TLS and username changes in AD

    Posted Jul 01, 2022 10:26 PM
    There is only one case (so far thru my exp) that the cert will automatically get replaced by the new one (auto repull), which is... if the expiry date is extended (in Microsoft CA there is this option to auto-generate a new cert if its expiry date is near).


  • 8.  RE: EAP-TLS and username changes in AD
    Best Answer

    Posted Jun 30, 2022 08:56 PM
    Two Options:

    1. Do what you are doing today
    2. Switch to machine authentication
    The reason this doesn't work is because once the user's account name in AD changes, it no longer will match the certificate for the user on the computer.  So when ClearPass recevies the username from the CN (or SAN field or wherever) of the certificate, it will look up that user in AD.  This will fail since the username no longer exists in AD.


  • 9.  RE: EAP-TLS and username changes in AD

    Posted Jul 01, 2022 10:38 PM
    I just think of other option, maybe we can revoke the cert from the server ?
    You may try to explore OCSP thingy, but I am not entirely sure if : once you revoked, the old cert will still be there or not, and once the user re-login, will it repull a new cert or not, and then the last thing, will the user's endpoint authenticate using the revoked one or the new one it just repulls ... ?

    There is another alternative to OCSP, you can put CRL address in the clearpass and set to periodically query the CRL server about the revoked list.

    And one other thing you can try , is creating a new Authentication Method , and select what you want to compare against the cert attributes, as below:




  • 10.  RE: EAP-TLS and username changes in AD

    Posted Jul 03, 2022 09:36 AM
    Good suggestion. I don't know enough about how the auth method works to speak to this, but I will definitely run it by the engineer who manages our CP install. 

    Thank you!