I just thought of another option: maybe we can revoke the cert from the server?
You may try to explore the OCSP thingy, but I am not entirely sure: once you revoke it, will the old cert still be there or not? Once the user re-logs in, will it re-pull a new cert or not? And the last thing, will the user's endpoint authenticate using the revoked one or the new one it just re-pulled?
There is another alternative to OCSP: you can put the CRL address in ClearPass and set it to periodically query the CRL server for the revoked list.
And one other thing you can try is creating a new Authentication Method and selecting what you want to compare against the cert attributes, as below:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD
Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have ClearPass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc. At that point we have to delete the cert from the local store and have the user log off / log in again to get a new cert with the changed username.
Is this just something we need to live with, or is there a better way to set up our environment... aside from machine-only authentication?
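One way to automate the endpoint-side step the post describes (delete the stale cert, then get a fresh one) is a small PowerShell script that runs in the renamed user's context. This is an added example, not code from the thread, ClearPass or Microsoft; it assumes the user template puts the UPN in the Subject Alternative Name (as the default Windows user templates do) and that GPO autoenrollment is in place, as the post says. Any certificate in the user's personal store whose SAN UPN differs from the current UPN is removed together with its private key, and `certutil -pulse` then asks the autoenrollment client to run immediately instead of waiting for the next logon.

```powershell
# Added example (not from the thread). Assumes: user template places the UPN in the SAN,
# GPO autoenrollment is configured, and the script runs as the user whose name changed
# after the AD rename has replicated.

$currentUpn = (whoami /upn | Select-Object -First 1).Trim()
if (-not $currentUpn) { throw 'Could not determine the current UPN (is this a domain account?)' }

$sanOid = '2.5.29.17'   # id-ce-subjectAltName
$stale  = @()

foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $san) { continue }   # no SAN: not an autoenrolled user cert, leave it alone

    # Format($true) renders the SAN as text, e.g. "Other Name: Principal Name=jdoe@corp.example"
    if ($san.Format($true) -match 'Principal Name=([^\s,]+)') {
        $certUpn = $Matches[1]
        # -ne is case-insensitive in PowerShell, which matches how AD treats UPNs
        if ($certUpn -ne $currentUpn) {
            $stale += [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                CertUpn    = $certUpn
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

if ($stale.Count -eq 0) {
    Write-Host "No user certificates with a UPN other than $currentUpn; nothing to do."
    return
}

foreach ($item in $stale) {
    Write-Host ("Removing {0} issued to {1} (current UPN is {2})" -f $item.Thumbprint, $item.CertUpn, $currentUpn)
    # -DeleteKey also removes the now-orphaned private key from the key store
    Remove-Item -Path ("Cert:\CurrentUser\My\{0}" -f $item.Thumbprint) -DeleteKey
}

# Trigger autoenrollment now instead of waiting for the next logon or the scheduled task
certutil -pulse
```

This only cleans up the endpoint. The old certificate is still valid on the CA until it is revoked there, so pair this with revoking it and with the CRL or OCSP check in ClearPass that the reply above mentions, so that a copy of the old cert left on another device is rejected rather than quietly accepted.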