Note that for EAP-TLS there is not actually an authentication against AD, as the client certificate is authenticated on the ClearPass server itself against the EAP enabled CAs in the Trust List.
If you want to check the object in AD (if you don't care, disable Authorization on the EAP-TLS method and you are done), check the LDAP query that is sent to your AD. By default, the query is:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
This checks the username sent by the client against an object in AD with that sAMAccountName (which is the AD username) and of objectClass=user. If you created another objectClass, or if the sAMAccountName does not match what the client sends as username (check the Username in Access Tracker), there will not be a match. With an LDAP query tool you could connect to your AD and create a specific query to match the objects that you created for your Macs in AD. You may check this video that explains a modified query to check based on the UPN or user email in AD instead of the sAMAccountName.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
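The lookup described above, as an added example that is not part of the thread or of ClearPass: it expands the `%{Authentication:Username}` macro into the default filter and into a hypothetical variant that matches on the SPN placed in the certificate's SAN, then evaluates both against constructed AD objects so you can see why a Mac's placeholder object is missed by the sAMAccountName query. The objects, names and the SPN variant are assumptions made up for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample AD objects, not taken from a real directory: a placeholder
# computer object created for a Mac (as the thread describes) and a normal user.
AD_OBJECTS: List[Dict[str, List[str]]] = [
    {"sAMAccountName": ["MAC01$"],
     "objectClass": ["top", "person", "user", "computer"],
     "servicePrincipalName": ["host/mac01.corp.example.com", "host/MAC01"]},
    {"sAMAccountName": ["jdoe"],
     "objectClass": ["top", "person", "user"],
     "userPrincipalName": ["jdoe@corp.example.com"],
     "mail": ["jdoe@corp.example.com"]},
]

# ClearPass default filter from the thread, and a hypothetical variant that
# matches on the SPN carried in the certificate's Subject Alternative Name.
DEFAULT_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
SPN_FILTER = "(&(servicePrincipalName=%{Authentication:Username})(objectClass=user))"
MACRO = "%{Authentication:Username}"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a value copied out of a client certificate
    cannot change the structure of the filter it is substituted into."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def render_filter(template: str, username: str) -> str:
    """Expand the username macro the way a query layer should send it to AD."""
    return template.replace(MACRO, escape_filter_value(username))

def lookup(template: str, username: str) -> List[Dict[str, List[str]]]:
    """Evaluate an AND-of-equality filter (the only shape used here; this is
    not a full LDAP filter parser) against the sample objects, case-insensitively."""
    clauses = re.findall(r"\(([^=()]+)=([^()]*)\)", template)
    hits = []
    for obj in AD_OBJECTS:
        ok = True
        for attr, want in clauses:
            want = username if want == MACRO else want
            ok = ok and any(want.lower() == v.lower() for v in obj.get(attr, []))
        if ok:
            hits.append(obj)
    return hits

if __name__ == "__main__":
    # Username as extracted from the Mac certificate's SAN (what Access Tracker shows).
    spn = "host/mac01.corp.example.com"
    print(render_filter(DEFAULT_FILTER, spn), "->", len(lookup(DEFAULT_FILTER, spn)), "match(es)")
    print(render_filter(SPN_FILTER, spn), "->", len(lookup(SPN_FILTER, spn)), "match(es)")
```

Run it and compare the rendered filter with the Username column in Access Tracker; if the attribute you query does not hold exactly that string, Authorization fails even though the certificate itself validated.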
Original Message:
Sent: Dec 05, 2022 01:16 PM
From: Chad Jones
Subject: EAP-TLS Error 215 - MAC OS
We're not AD-bound, and have in fact experienced adverse events when AD-bound (password reset loops, etc). We're not using user auth at all, strictly machine, thus I've had to create placeholder objects in AD, manually modifying them with the attributes Aruba seems to be looking for (primarily $servicePrincipalName), because it is authing against AD lookups it seems.
Original Message:
Sent: 12/5/2022 4:29:00 AM
From: Herman Robers
Subject: RE: EAP-TLS Error 215 - MAC OS
Unfortunately I don't have a test setup available to check this. I don't see a lot of deployments with AD joined Macs myself either, so it may be hard to get a lot of experience here.
As long as you get a client certificate on your client, and can extract the username (user authentication) or computer name (machine authentication) to be validated to AD, you should be good.
How do the username and certificate look if you follow the best practices? It may be trivial from there to create an AD Authentication source that leverages the CN or other attribute in the certificate to do the lookup. If you don't need the lookup in AD (for authorization attributes because all clients will get the same access/enforcement), but rely on OCSP/CRL for validating that the client certificate is still active/not revoked, you can leave out the Authorization from your EAP-TLS and avoid the lookup at all.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 01, 2022 07:59 PM
From: Chad Jones
Subject: EAP-TLS Error 215 - MAC OS
Is this still the case in 2022? According to Apple best practices (last I heard) binding is a no-go, and Jamf indicates if one is using ADCS that the cert request template should be set to "Supply in the Request." Would this still work and/or are those checkboxes exposed when set to supply in? Thanks!
Original Message:
Sent: Jun 19, 2017 10:49 PM
From: Tim Cappalli
Subject: EAP-TLS Error 215 - MAC OS
OK, so here's the working combo
Certificate Template
- Clone the default Computer template, call it "Computer - Mac SPN"
- Subject Name tab:
  - Subject name format: Fully distinguished name
  - Include Service Principal name (SPN) in alternate subject name
- Activate the template
- Change Mac management config profile to reference new template
ClearPass Authentication Methods
- Create a new EAP method, type EAP-TLS
  - Authorization Required: Enable
  - Certificate Comparison: Compare Subject Alternative Name
  - OCSP configuration varies based on your environment
ClearPass Service
That should work.
You may want to add additional rules that check certificate properties like Subject-DN ENDS_WITH < computer OU >