Security

  • 1.  Extract identity from user certificate for non-domain devices

    Posted Sep 11, 2024 10:57 AM

    Dear All,

    I am relatively new to Aruba and have been trying to figure out how to configure which certificate field should be used as the identity information when using EAP-TLS.

    The devices we need to authenticate are not domain members, but rather printers and phones, which have an "EAP Identity" field in their GUI. However, instead of using this field, we would like to use the Common Name (CN) field from their certificate as the identity.

    The reason for this is that the certificates are unique, while the "EAP Identity" field can be modified by anyone. If multiple devices have the same string in that field, the logs could become confusing and difficult to manage.

    Any guidance on how to configure this in ClearPass would be greatly appreciated.

    Thank you.

    Best regards,
    Norbert



  • 2.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 11, 2024 03:03 PM

    I'm going to guess that "EAP Identity" is what comes across the request as the Radius:IETF:User-Name attribute.

    Get one of the devices to authenticate with EAP-TLS and the username set to whatever you like.  Look at the session in the Access Tracker, then drill into what certificate information was extracted by looking at Input > Computed Attributes.

    Use those attributes, specifically the Certificate ones, as needed for authorization or potentially custom queries.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 09:39 AM
    I normally look at the cert CN to create a Role and then an enforcement policy based upon that role.

    Something of the form:

        If (
            Authentication:OuterMethod EQUALS EAP-TLS
            AND Radius:IETF:NAS-Port-Type EQUALS Wireless-802.11 (19)
            AND Certificate:Subject CN BEGINS WITH <whatever prefix we’ve added to our CNs>
        )
        <assign appropriate role>

    Then act upon the role in Enforcement:

        (Tips:Role EQUALS “This is an appropriate role”)
        Actions
        .......


    Rgds
    Alex
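    The pattern in replies 2 and 3 (take the identity from the Certificate:Subject-CN computed attribute, map EAP-TLS plus a CN prefix to a role, then enforce on Tips:Role rather than on User-Name) as an added, runnable model. This is example code written for this thread, not ClearPass's own logic or anything the posters shared; the prefix `printer-`, the role `Wifi-Printer`, the profile names and the sample sessions are all assumptions constructed for the example. It shows why the approach solves the original question: two devices whose "EAP Identity" field holds the same string still get distinct identities in the session record, and a session that presents the same string without a certificate gets no role.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed values standing in for ClearPass configuration. The prefix, role
# and profile names are assumptions for this example, not the thread's settings.
CN_PREFIX = "printer-"                       # prefix we add to device CNs
WIRELESS_80211 = "Wireless-802.11 (19)"      # Radius:IETF:NAS-Port-Type value
PRINTER_ROLE = "Wifi-Printer"                # Tips:Role assigned by role mapping
PROFILES = {PRINTER_ROLE: "Printer-VLAN-Profile"}   # enforcement profile per role
DENY_PROFILE = "[Deny Access Profile]"


@dataclass
class Request:
    """The attributes Access Tracker shows under Input for one authentication."""
    user_name: str                      # Radius:IETF:User-Name, i.e. the device's "EAP Identity" field
    outer_method: str                   # Authentication:OuterMethod
    nas_port_type: str                  # Radius:IETF:NAS-Port-Type
    subject_cn: Optional[str] = None    # Certificate:Subject-CN computed attribute; None without a cert


def session_identity(req: Request) -> str:
    """Identity to record for the session: the certificate CN for EAP-TLS sessions,
    which the issuing CA vouched for, instead of the freely editable EAP Identity."""
    if req.outer_method == "EAP-TLS" and req.subject_cn:
        return req.subject_cn
    return req.user_name


def role_mapping(req: Request) -> List[str]:
    """Role-mapping rule from reply 3: EAP-TLS AND wireless AND CN prefix match."""
    roles: List[str] = []
    if (req.outer_method == "EAP-TLS"
            and req.nas_port_type == WIRELESS_80211
            and req.subject_cn is not None
            and req.subject_cn.startswith(CN_PREFIX)):
        roles.append(PRINTER_ROLE)
    return roles


def enforcement(roles: List[str]) -> str:
    """Enforcement policy: act on Tips:Role only, never on the User-Name."""
    for role in roles:
        if role in PROFILES:
            return PROFILES[role]
    return DENY_PROFILE


def evaluate(req: Request) -> Dict[str, object]:
    """Run one request through identity extraction, role mapping and enforcement."""
    roles = role_mapping(req)
    return {
        "identity": session_identity(req),
        "roles": roles,
        "profile": enforcement(roles),
    }


# Constructed sample sessions: two printers whose admins both typed the same
# EAP Identity, a non-EAP-TLS request claiming a CN-like identity without a
# certificate, and a wired request from a printer with a valid certificate.
SAMPLE_REQUESTS = [
    Request("printer", "EAP-TLS", WIRELESS_80211, "printer-lobby-01"),
    Request("printer", "EAP-TLS", WIRELESS_80211, "printer-hr-02"),
    Request("printer-hr-02", "EAP-PEAP", WIRELESS_80211, None),
    Request("printer", "EAP-TLS", "Ethernet (15)", "printer-lobby-01"),
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> List[Dict[str, object]]:
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for result in evaluate_all():
        print(result)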




  • 4.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 09:47 AM

    I'm curious, why are you testing on NAS-Port-Type in a role mapping?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 10:32 AM
    Only for wifi-connected devices.
    Just making sure
    :-)
    A




  • 6.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 11:05 AM

    Ah.  But you are filtering the service on that same attribute, right?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 11:13 AM
    Yup, but got common role and enforcement stuff.
    A
    Sent from my iPhone





  • 8.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 11:20 AM

    Ah, that makes more sense then.  I've been bitten by using common items too many times to go that route anymore.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Extract identity from user certificate for non-domain devices

    Posted Sep 12, 2024 11:38 AM
    Use both depending on requirements. But in general the role generated will have “Wired” and “wifi” somewhere in there as well to help with enforcement.

    A