Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Extract identity from user certificate for non-domain devices

  • 1.  Extract identity from user certificate for non-domain devices

    Posted 30 days ago

    Dear All,

    I am relatively new to Aruba and have been trying to figure out how to configure which certificate field should be used as the identity information when using EAP-TLS.

    The devices we need to authenticate are not domain members, but rather printers and phones, which have an "EAP Identity" field in their GUI. However, instead of using this field, we would like to use the Common Name (CN) field from their certificate as the identity.

    The reason for this is that the certificates are unique, while the "EAP Identity" field can be modified by anyone. If multiple devices have the same string in that field, the logs could become confusing and difficult to manage.

    Any guidance on how to configure this in ClearPass would be greatly appreciated.

    Thank you.

    Best regards,
    Norbert



  • 2.  RE: Extract identity from user certificate for non-domain devices

    EMPLOYEE
    Posted 30 days ago

    I'm going to guess that "EAP Identity" is what comes across the request as the Radius:IETF:User-Name attribute.

    Get one of the devices to authenticate with EAP-TLS and the username set to whatever you like.  Look at the session in the Access Tracker, then drill into what certificate information was extracted by looking at Input > Computed Attributes.

    Use those attributes, specifically the Certificate ones, as needed for authorization or potentially custom queries.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Extract identity from user certificate for non-domain devices

    MVP EXPERT
    Posted 29 days ago
    I normally look at the cert cn to create a Role and then an enforcement policy based upon that role

    Something of form

    If (
    Authentication:OuterMethod EQUALS EAP-TLS
    AND
    Radius:IETF:NAS-Port-Type equals Wireless-802.11 (19))
    AND
    Certificate:Subject CN Begins With <whatever prefix we've added to our CNs>
    )
    <assign appropriate role>

    Then act upon role in Enforcement

    (Tips:Role EQUALS “This is an appropriate role”)
    Actions
    …….


    Rgds
    Alex
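
As an added illustration that is not from this thread or from HPE: a small Python model of the role-mapping rule above, showing why the certificate Subject CN, rather than the client-typed "EAP Identity" (Radius:IETF:User-Name), is what ends up as the audited identity. The prefix prn-, the role name Printer-WiFi, the dict-based request format and the sample subjects are all assumptions.

```python
# Added example (not from the thread or HPE): a minimal model of the
# role-mapping rule above. Attribute names mirror ClearPass computed
# attributes; the prefix, role name and sample requests are constructed.
from typing import Optional

CN_PREFIX = "prn-"        # assumed naming convention for printer certificates
WIRELESS_80211 = 19       # NAS-Port-Type value for Wireless-802.11 (RFC 2865)


def parse_subject(subject: str) -> dict:
    """Split a CN=...,OU=...,O=... subject into a dict (unescaped form only)."""
    parts = {}
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key:
            parts[key.strip().upper()] = value.strip()
    return parts


def map_role(req: dict) -> Optional[str]:
    """Role mapping: EAP-TLS AND wireless AND Certificate Subject CN begins with prefix."""
    cn = parse_subject(req.get("Certificate:Subject", "")).get("CN", "")
    if (req.get("Authentication:OuterMethod") == "EAP-TLS"
            and req.get("Radius:IETF:NAS-Port-Type") == WIRELESS_80211
            and cn.startswith(CN_PREFIX)):
        return "Printer-WiFi"
    return None


def enforce(req: dict) -> dict:
    """Enforcement keyed on the role; the logged identity is the certificate CN,
    not the operator-editable 'EAP Identity' carried in User-Name."""
    role = map_role(req)
    cn = parse_subject(req.get("Certificate:Subject", "")).get("CN")
    return {"identity": cn or req.get("Radius:IETF:User-Name"),
            "role": role, "action": "Allow" if role else "Deny"}


# Constructed requests: two printers whose admins typed the same EAP Identity.
BASE = {"Radius:IETF:User-Name": "printer", "Authentication:OuterMethod": "EAP-TLS"}
REQUESTS = [
    {**BASE, "Radius:IETF:NAS-Port-Type": 19, "Certificate:Subject": "CN=prn-floor2-01,OU=Printers,O=Example"},
    {**BASE, "Radius:IETF:NAS-Port-Type": 19, "Certificate:Subject": "CN=prn-floor3-07,OU=Printers,O=Example"},
    # Wired port (Ethernet = 15): the wifi rule does not match, so no role.
    {**BASE, "Radius:IETF:NAS-Port-Type": 15, "Certificate:Subject": "CN=prn-floor1-02,OU=Printers,O=Example"},
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(enforce(r))
```

Both printers share the User-Name "printer", yet each session is recorded under its own CN, and the wired request falls through the wifi rule exactly as discussed in the replies below.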




  • 4.  RE: Extract identity from user certificate for non-domain devices

    EMPLOYEE
    Posted 29 days ago

    I'm curious, why are you testing on NAS-Port-Type in a role mapping?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Extract identity from user certificate for non-domain devices

    MVP EXPERT
    Posted 29 days ago
    Only for wifi connected devices.
    Just making sure
    :-)
    A




  • 6.  RE: Extract identity from user certificate for non-domain devices

    EMPLOYEE
    Posted 29 days ago

    Ah.  But you are filtering the service on that same attribute, right?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Extract identity from user certificate for non-domain devices

    MVP EXPERT
    Posted 29 days ago
    Yup but got common role and enforcement stuff
    A
    Sent from my iPhone





  • 8.  RE: Extract identity from user certificate for non-domain devices

    EMPLOYEE
    Posted 29 days ago

    Ah, that makes more sense then.  I've been bitten by using common items too many times to go that route anymore.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Extract identity from user certificate for non-domain devices

    MVP EXPERT
    Posted 29 days ago
    Use both depending on requirements. But in general the role generated will have "Wired" and "wifi" somewhere in there as well to help with enforcement.

    A