Use both depending on requirements. But in general the role generated will have “Wired” and “wifi” somewhere in there as well to help with enforcement.
Original Message:
Sent: 9/12/2024 11:20:00 AM
From: chulcher
Subject: RE: Extract identity from user certificate for non-domain devices
Ah, that makes more sense then. I've been bitten by using common items too many times to go that route anymore.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
Original Message:
Sent: Sep 12, 2024 11:12 AM
From: alexs-nd
Subject: Extract identity from user certificate for non-domain devices
Yup but got common role and enforcement stuff
Original Message:
Sent: 9/12/2024 11:05:00 AM
From: chulcher
Subject: RE: Extract identity from user certificate for non-domain devices
Ah. But you are filtering the service on that same attribute, right?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 12, 2024 10:31 AM
From: alexs-nd
Subject: Extract identity from user certificate for non-domain devices
Only for wifi-connected devices
Just making sure
:-)
A
Original Message:
Sent: 9/12/2024 9:47:00 AM
From: chulcher
Subject: RE: Extract identity from user certificate for non-domain devices
I'm curious, why are you testing on NAS-Port-Type in a role mapping?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 12, 2024 09:39 AM
From: alexs-nd
Subject: Extract identity from user certificate for non-domain devices
I normally look at the cert CN to create a Role and then an enforcement policy based upon that role
Something of the form
If (
Authentication:OuterMethod EQUALS EAP-TLS
AND
Radius:IETF:NAS-Port-Type EQUALS Wireless-802.11 (19)
AND
Certificate:Subject CN Begins With <whatever prefix we've added to our CNs>
)
<assign appropriate role>
Then act upon role in Enforcement
(Tips:Role EQUALS "This is an appropriate role")
Actions
.......
Rgds
Alex
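As an added illustration (not posted by anyone in the thread), a small Python model of the rule above run over constructed requests: the attribute names are the ones Alex quotes, while the CN prefix, the role names, the enforcement profile names and the sample records are assumptions. It shows why the thread keys on the certificate CN: the editable EAP identity (User-Name) never enters the decision.

```python
from typing import Optional

# ClearPass attribute names as quoted in the thread; prefix and role names are assumptions.
CN_PREFIX = "printer-"            # assumed prefix we add to our device CNs
WIRELESS_80211 = 19               # RADIUS NAS-Port-Type values from RFC 2865
ETHERNET = 15

# (role, NAS-Port-Type, CN prefix). Role names carry "WiFi"/"Wired", as the thread
# suggests, so the enforcement policy can tell the two apart. Evaluated in order.
RULES = [
    ("Printer-WiFi", WIRELESS_80211, CN_PREFIX),
    ("Printer-Wired", ETHERNET, CN_PREFIX),
]
# Assumed enforcement profiles, keyed on Tips:Role
ENFORCEMENT = {"Printer-WiFi": "Printer-WiFi-VLAN", "Printer-Wired": "Printer-Wired-VLAN"}

def map_role(request: dict) -> Optional[str]:
    """Role mapping: return the first rule whose three conditions all hold, else None.
    Radius:IETF:User-Name (the device's editable EAP identity) is never consulted;
    the identity that matters is the CN asserted in the client certificate."""
    if request.get("Authentication:OuterMethod") != "EAP-TLS":
        return None
    cn = request.get("Certificate:Subject-CN", "")
    port_type = request.get("Radius:IETF:NAS-Port-Type")
    for role, rule_port_type, prefix in RULES:
        if port_type == rule_port_type and cn.startswith(prefix):
            return role
    return None

def enforce(request: dict) -> str:
    """Enforcement policy: Tips:Role EQUALS <role> -> profile, anything else -> deny."""
    return ENFORCEMENT.get(map_role(request), "Deny-Access")

# Constructed sample requests (not real ClearPass records)
SAMPLES = {
    "wifi_printer": {"Authentication:OuterMethod": "EAP-TLS", "Radius:IETF:NAS-Port-Type": 19,
                     "Radius:IETF:User-Name": "anything", "Certificate:Subject-CN": "printer-lobby-01"},
    "wired_printer": {"Authentication:OuterMethod": "EAP-TLS", "Radius:IETF:NAS-Port-Type": 15,
                      "Radius:IETF:User-Name": "printer-lobby-01", "Certificate:Subject-CN": "printer-lobby-01"},
    # EAP identity claims to be a printer, but the certificate CN says otherwise
    "spoofed_identity": {"Authentication:OuterMethod": "EAP-TLS", "Radius:IETF:NAS-Port-Type": 19,
                         "Radius:IETF:User-Name": "printer-lobby-01", "Certificate:Subject-CN": "laptop-guest-7"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} role={map_role(req)!s:14} enforcement={enforce(req)}")
```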
Original Message:
Sent: 9/11/2024 5:19:00 AM
From: NorbertSzantai
Subject: Extract identity from user certificate for non-domain devices
Dear All,
I am relatively new to Aruba and have been trying to figure out how to configure which certificate field should be used as the identity information when using EAP-TLS.
The devices we need to authenticate are not domain members, but rather printers and phones, which have an "EAP Identity" field in their GUI. However, instead of using this field, we would like to use the Common Name (CN) field from their certificate as the identity.
The reason for this is that the certificates are unique, while the "EAP Identity" field can be modified by anyone. If multiple devices have the same string in that field, the logs could become confusing and difficult to manage.
Any guidance on how to configure this in ClearPass would be greatly appreciated.
Thank you.
Best regards,
Norbert